Rundll can't find file / Annoying ads

10.10.2009, 11:46
Member

Posts: 23
#1 Hello,

So my problem is that for a few days now, every time I start the PC I get this message -> "Fehler beim Laden von sfsp.cfo". Rundll somehow can't find this file.

On top of that I get an ad every 5 minutes that constantly throws me out of whatever I'm in (programs, games etc.), similar to pressing the Windows key.

As antivirus I have Antivir (free version) and Spyware Doctor. The former somehow let everything through. Spyware Doctor found 66 threats during its scan -> they were deleted; later it found a virus that makes the ads pop up -> deleted, but the ads still keep coming anyway (sometimes I just get thrown out without any ad).

Here is the log from HijackThis again, in case it helps.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:47, on 10.10.2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programme\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avmailc.exe
C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\DOKUME~1\KONSTA~1\LOKALE~1\Temp\ctv1037.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe sfsp.cfo beforegttav
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {2AABD0C3-1B64-4DE0-AE17-BBBE806197F2} - (no file)
O2 - BHO: (no name) - {3C605200-6FAC-4587-986F-5DE5042EFC8E} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {D48D559B-BEFB-42BB-BF29-1F126E5B4C12} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CCleaner] "C:\Programme\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EAAEA45-E383-46B3-85A4-D0B4FC7B9A7A}: NameServer = 192.168.178.1,192.168.178.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: urqQKcyw - urqQKcyw.dll (file missing)
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Google Update Service (gupdate1c9d9e2279cb52c) (gupdate1c9d9e2279cb52c) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 8463 bytes



Please help.
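A defender-side way to pull the relevant findings out of a HijackThis log like the one above: an added example, not code from this thread or from HijackThis itself. The `triage` function and the rule names are my own; the sample lines are a subset copied from the posted log. It flags a Winlogon Shell value that carries anything beyond `Explorer.exe` (the F2 line), a rundll32 call whose module is not a .dll, Winlogon Notify and BHO entries whose file is missing, and processes running out of a Temp directory.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of lines copied from the HijackThis log
# posted above (the original has many more entries).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.exe
C:\DOKUME~1\KONSTA~1\LOKALE~1\Temp\ctv1037.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe sfsp.cfo beforegttav
O2 - BHO: (no name) - {2AABD0C3-1B64-4DE0-AE17-BBBE806197F2} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: urqQKcyw - urqQKcyw.dll (file missing)
"""

# rule / severity / detail; names are this example's own, not HijackThis terms
Finding = namedtuple("Finding", "rule severity detail")

ENTRY = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<target>\S+)", re.IGNORECASE)


def split_log(text):
    """Split a HijackThis log into running-process paths and (type, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("type"), m.group("body")))
    return processes, entries


def rundll_target_not_dll(text):
    """Return the module rundll32 is told to load if it is not a .dll.
    rundll32 does not care about the extension, which is why a loader can
    hide behind a name like sfsp.cfo. Returns None if nothing is suspicious."""
    m = RUNDLL.search(text)
    if not m:
        return None
    module = m.group("target").split(",")[0]  # strip the ',EntryPoint' part
    return None if module.lower().endswith(".dll") else module


def shell_extras(body):
    """Tokens in a Winlogon Shell value beyond the expected 'Explorer.exe'."""
    m = re.search(r"Shell=(?P<value>.+)$", body, re.IGNORECASE)
    if not m:
        return []
    tokens = m.group("value").split()
    if tokens and tokens[0].lower() == "explorer.exe":
        tokens = tokens[1:]
    return tokens


def triage(text):
    """Run the checks over one log and return a list of Finding tuples."""
    processes, entries = split_log(text)
    findings = []
    for proc in processes:
        if TEMP_DIR.search(proc):
            findings.append(Finding("process-from-temp", "high", proc))
    for etype, body in entries:
        if etype == "F2" and "Shell=" in body:
            extras = shell_extras(body)
            if extras:
                findings.append(Finding("shell-hijack", "high", " ".join(extras)))
            odd = rundll_target_not_dll(" ".join(extras))
            if odd:
                findings.append(Finding("rundll32-non-dll", "high", odd))
        elif etype == "O4":
            odd = rundll_target_not_dll(body)
            if odd:
                findings.append(Finding("rundll32-non-dll", "medium", odd))
        elif etype == "O20" and "(file missing)" in body:
            findings.append(Finding("winlogon-notify-missing-dll", "high", body))
        elif etype == "O2" and body.endswith("(no file)"):
            findings.append(Finding("orphan-bho", "low", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

On the sample it reports the Temp-resident ctv1037.exe, the extra `rundll32.exe sfsp.cfo beforegttav` in the Shell value, the non-DLL module sfsp.cfo, the orphaned BHO and the missing Winlogon Notify DLL, while the legitimate NvCpl.dll autorun is left alone.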
10.10.2009, 12:02
Member

Posts: 3716
#2 http://board.protecus.de/t23187.htm
Work through it, post the logs.
Do you still have the log from Spyware Doctor? Have a look in the program to see whether there are reports or something similar there, and please post that too.
10.10.2009, 18:08
Member

Thread starter

Posts: 23
#3 3.
Run a scan with Malwarebytes -

Malwarebytes' Anti-Malware 1.41
Datenbank Version: 2936
Windows 5.1.2600 Service Pack 3, v.3264

10.10.2009 14:08:12
mbam-log-2009-10-10 (14-08-12).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 100481
Laufzeit: 8 minute(s), 43 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 5
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 48

Infizierte Speicherprozesse:
C:\WINDOWS\system32\NeroCheck.exe (Trojan.Agent) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2aabd0c3-1b64-4de0-ae17-bbbe806197f2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2aabd0c3-1b64-4de0-ae17-bbbe806197f2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\NeroCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nerofiltercheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2aabd0c3-1b64-4de0-ae17-bbbe806197f2} (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe sfsp.cfo beforegttav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\NeroCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xcnh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\7zS66.tmp\soundman.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\soundman .exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\soundman.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1029.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1030.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1037.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1038.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1126.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1950.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1951.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv1958.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv2047.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv2871.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv2873.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv2885.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv2968.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv3795.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv3796.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv3810.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv3890.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv4719.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv4724.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv4734.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv4821.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv5382.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv5645.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv5659.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv5744.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv6336.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv6568.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv6589.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv6665.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv7257.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv7494.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv7514.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv7576.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv8178.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv8418.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv8444.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv8500.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv9109.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv9339.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv9368.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Konstantin\Lokale Einstellungen\Temp\ctv9421.exe (Trojan.Dropper) -> Delete on reboot.
C:\Programme\Adobe\acrotray.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\yrsewrkr.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
-------------------------------------------------------------------------
4.
Create a GMER report:
GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-10 18:36:38
Windows 5.1.2600 Service Pack 3, v.3264
Running: v35mvlk9.exe; Driver: C:\DOKUME~1\KONSTA~1\LOKALE~1\Temp\fwldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7759514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7748282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7748474]
SSDT F7E4315C ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7759D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7759FB8]
SSDT F7E4317A ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF77583FA]
SSDT F7E43148 ZwOpenProcess
SSDT F7E4314D ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF775A422]
SSDT F7E43184 ZwReplaceKey
SSDT F7E4317F ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF77597D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7747F32]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[108] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F60001
.text C:\WINDOWS\system32\nvsvc32.exe[108] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\nvsvc32.exe[108] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe[312] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\Programme\Java\jre6\bin\jqs.exe[480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02150001
.text C:\Programme\Java\jre6\bin\jqs.exe[480] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\Programme\Java\jre6\bin\jqs.exe[480] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[580] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[580] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014E0001
.text C:\WINDOWS\system32\csrss.exe[580] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[580] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[604] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01350001
.text C:\WINDOWS\system32\winlogon.exe[604] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[604] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 011F0001
.text C:\WINDOWS\system32\services.exe[648] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\services.exe[648] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001
.text C:\WINDOWS\system32\lsass.exe[660] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\lsass.exe[660] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00730001
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\Programme\Spyware Doctor\pctsAuxs.exe[664] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001
.text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FC0001
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[936] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[936] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01670001
.text C:\WINDOWS\System32\svchost.exe[936] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\svchost.exe[936] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A60001
.text C:\WINDOWS\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1340] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\Explorer.EXE[1340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B40001
.text C:\WINDOWS\Explorer.EXE[1340] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\Explorer.EXE[1340] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1392] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E50001
.text C:\WINDOWS\system32\spoolsv.exe[1392] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\spoolsv.exe[1392] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Spyware Doctor\pctsTray.exe[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04460001
.text C:\Programme\Spyware Doctor\pctsTray.exe[1612] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044AB89 C:\Programme\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Programme\Spyware Doctor\pctsTray.exe[1612] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F0A0F5A
.text C:\Programme\Spyware Doctor\pctsTray.exe[1612] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F040F5A
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C60001
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Java\jre6\bin\jusched.exe[1620] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00910001
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[1628] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DF0001
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1708] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015B0001
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Microsoft ActiveSync\Wcescomm.exe[1764] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D00001
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1776] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\Programme\Spyware Doctor\pctsSvc.exe[1816] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044AD11 C:\Programme\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01310001
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe[1820] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateFile + 4 7C91D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateKey 7C91D0D0 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateKey + 4 7C91D0D4 2 Bytes [05, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateSection 7C91D160 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtCreateSection + 4 7C91D164 2 Bytes [23, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtDeleteKey 7C91D230 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtDeleteKey + 4 7C91D234 2 Bytes [0B, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtDeleteValueKey 7C91D250 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtDeleteValueKey + 4 7C91D254 2 Bytes [11, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtRenameKey 7C91DA40 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtRenameKey + 4 7C91DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtSetInformationFile 7C91DC40 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtSetInformationFile + 4 7C91DC44 2 Bytes [20, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtSetValueKey 7C91DDB0 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtSetValueKey + 4 7C91DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtTerminateProcess 7C91DE50 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtTerminateProcess + 4 7C91DE54 2 Bytes [26, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtWriteFile 7C91DF60 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtWriteFile + 4 7C91DF64 2 Bytes [1A, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtWriteFileGather 7C91DF70 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtWriteFileGather + 4 7C91DF74 2 Bytes [1D, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtWriteVirtualMemory 7C91DF90 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] ntdll.dll!NtWriteVirtualMemory + 4 7C91DF94 2 Bytes [29, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!SetWindowPos 7E36C013 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!SetWindowPos + 4 7E36C017 2 Bytes [3A, 5F]
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!SetForegroundWindow 7E374161 6 Bytes JMP 5F350F5A
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!ChangeDisplaySettingsExA 7E3793DC 6 Bytes JMP 5F3C0F5A
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!SetWindowsHookExW 7E37DFFE 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!SetWindowsHookExA 7E381221 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\MICROS~2\rapimgr.exe[1912] USER32.dll!ChangeDisplaySettingsExW 7E3A95B5 6 Bytes JMP 5F3F0F5A
.text C:\Dokumente und Einstellungen\Konstantin\Desktop\v35mvlk9.exe[1940] ntdll.dll!NtClose 7C91CFD0 3 Bytes [FF, 25, 1E]
.text C:\Dokumente und Einstellungen\Konstantin\Desktop\v35mvlk9.exe[1940] ntdll.dll!NtClose + 4 7C91CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Dokumente und Einstellungen\Konstantin\Desktop\v35mvlk9.exe[1940] ntdll.dll!NtCreateFile 7C91D090 1 Byte [FF]
.text C:\Dokumente und Einstellungen\Konstantin\Desktop\v35mvlk9.exe[1940] ntdll.dll!NtCreateFile 7C91D090 3 Bytes [FF, 25, 1E]

---- Devices - GMER 1.0.15 ----

Device \Driver\usbstor \Device\00000070 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000071 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000072 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\0000006d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\0000006f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-369a-8bff-96c9fa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-369a-8bff-96c9fa5cb45f}\InprocServer32@Class 0x41 0xA4 0x88 0xC2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-369a-8bff-96c9fa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-369a-8bff-96c9fa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-4d73-b18e-ac12fa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-4d73-b18e-ac12fa5cb45f}\InprocServer32@Class 0x00 0x08 0x17 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-4d73-b18e-ac12fa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-4d73-b18e-ac12fa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-8be9-b97f-d8bafa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-8be9-b97f-d8bafa5cb45f}\InprocServer32@Class 0x53 0x02 0x1E 0x7F ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-8be9-b97f-d8bafa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-8be9-b97f-d8bafa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a103-57d5-82f1fa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a103-57d5-82f1fa5cb45f}\InprocServer32@Class 0xA6 0x10 0xF2 0xFF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a103-57d5-82f1fa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a103-57d5-82f1fa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a9b5-40bd-a961fa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a9b5-40bd-a961fa5cb45f}\InprocServer32@Class 0xA8 0x13 0x24 0xF7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a9b5-40bd-a961fa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-a9b5-40bd-a961fa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-b4b4-1b9b-2c7ffa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-b4b4-1b9b-2c7ffa5cb45f}\InprocServer32@Class 0xF9 0xFF 0xB7 0xCD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-b4b4-1b9b-2c7ffa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-b4b4-1b9b-2c7ffa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-f0e6-9dfc-a884fa5cb45f}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-f0e6-9dfc-a884fa5cb45f}\InprocServer32@Class 0x0B 0x8C 0x71 0x7C ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-f0e6-9dfc-a884fa5cb45f}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-f0e6-9dfc-a884fa5cb45f}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

---------------------------------------------------------------------------
5. Creating a HijackThis logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:28, on 10.10.2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programme\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avmailc.exe
C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\System32\alg.exe
C:\Dokumente und Einstellungen\Konstantin\Desktop\v35mvlk9.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {3C605200-6FAC-4587-986F-5DE5042EFC8E} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {D48D559B-BEFB-42BB-BF29-1F126E5B4C12} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CCleaner] "C:\Programme\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EAAEA45-E383-46B3-85A4-D0B4FC7B9A7A}: NameServer = 192.168.178.1,192.168.178.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: urqQKcyw - urqQKcyw.dll (file missing)
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Google Update Service (gupdate1c9d9e2279cb52c) (gupdate1c9d9e2279cb52c) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 8387 bytes

--------------------------------------------------------------------------
This post was edited on 10.10.2009 at 18:38 by Duros.
10.10.2009, 18:23
Member

Posts: 3716
#4 You're not supposed to do everything at once, but one after the other :-)
10.10.2009, 18:27
Member

Thread starter

Posts: 23
#5 No no, I've already done everything one after the other, but it takes forever with GMER; it should be finished soon, though.

The ad problem was removed by Anti-Malware, but I haven't tested the Rundll issue yet because I have to restart the PC for that and GMER is still running.

OK, everything's in now.
This post was edited on 10.10.2009 at 18:39 by Duros.
10.10.2009, 19:06
Member

Posts: 3716
#6 OK, continue with ComboFix, post the log.
10.10.2009, 22:26
Member

Thread starter

Posts: 23
#7 I keep getting a message that "AntiVir Desktop" is still switched on. How do I turn it off??? Can't find anything. And if I start it anyway there's a chance of damaging the PC, and I'm not keen on that^^
11.10.2009, 01:02
Honorary member

Posts: 6028
#8 Right-click the AntiVir icon next to the clock and remove the check mark at "AntiVir Guard aktivieren" (enable AntiVir Guard).

__________
Regards, Argus
11.10.2009, 11:52
Member

Thread starter

Posts: 23
#9 ComboFix 09-10-10.02 - Konstantin 11.10.2009 11:38.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1023.595 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Konstantin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\whpcy.exe
c:\windows\Installer\a06c.msi
c:\windows\Installer\de453e.msi
c:\windows\system32\ctfmon .exe
c:\windows\system32\nerocheck .exe
c:\windows\system32\nmoVwyay.ini
c:\windows\system32\nmoVwyay.ini2
c:\windows\system32\ojxfvlkg.ini

.
((((((((((((((((((((((( Dateien erstellt von 2009-09-11 bis 2009-10-11 ))))))))))))))))))))))))))))))
.

2009-10-10 11:48 . 2009-10-10 11:48 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\Malwarebytes
2009-10-10 11:47 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 11:47 . 2009-10-10 11:47 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-10-10 11:47 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 11:47 . 2009-10-10 11:47 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2009-10-10 08:49 . 2009-10-10 08:50 -------- d-----w- c:\programme\RegCleaner
2009-10-08 18:03 . 2009-10-08 18:04 1024 ----a-w- C:\odwvn.exe
2009-10-06 14:40 . 2008-12-11 06:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-06 14:40 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-06 14:40 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-06 14:40 . 2008-12-10 09:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-06 14:39 . 2009-10-09 08:53 -------- d-----w- c:\programme\Spyware Doctor
2009-10-06 14:39 . 2009-10-06 14:39 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\PC Tools
2009-10-06 14:39 . 2009-10-06 14:39 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\PC Tools
2009-10-05 17:32 . 2009-10-05 17:32 -------- d-----r- c:\dokumente und einstellungen\LocalService\Favoriten
2009-10-05 17:32 . 2009-10-05 17:32 -------- d-----w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Mozilla
2009-10-05 15:40 . 2009-10-06 14:40 -------- d-----w- c:\programme\Gemeinsame Dateien\PC Tools
2009-09-29 16:24 . 2009-09-29 16:24 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\Apple Computer
2009-09-26 16:39 . 2003-04-18 14:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-09-22 19:00 . 2009-09-22 19:00 -------- d-----w- c:\programme\Trend Micro
2009-09-14 18:55 . 2006-05-21 14:15 634880 ----a-w- c:\windows\system32\NCTAudioEditor2.dll
2009-09-14 18:55 . 2004-07-14 12:44 23040 ----a-w- c:\windows\system32\auth.dll
2009-09-14 18:55 . 2002-05-23 19:40 110080 ----a-w- c:\windows\system32\advd.dll
2009-09-14 18:55 . 2006-05-21 14:15 966144 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2009-09-14 18:55 . 2006-05-21 14:15 877568 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-09-14 18:55 . 2006-05-21 14:15 522752 ----a-w- c:\windows\system32\NCTAudioTransform2.dll
2009-09-14 18:55 . 2006-05-21 14:15 467968 ----a-w- c:\windows\system32\NCTAudioRecord2.dll
2009-09-14 18:55 . 2006-05-21 14:15 467456 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-09-14 18:55 . 2009-09-14 18:57 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\concept design
2009-09-11 14:27 . 2009-09-11 14:27 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\MobMapUpdater

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 09:32 . 2008-04-16 18:44 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-10-11 09:32 . 2009-04-13 18:07 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\Skype
2009-10-10 22:01 . 2008-02-07 17:00 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\skypePM
2009-10-10 20:11 . 2009-02-13 09:05 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
2009-10-09 20:07 . 2009-07-27 18:36 -------- d-----w- c:\programme\AskBarDis
2009-10-09 19:49 . 2009-07-08 17:47 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\Hamachi
2009-10-03 18:35 . 2008-02-01 11:30 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\teamspeak2
2009-09-27 15:01 . 2008-02-04 18:12 -------- d-----w- c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\uTorrent
2009-09-27 12:05 . 2008-04-17 16:14 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-09-04 12:20 . 2008-07-13 17:40 -------- d-----w- c:\programme\Java
2009-08-22 21:53 . 2009-07-08 17:47 17480 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-21 17:11 . 2009-04-10 14:03 -------- d-----w- c:\programme\Gemeinsame Dateien\Blizzard Entertainment
2009-08-06 08:01 . 2009-03-18 07:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-25 03:23 . 2009-01-02 20:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-02-13 11:48 . 2008-02-13 11:44 32800 --sha-w- c:\windows\system32\drivers\fidbox.dat
2008-02-13 11:48 . 2008-02-13 11:44 1056 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 08:32 279944 ----a-w- c:\programme\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\programme\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"CCleaner"="c:\programme\CCleaner\CCleaner.exe" [2009-09-24 1685816]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-01-05 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\programme\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-08-15 46592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2007-12-01 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\eMule\\emule.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Dokumente und Einstellungen\\Konstantin\\Desktop\\teewars-0.3.3-win32\\teewars-0.3.3-win32\\teewars_srv.exe"=
"c:\programme\Microsoft ActiveSync\rapimgr.exe"= c:\programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programme\Microsoft ActiveSync\wcescomm.exe"= c:\programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programme\Microsoft ActiveSync\WCESMgr.exe"= c:\programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Games usw\\Steam\\SteamApps\\2000k\\counter-strike source\\hl2.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"d:\\Games usw\\Steam\\SteamApps\\2000k\\insurgency\\hl2.exe"=
"d:\\Games usw\\Steam\\SteamApps\\2000k\\day of defeat source\\hl2.exe"=
"d:\\Games usw\\Steam\\SteamApps\\2000k\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Programme\\Java\\jre6\\bin\\java.exe"=
"d:\\Games usw\\aoe2\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Games usw\\Half-Life Versuch 1\\hl.exe"=
"d:\\Games usw\\Counter-Strike Source an Jakob-PC\\hl2.exe"=
"d:\\Games usw\\FT2\\FlatOut2.exe"=
"d:\\Games usw\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"d:\\Games usw\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"d:\\Games usw\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"d:\\Games usw\\Steam\\SteamApps\\2000k\\eternal-silence\\hl2.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"d:\\Warcraft III\\Warcraft III.exe"=
"c:\\Nexon\\NEXON_EU_Downloader\\NEXON_EU_Downloader_Engine.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Anwendungsdaten\\NexonEU\\NGM\\NGM.exe"=
"d:\games usw\Combat Arms\Combat Arms EU\CombatArms.exe"= d:\games usw\Combat Arms\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe
"d:\games usw\Combat Arms\Combat Arms EU\Engine.exe"= d:\games usw\Combat Arms\Combat Arms EU\Engine.exe:*Enabled:Engine.exe
"d:\\Games usw\\Combat Arms\\Combat Arms EU\\NMService.exe"=
"d:\\World of Warcraft\\WoW-3.2.0-deDE-downloader.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"d:\\Games usw\\Empires (v2)\\Empires_DMW.exe"=
"d:\\Games usw\\Empires\\Empires_DMW.exe"=
"d:\\Games usw\\Konstan\\Clonk\\Clonk.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [06.10.2009 16:40 130936]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [10.05.2009 12:36 108768]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\programme\Avira\AntiVir Desktop\avmailc.exe [21.03.2009 11:31 194817]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [21.03.2009 11:31 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\programme\Avira\AntiVir Desktop\avwebgrd.exe [21.03.2009 11:31 434945]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [02.02.2008 17:11 24288]
S2 gupdate1c9d9e2279cb52c;Google Update Service (gupdate1c9d9e2279cb52c);c:\programme\Google\Update\GoogleUpdate.exe [21.05.2009 09:02 133104]
S3 dsltestSp5;dsltestSp5 NDIS Protocol Driver;c:\windows\system32\Drivers\dsltestSp5.sys --> c:\windows\system32\Drivers\dsltestSp5.sys [?]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24.02.2005 12:29 162176]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programme\Spyware Doctor\pctsAuxs.exe [06.10.2009 16:39 348752]
S3 TSMPacket;DSL-Manager Service;c:\windows\system32\DRIVERS\tsmpkt.sys --> c:\windows\system32\DRIVERS\tsmpkt.sys [?]
.
Inhalt des "geplante Tasks" Ordners

2009-01-02 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8222608407.job
- c:\programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]

2009-10-11 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-13 16:50]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-05-21 07:02]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2009-05-21 07:02]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\programme\Avira\AntiVir Desktop\avsda.dll
TCP: {1EAAEA45-E383-46B3-85A4-D0B4FC7B9A7A} = 192.168.178.1,192.168.178.2
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\dokumente und einstellungen\Konstantin\Anwendungsdaten\Mozilla\Firefox\Profiles\h56dvdu0.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npmidas.dll

---- FIREFOX Richtlinien ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{3C605200-6FAC-4587-986F-5DE5042EFC8E} - (no file)
BHO-{D48D559B-BEFB-42BB-BF29-1F126E5B4C12} - (no file)
Notify-urqQKcyw - urqQKcyw.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 11:45
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-369a-8bff-96c9fa5cb45f}\InprocServer32*]
"Class"=hex:41,a4,88,c2,d1,09,9b,b0,36,c7,59,42,23,b9,e4,25,90,ed,34,56,34,5e,
b1,44,42,55,ca,b9,7d,36,2c,3a,bc,d9,be,21,e6,9e,93,c9,ac,f6,c2,d8,8f,47,51,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-4d73-b18e-ac12fa5cb45f}\InprocServer32*]
"Class"=hex:00,08,17,ba,82,53,1e,ac,94,e8,5f,8a,cf,2d,e3,15,df,8d,4f,30,63,46,
56,9b,df,49,fd,4b,d8,00,59,7e,f9,3b,7a,c9,89,ba,f3,c6,16,c9,0a,25,5a,b0,0e,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-8be9-b97f-d8bafa5cb45f}\InprocServer32*]
"Class"=hex:53,02,1e,7f,09,39,85,e4,c1,07,8f,e5,3e,a9,76,84,b7,6b,90,7f,10,b6,
b9,3c,63,da,98,57,54,d4,92,1e,5d,c7,77,01,08,42,87,74,5f,6e,af,8e,b7,04,56,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-a103-57d5-82f1fa5cb45f}\InprocServer32*]
"Class"=hex:a6,10,f2,ff,91,53,31,96,1d,4e,6d,4c,bf,69,50,bf,59,e8,83,24,8e,cd,
bb,8a,2a,ee,ff,9b,db,6a,2d,9f,60,23,ec,fa,55,fb,1f,0f,b3,38,ae,14,9a,c2,f1,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-a9b5-40bd-a961fa5cb45f}\InprocServer32*]
"Class"=hex:a8,13,24,f7,c5,05,ef,24,98,a6,f9,97,c8,32,ef,3d,f7,cc,0f,59,60,1e,
b8,49,82,7a,e2,0e,7c,33,3c,5e,a7,1c,eb,a5,27,26,5b,00,27,bc,67,71,d9,a7,df,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-b4b4-1b9b-2c7ffa5cb45f}\InprocServer32*]
"Class"=hex:f9,ff,b7,cd,90,4b,d6,e7,62,f2,d4,2e,65,82,67,67,d2,91,af,90,c0,8a,
ac,d4,00,b0,f3,1c,fb,37,2f,07,ea,60,de,9d,f2,0f,e2,2a,58,b6,2b,54,88,91,4e,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-f0e6-9dfc-a884fa5cb45f}\InprocServer32*]
"Class"=hex:0b,8c,71,7c,35,73,2b,59,34,0d,3d,fc,fe,9a,24,d7,7c,5b,01,b8,bb,b6,
80,08,70,a2,9d,85,ac,2d,cc,1a,bd,63,3a,15,5c,07,be,89,0f,bc,ae,af,93,05,75,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'lsass.exe'(660)
c:\programme\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\Gemeinsame Dateien\Autodata Limited Shared\Service\ADCDLicSvc.exe
c:\windows\system32\rundll32.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\windows\system32\PAStiSvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-10-11 11:50 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-10-11 09:50

Vor Suchlauf: 8.348.217.344 Bytes frei
Nach Suchlauf: 8.194.519.040 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /noguiboot

268 --- E O F --- 2009-09-09 15:34
11.10.2009, 12:20
Member

Posts: 3716
#10 Update MalwareBytes once more and run a full scan, delete the findings, post the log, and report how the PC is running.
11.10.2009, 19:44
Member

Thread starter

Posts: 23
#11 So the program is still running (for 1h25min now; it has found 15 infected objects so far). AntiVir all of a sudden found a whole lot too (it seems to me as if my PC has become even more vulnerable :/), and Spyware Doctor found 2 threats and 108 infections.

Spyware Doctor:
Threat name -- Infections
1. Application.NirCmd ------- 107
2. Trojan.Generic --------------- 1

They were removed by Spyware Doctor, though.
11.10.2009, 20:32
Member

Posts: 3716
#12 Right-click the Avira umbrella icon, deactivate it, switch it back on after the scan, then go to Events and show what was found.
11.10.2009, 20:44
Member

Thread starter

Posts: 23
#13 Here's the Anti-Malware one first.

And why should one deactivate AntiVir during the scan??

And how can I get rid of this black screen that appears at every restart? It's really annoying; after it's gone there's still about 7 seconds of black screen without any text.


Malwarebytes' Anti-Malware 1.41
Datenbank Version: 2943
Windows 5.1.2600 Service Pack 3, v.3264

11.10.2009 20:38:00
mbam-log-2009-10-11 (20-38-00).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 254341
Laufzeit: 2 hour(s), 19 minute(s), 14 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 16

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Programme\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP430\A0098523.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099517.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099537.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099538.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099568.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099569.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099596.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099597.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099613.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099625.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099626.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099645.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0E901A8-2501-446E-855B-05A0D52DD0BE}\RP431\A0099646.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Games usw\Combat Arms\Combat Arms EU\Game\CShell.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
This post was edited on 11.10.2009 at 20:49 by Duros.
11.10.2009, 21:29
Member

Posts: 3716
#14 Probably so the Guard doesn't keep kicking in. Where are the alerts?
http://www.paules-pc-forum.de/forum/4-pc-sicherheit/112535-avira-antivir-anleitung-zur-einrichtung.html
Configure Avira as described there, leaving out the parts concerning Premium; then update Avira, then click Local Protection and Local Drives, findings into quarantine, post the log.
After that, Local Protection again, Rootkit Search, select "No" at the prompt at the end, and post that log too.
What do you mean by black screen, completely black?
11.10.2009, 21:35
Member

Thread starter

Posts: 23
#15 One of the programs I was supposed to use, like Anti-Malware or GMER, said that something would be displayed at every restart (lasting 2 sec) and that it should be ignored if not needed, but after those 2 sec there's just black for about 7 sec.