After a Google search, the wrong link is opened!

05.12.2010, 14:08

Hello,

I have already found and read several threads on this topic (but did not understand everything). Since I am quite a layman, I need your help to solve the problem.

Problem:
- After the "Google search", the links only work after clicking them a second time. Most of the time I am redirected to shopping sites such as www[.]spardeingeld[.]de.
- I have the problem in IE as well as in Firefox.
- Yesterday I uninstalled Firefox, including the personal data, and reinstalled it. At first I had the feeling that it had worked; however, the problem showed up again today.
- The PC is generally very slow, i.e. it takes a long time to boot and it sounds as if it is constantly working in the background.

OTL:

OTL logfile created on: 05.12.2010 12:28:49 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Lars der alte Sack\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 42,00% Memory free
4,00 Gb Paging File | 2,00 Gb Available in Paging File | 56,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 34,18 Gb Total Space | 6,32 Gb Free Space | 18,48% Space Free | Partition Type: NTFS
Drive E: | 109,01 Gb Total Space | 86,96 Gb Free Space | 79,77% Space Free | Partition Type: NTFS
Drive H: | 7,51 Gb Total Space | 3,18 Gb Free Space | 42,35% Space Free | Partition Type: FAT32

Computer Name: LARS | User Name: Lars der alte Sack | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Lars der alte Sack\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)
PRC - C:\Programme\Windows Media Player\wmplayer.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
PRC - C:\Programme\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
PRC - C:\Programme\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\Join Air\AssistantServices.exe ()
PRC - C:\Programme\Join Air\UIExec.exe ()
PRC - C:\Programme\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Programme\Spyware Doctor\pctsTray.exe (PC Tools)
PRC - C:\Programme\Spyware Doctor\pctsSvc.exe (PC Tools)
PRC - C:\Programme\Spyware Doctor\pctsAuxs.exe (PC Tools)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Mail\WinMail.exe (Microsoft Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Windows\BisonCam\BisonHK.exe ()
PRC - C:\Windows\BisonCam\BsMnt.exe ()
PRC - C:\Programme\O2Micro Oz128 Driver\o2flash.exe (O2Micro International)
PRC - C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)


========== Modules (SafeList) ==========

MOD - C:\Users\Lars der alte Sack\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)
MOD - C:\Programme\Spyware Doctor\smumhook.dll (PC Tools)


========== Win32 Services (SafeList) ==========

SRV - (hpqcxs08) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll File not found
SRV - (FirebirdServerMAGIXInstance) -- C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe File not found
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (WDDMService) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
SRV - (UI Assistant Service) -- C:\Programme\Join Air\AssistantServices.exe ()
SRV - (WDSmartWareBackgroundService) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
SRV - (sdCoreService) -- C:\Programme\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Programme\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (o2flash) -- C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2Micro International)
SRV - (IAANTMON) Intel(R) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)


========== Driver Services (SafeList) ==========

DRV - (SANDRA) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\WNt500x86\Sandra.sys File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (MGHwCtrl) -- C:\Windows\System32\drivers\MGHwCtrl.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (FLASHSYS) -- C:\Program Files\MSI\Live Update 4\LU4\FLASHSYS.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (massfilter) -- C:\Windows\System32\drivers\massfilter.sys (ZTE Incorporated)
DRV - (usbaudio) USB-Audiotreiber (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (ZTEusbnmea) -- C:\Windows\System32\drivers\ZTEusbnmea.sys (ZTE Incorporated)
DRV - (ZTEusbser6k) -- C:\Windows\System32\drivers\ZTEusbser6k.sys (ZTE Incorporated)
DRV - (ZTEusbmdm6k) -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys (ZTE Incorporated)
DRV - (IKSysSec) -- C:\Windows\System32\drivers\iksyssec.sys (PCTools Research Pty Ltd.)
DRV - (IKSysFlt) -- C:\Windows\System32\drivers\iksysflt.sys (PCTools Research Pty Ltd.)
DRV - (IKFileSec) -- C:\Windows\system32\drivers\ikfilesec.sys (PCTools Research Pty Ltd.)
DRV - (NETw4v32) Intel(R) -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (USB28xxBGA) -- C:\Windows\System32\drivers\emBDA.sys (eMPIA Technology, Inc.)
DRV - (USB28xxOEM) -- C:\Windows\System32\drivers\emOEM.sys (eMPIA Technology, Inc.)
DRV - (AF15BDA) -- C:\Windows\System32\drivers\AF15BDA.sys (AfaTech )
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (Cam5603D) -- C:\Windows\System32\drivers\BisonCam.sys (Bison Electronics. Inc. )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (O2MDRDR) -- C:\Windows\system32\DRIVERS\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\Windows\system32\DRIVERS\o2sd.sys (O2Micro )
DRV - (iaNvStor) Intel(R) -- C:\Windows\system32\DRIVERS\iaNvStor.sys (Intel Corporation)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel® Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (fwrnusb) -- C:\Windows\System32\drivers\fwrnusb.sys (Telekom)
DRV - (k750bus) Sony Ericsson 750 driver (WDM) -- C:\Windows\System32\drivers\k750bus.sys (MCCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com.tw

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.12.04 11:34:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.12.04 11:34:45 | 000,000,000 | ---D | M]

[2010.12.04 11:35:51 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\mozilla\Extensions
[2008.05.04 13:25:03 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\mozilla\Extensions\home2@tomtom.com
[2010.12.05 11:59:05 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\mozilla\Firefox\Profiles\8gb9by2s.default\extensions
[2010.12.05 10:53:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lars der alte Sack\AppData\Roaming\mozilla\Firefox\Profiles\8gb9by2s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.12.04 11:34:45 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.10.11 21:14:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010.10.26 18:17:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010.09.15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.10.27 06:44:13 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.10.27 06:44:13 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.10.27 06:44:13 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.10.27 06:44:13 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.10.27 06:44:13 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll File not found
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (Google Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BisonHK] C:\Windows\BisonCam\BisonHK.exe ()
O4 - HKLM..\Run: [BsMnt] C:\Windows\BisonCam\BsMnt.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UIExec] C:\Program Files\Join Air\UIExec.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe File not found
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll File not found
O9 - Extra Button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Games\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Games\PartyPoker\RunApp.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{081f27a7-822f-11dd-b6e6-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{7b369c10-75ec-11df-9443-0019dbf18dba}\Shell - "" = AutoRun
O33 - MountPoints2\{7b369c10-75ec-11df-9443-0019dbf18dba}\Shell\AutoRun\command - "" = D:\Install.exe -- File not found
O33 - MountPoints2\{849f9fd3-f537-11dc-98c0-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{849f9fd3-f537-11dc-98c0-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Setup.exe -- File not found
O33 - MountPoints2\{b39fc089-9724-11df-af36-0019dbf18dba}\Shell - "" = AutoRun
O33 - MountPoints2\{b39fc089-9724-11df-af36-0019dbf18dba}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{e24414b4-2301-11df-9a14-0019dbf18dba}\Shell\AutoRun\command - "" = I:\installer.exe -- File not found
O33 - MountPoints2\{f32cf695-c643-11de-a8c4-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{f32cf6b0-c643-11de-a8c4-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.12.05 12:25:50 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Lars der alte Sack\Desktop\OTL.exe
[2010.12.05 11:47:34 | 000,000,000 | ---D | C] -- C:\Users\Lars der alte Sack\AppData\Roaming\Malwarebytes
[2010.12.05 11:47:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.12.05 11:47:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.12.05 11:47:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.12.05 11:47:16 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.12.05 11:46:37 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Lars der alte Sack\Desktop\mbam-setup-1.46.exe
[12 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[12 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.12.05 12:30:59 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{548B19B7-8F20-43B4-BE54-EBFBE33A5C18}.job
[2010.12.05 12:25:49 | 000,013,636 | ---- | M] () -- C:\Users\Lars der alte Sack\AppData\Roaming\nvModes.001
[2010.12.05 12:07:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Lars der alte Sack\Desktop\OTL.exe
[2010.12.05 11:47:21 | 000,000,828 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.12.05 11:46:42 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Lars der alte Sack\Desktop\mbam-setup-1.46.exe
[2010.12.05 11:36:18 | 000,000,444 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{11408962-BBD5-45CA-BD2B-B086CD03B0A3}.job
[2010.12.05 10:50:49 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\PCConfidential.job
[2010.12.05 10:50:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.12.05 10:50:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.12.05 10:50:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.12.04 13:52:36 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010.12.04 11:34:49 | 000,001,734 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.11.30 07:32:58 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.11.30 07:32:58 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.11.30 07:32:58 | 000,122,648 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.11.30 07:32:58 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.11.29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.11.29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.11.24 20:43:55 | 000,013,636 | ---- | M] () -- C:\Users\Lars der alte Sack\AppData\Roaming\nvModes.dat
[2010.11.23 07:12:12 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010.11.19 19:25:10 | 000,001,897 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010.11.15 22:03:21 | 000,001,356 | ---- | M] () -- C:\Users\Lars der alte Sack\AppData\Local\d3d9caps.dat
[2010.11.15 16:42:33 | 000,126,856 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[12 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[12 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.12.05 11:47:21 | 000,000,828 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.12.04 11:34:49 | 000,001,734 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.10.26 18:22:33 | 000,022,016 | ---- | C] () -- C:\Windows\System32\wmp32.dll
[2010.06.23 13:18:08 | 000,000,032 | ---- | C] () -- C:\Windows\Menu.INI
[2009.08.30 17:18:28 | 000,000,552 | ---- | C] () -- C:\Users\Lars der alte Sack\AppData\Local\d3d8caps.dat
[2009.08.19 05:59:41 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.07.03 20:57:31 | 000,000,206 | ---- | C] () -- C:\Windows\System32\abcefd8_g.dll
[2008.08.25 19:31:53 | 000,000,046 | ---- | C] () -- C:\Windows\hmview.ini
[2008.06.19 16:28:18 | 000,001,025 | ---- | C] () -- C:\Windows\System32\clauth2.dll
[2008.06.19 16:28:18 | 000,001,025 | ---- | C] () -- C:\Windows\System32\clauth1.dll
[2008.06.19 16:28:18 | 000,000,073 | ---- | C] () -- C:\Windows\System32\ssprs.dll
[2008.06.19 16:28:17 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll
[2008.06.19 16:28:17 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll
[2008.06.15 21:27:02 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2008.06.15 20:55:04 | 000,019,968 | ---- | C] () -- C:\Windows\System32\cpuinf32.dll
[2008.06.15 20:53:00 | 000,000,169 | ---- | C] () -- C:\Windows\magix.ini
[2008.06.15 20:48:33 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2008.05.21 22:11:54 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2008.04.21 18:12:27 | 000,001,356 | ---- | C] () -- C:\Users\Lars der alte Sack\AppData\Local\d3d9caps.dat
[2008.04.21 18:04:08 | 000,008,192 | ---- | C] () -- C:\Users\Lars der alte Sack\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.04.09 22:14:16 | 000,007,455 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008.04.09 22:09:17 | 000,001,492 | ---- | C] () -- C:\Users\Lars der alte Sack\AppData\Roaming\wklnhst.dat
[2008.04.06 11:43:09 | 000,007,119 | ---- | C] () -- C:\Windows\mgxoschk.ini
[2008.04.05 16:00:38 | 000,000,305 | ---- | C] () -- C:\ProgramData\addr_file.html
[2008.04.05 15:40:41 | 000,013,636 | ---- | C] () -- C:\Users\Lars der alte Sack\AppData\Roaming\nvModes.001
[2008.04.05 15:40:35 | 000,013,636 | ---- | C] () -- C:\Users\Lars der alte Sack\AppData\Roaming\nvModes.dat
[2007.06.13 13:53:49 | 000,015,190 | ---- | C] () -- C:\Windows\M2000Twn.ini
[2007.06.13 13:01:41 | 000,163,840 | ---- | C] () -- C:\Windows\System32\nvccoin.dll
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009.09.06 15:05:10 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\CopyTrans
[2010.08.01 09:46:06 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\FinalMediaPlayer
[2008.06.18 18:23:35 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\NCH Swift Sound
[2009.02.19 20:00:57 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\Petroglyph
[2008.04.09 22:09:27 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\Template
[2010.07.24 14:21:49 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\Western Digital
[2009.09.06 15:03:58 | 000,000,000 | ---D | M] -- C:\Users\Lars der alte Sack\AppData\Roaming\WindSolutions
[2010.12.05 10:50:49 | 000,000,416 | ---- | M] () -- C:\Windows\Tasks\PCConfidential.job
[2010.12.04 13:52:39 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010.12.05 11:36:18 | 000,000,444 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{11408962-BBD5-45CA-BD2B-B086CD03B0A3}.job
[2010.12.05 12:30:59 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{548B19B7-8F20-43B4-BE54-EBFBE33A5C18}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP;)FC5A2B2

< End of report >


OTL Extras logfile created on: 05.12.2010 12:28:49 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Lars der alte Sack\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 42,00% Memory free
4,00 Gb Paging File | 2,00 Gb Available in Paging File | 56,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 34,18 Gb Total Space | 6,32 Gb Free Space | 18,48% Space Free | Partition Type: NTFS
Drive E: | 109,01 Gb Total Space | 86,96 Gb Free Space | 79,77% Space Free | Partition Type: NTFS
Drive H: | 7,51 Gb Total Space | 3,18 Gb Free Space | 42,35% Space Free | Partition Type: FAT32

Computer Name: LARS | User Name: Lars der alte Sack | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[color=#E56717]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[color=#E56717]========== Authorized Applications List ==========[/color]


[color=#E56717]========== Vista Active Open Ports Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{06499B6F-2E7B-416F-8A64-00F722F5DDB0}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{356AAC5A-1F1F-47D2-8321-5C8DD6845718}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{3CAB7492-2DA3-45DE-83F0-9ADEB0EE6CB1}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{4FFE2B69-40DF-4F9D-9FD4-E3115C094EE6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6185F065-E190-40E3-85B9-41400BBF905F}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{844F5B87-B0F3-45CE-8D55-A195A3584DB6}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{97660262-8983-4699-A564-D162DAA384DA}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{9C3A039F-26F3-413D-9542-1DF65F2F0CB7}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{9E56F34A-B333-4275-84F5-508C5156ECDD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A4E6F8B5-B8E4-4B4B-BB4F-CCF76330CC1E}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A508E9AD-2B7C-478B-9777-DA2C6E553E96}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C71C8550-3679-4604-92E0-4A03BD15046F}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C98DA3F9-18E6-4603-8461-6600F0E558AA}" = lport=10243 | protocol=6 | dir=in | app=system |
"{D0F54BB3-0951-4695-ABC5-F467AE39954A}" = rport=10243 | protocol=6 | dir=out | app=system |
"{D18B1550-7B93-4459-A0A5-F7DE17CE830D}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |

[color=#E56717]========== Vista Active Application Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{029CF68D-5E68-4F13-83A9-05C02C214668}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{0339FC9A-3380-4C0A-AADA-A0FB5806797C}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{08F5F49D-98FA-4FEF-98EE-9244AACF89C1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0F5DEBEC-C5CD-4915-80D0-24CA5DA46A9E}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{18C11C22-06C3-42DB-A0C3-7EB3485A8B66}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1E206CC0-F4FB-4BA1-A483-C9684C67554E}" = protocol=6 | dir=in | app=d:\itunes.exe |
"{2A023FE3-13F6-4418-BBD7-8DBC994F1DA1}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{2DF9AB22-D36A-4AEE-8A2B-D6EF7C79C919}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{3A0256E5-FBF7-47E1-B970-F1AFC79AD630}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{3AFA9AEA-FC1A-44BB-872C-2E2A5F3BC6B4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{57F00744-EE32-48AC-91DD-EEC5C7EDD608}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{59C14D60-5A84-46CE-BA94-3A572B937C14}" = protocol=6 | dir=out | app=system |
"{73D66D51-DE54-49D3-BD9D-C3D592F065D1}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{856C30A8-C0DD-4676-996E-3A427B7FCE15}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8EFBB195-469B-4430-A9CE-84B206FA1E87}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{95E5AB15-315D-4EE7-99DA-C88D8629EB87}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{9F350DED-2FF0-44B7-AA15-B3AD346BEF9F}" = protocol=6 | dir=in | app=e:\games\game.dat |
"{A02619FB-8334-4FDC-80CE-7FFBFABE487A}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{B43EAA57-EBF3-4570-8413-99404653D645}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{B6C1236A-6B87-40FC-AADB-05D48206DD88}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B71C9BAC-374F-4BF8-AD41-9D87679F9314}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B8063466-9CE8-41D8-B88F-60F39F2407FE}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{BF342E23-1DA4-49E2-BE8C-4123226E32D8}" = protocol=17 | dir=in | app=d:\itunes.exe |
"{C218682C-F135-410B-BC8D-F75ECCCB5807}" = protocol=17 | dir=in | app=e:\games\game.dat |
"{DB944EE2-81C0-4BF9-8480-FBE9E967232A}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\wnt500x86\rpcsandrasrv.exe |
"{DF1D6A48-66B8-4C7D-9FDA-18EAB4DC8506}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E05D6C24-2CCA-451F-80F2-639A7A796F6A}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{F6C650F7-697F-4652-ACA9-710DC02D0D6E}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F7DB3561-2E23-4021-9BA4-9DBC5E8B5E69}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"TCP Query User{5FE5D2C2-6B9E-40B5-9A12-8D938DED2C7A}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{89EAE38E-8781-419D-8DC0-B09C171CB6A6}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{92FD6485-284C-4254-9F02-8329DB086D7E}E:\games\game.dat" = protocol=6 | dir=in | app=e:\games\game.dat |
"UDP Query User{19C9B909-2B30-4131-AAA4-C52E6E7D5B7A}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{4E6FFE47-FB08-484E-9566-5B2BA0C45374}E:\games\game.dat" = protocol=17 | dir=in | app=e:\games\game.dat |
"UDP Query User{E31B51FA-8326-4B36-B1B8-128B97D2F1BF}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{056268CC-BC9E-4948-83BF-0C1E0E955883}" = Initio USB Default Controller Driver 32-bit
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{232DB76D-4751-41A9-9EC2-CDC0DAC1FAB6}" = WD SmartWare
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 22
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A57592C-FF92-4083-97A9-92783BD5AFB4}" = BisonCam
"{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}" = Microsoft Works
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{5D9B17E4-5C34-45B2-9C95-8B9DB4CF7AF3}" = HP_Network_UserGuide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78764173-3805-4916-B3CE-B433702B8870}" = O2Micro Flash Memory Card Reader Driver Installer(x86)
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2C60BF1-82E3-493C-911D-14AD50471F2F}" = Rundum-Betrachter-innoPlus
"{A9E5EDA7-2E6C-49E7-924B-A32B89C24A04}" = Join Air
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.1 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B2D7C787-7BFD-47b3-AE85-60146221015D}" = C4380_Help
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{BA165460-FCF7-4D6C-A7A2-F2321700720F}" = MobileMe Control Panel
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CCF22908-ECD2-4068-84F1-BA02DA1EC72D}" = GoGear Spark Device Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBB0F0D8-D1A1-4F15-A031-C2B7BCCF63D0}" = GoGear Spark Device Manager
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"050687C778546C6B4394BBA447EF152225312328" = Windows Driver Package - Bluetooth Dongle Maker Bluetooth (01/01/2007 6.0.6000.16386)
"1713EFD0409BCDF53DED33020E5FE8E4FB97BA41" = Windows Driver Package - Intel (NETw2v32) net (03/06/2007 9.1.1.15)
"195542A0B31C09E423E56F0170C91E08AE9084BF" = Windows Driver Package - Atheros Communications Inc. Net (04/15/2007 7.2.0.204)
"2B7701FAB28420FC913E2F6B14E05BF5E2CC3A3A" = Windows Driver Package - Intel (iaNvStor) SCSIAdapter (03/10/2007 1.0.0.1082)
"826B99A85CD4868B9A3FAED5E017F71E18E06320" = Windows Driver Package - Intel (NETw4v32) net (04/30/2007 11.1.1.11)
"9D79C0A6F2EAAA6C6EE43E3C5E767B7D3877AC69" = Windows Driver Package - Intel net (04/30/2007 11.1.1.11)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"AudibleManager" = AudibleManager
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"D05DA14883E767E9A25DF66DF49F8700A0290ACD" = Windows Driver Package - Atheros Communications Inc. (athr) Net (04/15/2007 7.2.0.204)
"FKC22150706_is1" = fotokasten comfort
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"NVIDIA Drivers" = NVIDIA Drivers
"Spyware Doctor" = Spyware Doctor 6.0
"WinRAR archiver" = WinRAR archiver

[color=#E56717]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 04.12.2010 05:35:47 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 41106

Error - 04.12.2010 05:35:50 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 04.12.2010 05:35:50 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 44024

Error - 04.12.2010 05:35:50 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 44024

Error - 04.12.2010 05:35:52 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 04.12.2010 05:35:52 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 45474

Error - 04.12.2010 05:35:52 | Computer Name = Lars | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 45474

Error - 04.12.2010 06:25:35 | Computer Name = Lars | Source = WDSmartWareBackgroundService | ID = 0
Description =

Error - 04.12.2010 08:47:27 | Computer Name = Lars | Source = VSS | ID = 8194
Description =

Error - 05.12.2010 05:51:28 | Computer Name = Lars | Source = WDSmartWareBackgroundService | ID = 0
Description =

[ System Events ]
Error - 18.11.2010 11:55:34 | Computer Name = Lars | Source = EventLog | ID = 6008
Description = The previous system shutdown at 16:52:48 on 18.11.2010 was unexpected.

Error - 19.11.2010 14:25:12 | Computer Name = Lars | Source = Service Control Manager | ID = 7009
Description =

Error - 19.11.2010 14:25:12 | Computer Name = Lars | Source = Service Control Manager | ID = 7000
Description =

Error - 19.11.2010 14:25:12 | Computer Name = Lars | Source = DCOM | ID = 10005
Description =

Error - 19.11.2010 18:34:03 | Computer Name = Lars | Source = Service Control Manager | ID = 7011
Description =

Error - 20.11.2010 06:43:14 | Computer Name = Lars | Source = volsnap | ID = 393252
Description = The shadow copies of volume "C:" were aborted because the shadow copy storage
could not grow due to a user imposed limit.

Error - 28.11.2010 14:31:10 | Computer Name = Lars | Source = Service Control Manager | ID = 7011
Description =

Error - 28.11.2010 14:31:38 | Computer Name = Lars | Source = Service Control Manager | ID = 7011
Description =

Error - 04.12.2010 04:25:53 | Computer Name = Lars | Source = ACPI | ID = 327693
Description = : The embedded controller (EC) did not respond within the specified
timeout period. This may indicate that there is an error in the EC hardware or firmware,
or that the BIOS is accessing the EC incorrectly. You should check with your computer
manufacturer for an upgraded BIOS. In some situations, this error may cause the computer
to function incorrectly.

Error - 04.12.2010 08:49:49 | Computer Name = Lars | Source = ACPI | ID = 327693
Description = : The embedded controller (EC) did not respond within the specified
timeout period. This may indicate that there is an error in the EC hardware or firmware,
or that the BIOS is accessing the EC incorrectly. You should check with your computer
manufacturer for an upgraded BIOS. In some situations, this error may cause the computer
to function incorrectly.


< End of report >
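A check worth running over the Shell Spawning and Security Center sections of the OTL Extras log above. The Python below is an added example, not part of the post and not OTL's own code: it parses those two OTL sections, compares the `open` command of each executable file class against the Windows default (a hijacked `exefile` entry typically puts a loader path in front of `"%1" %*`, so every executable launch passes through it), and lists the Security Center keys that have `DisableMonitoring` set, so they can be reviewed against the security products actually installed. The excerpt it parses is copied from the log above; the single hijacked `exefile` line is constructed to show what a deviation looks like, and the defaults table and function names are this example's own.

```python
import re

# Excerpt copied from the OTL Extras log in the post above.
OTL_EXCERPT = r"""
[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"""

# CONSTRUCTED line (not from the log): what a hijacked exefile entry looks like.
HIJACKED_LINE = r'exefile [open] -- "C:\Users\Public\loader.exe" "%1" %*'

# Windows defaults for the executable file classes' [open] verb.
EXPECTED_OPEN = {
    "batfile": '"%1" %*', "cmdfile": '"%1" %*', "comfile": '"%1" %*',
    "exefile": '"%1" %*', "piffile": '"%1" %*', "scrfile": '"%1" /S',
}

SECTION_RE = re.compile(r"========== (.+?) ==========")
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")      # class [verb] -- command
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")               # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(\w+)" = (.*)$')                # "Name" = data


def split_sections(text):
    """Group non-empty lines under the OTL section header they follow."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def check_shell_spawning(lines):
    """Return (class, verb, actual, expected) for every [open] command that deviates."""
    deviations = []
    for line in lines:
        m = SPAWN_RE.match(line)
        if not m:
            continue
        cls, verb, cmd = m.groups()
        if verb == "open" and cls in EXPECTED_OPEN and cmd != EXPECTED_OPEN[cls]:
            deviations.append((cls, verb, cmd, EXPECTED_OPEN[cls]))
    return deviations


def disabled_monitoring(lines):
    """Return the registry keys whose DisableMonitoring value is 1, in log order."""
    keys, current = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1) == "DisableMonitoring" and m.group(2).strip() == "1":
            keys.append(current)
    return keys


def audit(text):
    s = split_sections(text)
    return {
        "spawn_deviations": check_shell_spawning(s.get("Shell Spawning", [])),
        "monitoring_disabled": disabled_monitoring(s.get("Security Center Settings", [])),
    }


if __name__ == "__main__":
    print(audit(OTL_EXCERPT))                       # no spawn deviations in this log
    print(check_shell_spawning([HIJACKED_LINE]))    # the constructed hijack is flagged
```

In the log above all six executable classes are at their defaults, so the redirect problem is not a shell-spawning hijack; the function only fires on the constructed line. A real OTL line may carry a trailing "(Company Name)" as in the `cplfile` entry, which also fails the exact comparison and is therefore reported for a look.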
05.12.2010, 14:09
...new here

Thread starter

Posts: 8
#2 Malwarebytes:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

05.12.2010 13:07:48
mbam-log-2010-12-05 (13-07-48).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 298590
Time elapsed: 1 hour(s), 14 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\wmp32.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http:xxwww.helpmeopen.com/?n=app&ext=%s) Good: (hxxp://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\wmp32.dll (Trojan.Downloader) -> Delete on reboot.
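The Malwarebytes findings above come down to two items: a DLL that could only be marked "Delete on reboot" because it was still loaded when the scan ran, and a hijacked `Explorer\Associations\Application` value. That value holds the URL Windows calls when a user asks to look up an unknown file type on the web, so pointing it at helpmeopen.com sends those lookups to a third party; Malwarebytes reports having restored the Microsoft default. The Python below is an added triage helper, not part of the post and not Malwarebytes' own code: it parses the finding lines, separates the actions that still need a reboot to complete (those objects should be confirmed gone in a follow-up scan), and extracts the bad and good hosts from the hijack entry, tolerating the defanged `hxxp://` and `http:xx` spellings the forum uses. The log excerpt is copied from the post; the function names and the default-host constant are this example's own.

```python
import re

# Finding lines copied from the Malwarebytes log in the post above.
MBAM_EXCERPT = r"""
Memory Modules Infected:
c:\Windows\System32\wmp32.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http:xxwww.helpmeopen.com/?n=app&ext=%s) Good: (hxxp://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\wmp32.dll (Trojan.Downloader) -> Delete on reboot.
"""

# "<object> (<detection>) -> <detail> -> ... -> <action>."
FINDING_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
# Accepts real URLs as well as the defanged forms "hxxp://host" and "http:xxhost".
HOST_RE = re.compile(r"^(?:https?|hxxps?):(?://|xx)(?P<host>[^/?]+)", re.IGNORECASE)

# Host of Microsoft's file-association lookup service, the expected "Good" value.
DEFAULT_ASSOC_HOST = "shell.windows.com"


def parse_findings(text):
    """Turn every finding line into a dict; section headers and placeholders are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        findings.append({
            "object": m.group("obj"),
            "detection": m.group("det"),
            "details": parts[:-1],
            "action": parts[-1].rstrip("."),
        })
    return findings


def pending_reboot(findings):
    """Objects whose removal was deferred; verify after reboot that they are really gone."""
    return sorted({f["object"] for f in findings
                   if f["action"].lower().startswith("delete on reboot")})


def host_of(url):
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else None


def association_hijacks(findings):
    """Extract bad/good hosts from entries that carry a Bad: (...) Good: (...) pair."""
    hijacks = []
    for f in findings:
        for detail in f["details"]:
            m = BAD_GOOD_RE.search(detail)
            if not m:
                continue
            good = host_of(m.group("good"))
            hijacks.append({
                "key": f["object"],
                "bad_host": host_of(m.group("bad")),
                "good_host": good,
                "restored_to_default": good == DEFAULT_ASSOC_HOST,
            })
    return hijacks


if __name__ == "__main__":
    found = parse_findings(MBAM_EXCERPT)
    print("pending reboot:", pending_reboot(found))
    print("association hijacks:", association_hijacks(found))
```

The same DLL appears twice (once as a loaded module, once as a file), which is why `pending_reboot` de-duplicates by object path. A "Delete on reboot" entry is only a promise; if the file survives the restart, or a new copy reappears, the downloader is being re-dropped by something the scan did not catch, which fits the symptom of the problem returning after the Firefox reinstall.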
05.12.2010, 14:11
...new here

Thread starter

Posts: 8
#3 GMER


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-05 13:55:40
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.04.0
Running: g0kq7bi7.exe; Driver: C:\Users\LARSDE~1\AppData\Local\Temp\fgrdapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0x8F137794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0x8F137F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0x8F136D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0x8F136384]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateUserProcess [0x8F1386B6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 824FE96C 8 Bytes [94, 77, 13, 8F, 1E, 7F, 13, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 824FED84 4 Bytes [0A, 6D, 13, 8F]
.text ntkrnlpa.exe!KeSetEvent + 681 824FEDE4 4 Bytes [84, 63, 13, 8F]
.text ntkrnlpa.exe!KeSetEvent + 6E5 824FEE48 4 Bytes [B6, 86, 13, 8F]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE09340, 0x344E47, 0xE8000020]
? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Spyware Doctor\pctsSvc.exe[228] kernel32.dll!CreateThread + 1A 7607C928 4 Bytes CALL 0044A809 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[376] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[408] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\System32\svchost.exe[408] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\wbem\wmiprvse.exe[508] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[584] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\csrss.exe[584] KERNEL32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[636] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\wininit.exe[636] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\csrss.exe[648] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\csrss.exe[648] KERNEL32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\services.exe[680] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[680] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\services.exe[680] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[680] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\services.exe[680] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1992] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1992] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1992] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2020] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2080] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2272] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\taskeng.exe[2272] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[2320] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\Dwm.exe[2320] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[2384] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\Explorer.EXE[2384] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[2428] kernel32.dll!CreateThread + 1A 7607C928 4 Bytes CALL 0044A81D C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2560] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[2560] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Join Air\AssistantServices.exe[2588] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe[2680] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe[2700] KERNEL32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[2764] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\RtHDVCpl.exe[2764] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BisonHK.exe[2772] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\BisonCam\BisonHK.exe[2772] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2784] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\System32\svchost.exe[2784] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\BisonCam\BsMnt.exe[2828] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\BisonCam\BsMnt.exe[2828] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2868] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\System32\rundll32.exe[2968] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Join Air\UIExec.exe[3004] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Join Air\UIExec.exe[3004] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3020] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3028] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3116] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3136] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\ehome\ehtray.exe[3136] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3148] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe[3156] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe[3172] KERNEL32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3196] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\ehome\ehmsas.exe[3196] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Users\Lars der alte Sack\Downloads\g0kq7bi7.exe[3208] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[3436] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\System32\rundll32.exe[3436] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\conime.exe[4384] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Windows\system32\conime.exe[4384] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] kernel32.dll!CreateProcessW 76031BF3 5 Bytes JMP 000568F2
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] ADVAPI32.dll!CreateProcessAsUserW 75E71EE9 5 Bytes JMP 00056A3A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!select 75F515F4 5 Bytes JMP 0005667C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!closesocket 75F5330C 5 Bytes JMP 00056642
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!recv 75F5343A 5 Bytes JMP 000566F1
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!GetAddrInfoW 75F53D12 5 Bytes JMP 00055C29
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!connect 75F540D9 5 Bytes JMP 000565C3
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!send 75F5659B 5 Bytes JMP 0005679B
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!gethostbyname 75F662D4 5 Bytes JMP 00056183
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateProcess 77734494 3 Bytes [FF, 25, 1E]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateProcess + 4 77734498 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateProcessEx 777344A4 3 Bytes [FF, 25, 1E]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateProcessEx + 4 777344A8 2 Bytes [11, 5F]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateSection 777344C4 3 Bytes [FF, 25, 1E]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateSection + 4 777344C8 2 Bytes [05, 5F]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtTerminateProcess 777354F4 3 Bytes [FF, 25, 1E]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtTerminateProcess + 4 777354F8 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateUserProcess 77735804 3 Bytes [FF, 25, 1E]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] ntdll.dll!NtCreateUserProcess + 4 77735808 2 Bytes [0B, 5F]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[228] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044A960] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[228] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044A960] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74327817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7437A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7432BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7431F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743275E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7431E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74358395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7432DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7431FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7431FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743171CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [743ACAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7434C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7431D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74316853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7431687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74322AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[2428] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044A974] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[2428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044A974] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0019db0a65f1
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d9213fedd
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d9213fedd@001fe460b99a 0x2B 0x94 0x39 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0019db0a65f1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d9213fedd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d9213fedd@001fe460b99a 0x2B 0x94 0x39 0x34 ...

---- EOF - GMER 1.0.15 ----
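The hook listing above is easier to read once the "+ 4" continuation fragments are merged and the jump destinations are grouped by how many processes share them. The script below is an added example for this thread; it is not part of the original post and not GMER code. It assumes the line layout GMER prints above (`.text <process>[pid] <module>!<export> <address> <n> Bytes ...`), and when it reconstructs the pointer slot of an `FF 25` (JMP dword ptr [imm32]) hook it assumes that the one byte GMER did not print is 0x00, the high byte of the small syscall number in a 32-bit ntdll Nt* stub. The sample lines are copied from the log above; the "low address" flag is a heuristic, not an attribution.

```python
"""Triage of the ".text <process>[pid] <module>!<export> ..." lines in a GMER log.

Added example (not part of the forum post and not GMER code). It merges the
"+ N" continuation fragments, reconstructs the destination of each hook and
groups destinations by how many distinct processes share them.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER output above.
SAMPLE_LOG = r"""
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtWriteVirtualMemory 77735674 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[2968] ntdll.dll!NtWriteVirtualMemory + 4 77735678 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\rundll32.exe[2968] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2976] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] kernel32.dll!CreateProcessW 76031BF3 5 Bytes JMP 000568F2
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!GetAddrInfoW 75F53D12 5 Bytes JMP 00055C29
.text C:\Program Files\Mozilla Firefox\firefox.exe[5920] WS2_32.dll!connect 75F540D9 5 Bytes JMP 000565C3
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[6116] kernel32.dll!LoadLibraryExW 76059109 6 Bytes JMP 5F070F5A
"""

LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"   # image path (may contain spaces) and PID
    r"(?P<export>\S+?!\S+?)"                        # module!export
    r"(?:\s*\+\s*(?P<off>\d+))?\s+"                 # continuation fragment: byte offset
    r"[0-9A-Fa-f]{8}\s+\d+\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]{8})")
BYTES_RE = re.compile(r"^\[([0-9A-Fa-f, ]+)\]")

# Heuristic: 32-bit Windows maps PE images at or above 0x00400000, so a
# destination below that lies in heap/VirtualAlloc memory, i.e. code written
# into the process at run time rather than loaded from a file on disk.
IMAGE_FLOOR = 0x00400000


def parse_fragments(text):
    """Yield one dict per hook line; every other line of the log is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        frag = {"proc": m["proc"], "pid": int(m["pid"]), "export": m["export"],
                "off": int(m["off"] or 0), "jmp": None, "patch": {}}
        j = JMP_RE.match(m["rest"])
        b = BYTES_RE.match(m["rest"])
        if j:
            frag["jmp"] = int(j.group(1), 16)
        elif b:
            # GMER lists only the bytes the hook changed, so keep them by offset.
            for i, byte in enumerate(b.group(1).replace(" ", "").split(",")):
                frag["patch"][frag["off"] + i] = int(byte, 16)
        yield frag


def merge_hooks(fragments):
    """Combine a hook's fragments into one entry per (process, pid, export)."""
    hooks = {}
    for f in fragments:
        h = hooks.setdefault((f["proc"], f["pid"], f["export"]), {"jmp": None, "patch": {}})
        if f["jmp"] is not None:
            h["jmp"] = f["jmp"]
        h["patch"].update(f["patch"])
    return hooks


def destination(hook):
    """Return (kind, address) for a hook, or None if it cannot be reconstructed.

    'JMP xxxxxxxx' lines give the target directly. For an 'FF 25' patch
    (JMP dword ptr [imm32]) the address is the pointer slot in bytes 2..5.
    Bytes GMER did not print were left unchanged by the hook; for a 32-bit
    ntdll Nt* stub (B8 <syscall id>) byte 3 is the high byte of a small
    syscall id, so it is assumed to be 0x00 (assumption of this example).
    """
    if hook["jmp"] is not None:
        return ("jmp", hook["jmp"])
    p = hook["patch"]
    if p.get(0) == 0xFF and p.get(1) == 0x25:
        slot = sum(p.get(2 + i, 0x00) << (8 * i) for i in range(4))
        return ("jmp [ptr]", slot)
    return None


def triage(text):
    """Group hook destinations: {addr: {"kind", "processes", "exports", "low"}}."""
    groups = defaultdict(lambda: {"processes": set(), "exports": set()})
    for (proc, _pid, export), hook in merge_hooks(parse_fragments(text)).items():
        dest = destination(hook)
        if dest is None:
            continue
        kind, addr = dest
        groups[addr]["kind"] = kind
        groups[addr]["processes"].add(proc)
        groups[addr]["exports"].add(export)
    for addr, g in groups.items():
        g["low"] = addr < IMAGE_FLOOR   # below any mapped image: worth a closer look
    return dict(groups)


if __name__ == "__main__":
    for addr, g in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1]["processes"])):
        flag = "LOW, not in an image" if g["low"] else "in image range"
        print(f"{addr:08X} {g['kind']:<10} {len(g['processes'])} process(es) "
              f"{sorted(g['exports'])} [{flag}]")
```

Run over the full log, the 5F070F5A target and the 5Fxx001E pointer slots of the ntdll hooks turn up in every listed process, including Avira's avgnt.exe, which is the footprint of one system-wide hooking DLL (the log also lists Spyware Doctor components, which hook this way), whereas the CreateProcessW, CreateProcessAsUserW and WS2_32 hooks exist only in firefox.exe and jump to 0x0005xxxx, below any mapped image. Which module owns the 0x5F000000 region and what lives at 0x00055C29 has to be checked on the machine itself, for example against the module list of that process; the script only sorts the hooks so that those two questions can be asked.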
05.12.2010, 21:29
Moderator

Posts: 5694
#4 Hello and welcome to Protecus.de

Cleaning an infected system takes time, and it also requires that the following points be observed:

• Follow the instructions of the helper in charge.
• If you have external storage media (USB sticks, hard drives), connect them before the cleanup.
• During the cleanup you should neither install nor uninstall any programs that are not expressly requested.
• Please work through each step in order.
• If problems occur at any step, post what you already have and report back with a description of the problem.


• The cleanup is only finished when the helper in charge gives the OK.
• If the machine runs smoothly again, that does not mean the system is also clean.
• For computers used for business, the responsible IT person should be brought in.
• Support on our part may be declined for a company computer.
• If illegal software is present, support may be discontinued.
• Cracks or keygens of any kind are neither supported nor accepted.
• On heavily infected systems, especially when backdoors or rootkits are involved, a helper may advise reinstalling the system.
• In the end it is always the user who decides.


Vista and Win7 users:

Always run all programs and tools we ask for by right-clicking them and choosing Run as administrator.

Step 1

ComboFix may only be run when a qualified helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning the infection even harder.

Download ComboFix from one of the links listed below. You must rename it before saving it to the desktop. Save ComboFix to your desktop.

BleepingComputer
ForoSpyware

**NB: It is important that ComboFix.exe is saved on the desktop**

• Disable your anti-virus and anti-spyware programs. Normally you can do this by right-clicking the system tray icon. Otherwise these programs might interfere with our tools while they work.
• Double-click ComboFix.exe and follow the prompts.
• When ComboFix is finished, it will create a log for you.
• Please post the contents of C:\ComboFix.txt here in the thread.
05.12.2010, 22:34
...new here

Thread starter

Posts: 8
#5 Hi Swiss,

I tried to carry out the above steps, but without success :-(
The program ran through to step 50, then it wanted to delete the following files:

on drive C: autorun.inf and on drive E: installer.exe

At that point my computer hung, and I could only boot it again with the help of Startup Repair, i.e. the computer reset itself to the last system restore point.

What should I do now?

P.S. I received the following errors before the ComboFix program ran.

Antivir and Spybot were still active, although I had deactivated both beforehand.

Thanks for your help
Lars
06.12.2010, 19:57
Moderator

Posts: 5694
#6 Step 1

Fix with OTL

• Please start OTL.exe.
Vista and Win7 users: right-click and "Run as administrator"
• Now copy the following content into the text box.

Code

:OTL
O33 - MountPoints2\{081f27a7-822f-11dd-b6e6-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{7b369c10-75ec-11df-9443-0019dbf18dba}\Shell - "" = AutoRun
O33 - MountPoints2\{7b369c10-75ec-11df-9443-0019dbf18dba}\Shell\AutoRun\command - "" = D:\Install.exe -- File not found
O33 - MountPoints2\{849f9fd3-f537-11dc-98c0-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{849f9fd3-f537-11dc-98c0-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Setup.exe -- File not found
O33 - MountPoints2\{b39fc089-9724-11df-af36-0019dbf18dba}\Shell - "" = AutoRun
O33 - MountPoints2\{b39fc089-9724-11df-af36-0019dbf18dba}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{e24414b4-2301-11df-9a14-0019dbf18dba}\Shell\AutoRun\command - "" = I:\installer.exe -- File not found
O33 - MountPoints2\{f32cf695-c643-11de-a8c4-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{f32cf6b0-c643-11de-a8c4-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
:Commands
[purity]
[emptytemp]
• Now please close all programs.
• Now please click the Fix button.
OTL may request a restart. Please allow it.
• After the restart you will find a text document on your desktop.
(Also found under C:\_OTL\MovedFiles\<time_date>.txt)
Now copy its contents here into your thread

Step 2

Try Combofix again.
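The O33 lines in the moderator's fix are OTL's listing of HKCU MountPoints2 autorun handlers: one AutoRun\command value per removable-volume GUID, each pointing at an executable on a drive letter that is no longer present ("File not found"). Such leftovers are what the autorun.inf and installer.exe finds on drives C: and E: in post #5 would have seeded. The following Python script is an added example (not OTL's code and not part of this thread): it parses O33 lines of exactly the format shown above, flags the volume GUIDs whose AutoRun command target is missing, and assembles the corresponding OTL fix block the way the moderator did. The sample input is the ten lines from the fix above, embedded as a constructed string; the regular expression assumes OTL's "-- File not found" suffix as it appears on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the O33 lines from the OTL fix in post #6, verbatim.
SAMPLE_O33 = r"""
O33 - MountPoints2\{081f27a7-822f-11dd-b6e6-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{7b369c10-75ec-11df-9443-0019dbf18dba}\Shell - "" = AutoRun
O33 - MountPoints2\{7b369c10-75ec-11df-9443-0019dbf18dba}\Shell\AutoRun\command - "" = D:\Install.exe -- File not found
O33 - MountPoints2\{849f9fd3-f537-11dc-98c0-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{849f9fd3-f537-11dc-98c0-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Setup.exe -- File not found
O33 - MountPoints2\{b39fc089-9724-11df-af36-0019dbf18dba}\Shell - "" = AutoRun
O33 - MountPoints2\{b39fc089-9724-11df-af36-0019dbf18dba}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{e24414b4-2301-11df-9a14-0019dbf18dba}\Shell\AutoRun\command - "" = I:\installer.exe -- File not found
O33 - MountPoints2\{f32cf695-c643-11de-a8c4-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{f32cf6b0-c643-11de-a8c4-0019dbf18dba}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe -- File not found
"""

# One OTL O33 line: the MountPoints2 volume GUID, the subkey under it
# (Shell or Shell\AutoRun\command), the value, and an optional
# "-- File not found" marker. Format assumed from the log lines on this page.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]+)\}\\(?P<subkey>[^ ]+) - "" = '
    r'(?P<value>.*?)(?P<missing> -- File not found)?$'
)


@dataclass
class Entry:
    guid: str      # volume GUID under MountPoints2
    subkey: str    # "Shell" or "Shell\AutoRun\command"
    value: str     # "AutoRun" or the command line, e.g. D:\Install.exe
    missing: bool  # OTL reported the command target as not found
    raw: str       # the original log line (OTL fixes take these verbatim)


def parse_o33(text: str) -> List[Entry]:
    """Parse every O33 line in an OTL log excerpt; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("O33 - "):
            continue
        m = O33_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised O33 line: {line}")
        entries.append(Entry(
            guid=m["guid"], subkey=m["subkey"], value=m["value"],
            missing=m["missing"] is not None, raw=line))
    return entries


def stale_autorun_entries(entries: List[Entry]) -> List[Entry]:
    """AutoRun commands whose target is gone, plus the bare Shell=AutoRun
    default of the same volume GUID, which is useless without the command."""
    stale_guids = {e.guid for e in entries
                   if e.subkey.endswith(r"AutoRun\command") and e.missing}
    return [e for e in entries if e.guid in stale_guids]


def drive_letters(entries: List[Entry]) -> List[str]:
    """Drive letters the autorun commands point at (removable media history)."""
    return sorted({e.value[0] for e in entries
                   if e.subkey.endswith(r"AutoRun\command")})


def build_otl_fix(entries: List[Entry]) -> str:
    """Assemble an OTL fix script: the stale O33 lines verbatim between the
    :OTL and :Commands sections, with the same cleanup commands used above."""
    lines = [":OTL"] + [e.raw for e in stale_autorun_entries(entries)]
    lines += [":Commands", "[purity]", "[emptytemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_o33(SAMPLE_O33)
    print(f"{len(parsed)} O33 entries, autorun targets on drives "
          f"{', '.join(drive_letters(parsed))}")
    print(build_otl_fix(parsed))
```

On this sample every GUID has a missing command target, so the generated fix contains all ten lines, matching the moderator's script; on a log where some AutoRun commands still resolve, only the GUIDs with missing targets would be listed.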
06.12.2010, 20:41
...new here

Thread starter

Posts: 8
#7 Hi,

I think I messed up.

When I ran OTL.exe I forgot that another user was still logged in.

OTL.exe then hung at some point ("OTL is not responding - close program?"). After a cold start the system booted again and the following file was created under the path mentioned above.

Files\Folders moved on Reboot...
C:\Users\Krümel\AppData\Local\Temp\ppcrlui_4688_2 moved successfully.
C:\Users\Krümel\AppData\Local\Mozilla\Firefox\Profiles\1f7e80c8.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Krümel\AppData\Local\Mozilla\Firefox\Profiles\1f7e80c8.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Krümel\AppData\Local\Mozilla\Firefox\Profiles\1f7e80c8.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Krümel\AppData\Local\Mozilla\Firefox\Profiles\1f7e80c8.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Krümel\AppData\Local\Mozilla\Firefox\Profiles\1f7e80c8.default\urlclassifier3.sqlite moved successfully.
C:\Users\Krümel\AppData\Local\Mozilla\Firefox\Profiles\1f7e80c8.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

I then thought I would repeat the process without any other programs running, but OTL hung right away.

On my desktop I now have two files "desktop.ini" which are slightly transparent - what do I do with those?

I have not tried Combofix again yet, since I had better wait for an "ok".

Thank you very much for your patience with me.
Lars
07.12.2010, 17:09
Moderator

Posts: 5694
#8 Go ahead and try Combofix again anyway
07.12.2010, 19:42
...new here

Thread starter

Posts: 8
#9 Hi Swiss,

so now it seems to have worked:

Can you also tell me what I should do with these two Desktop.ini files on my desktop?

Code

ComboFix 10-12-02.06 - Lars der alte Sack 07.12.2010  19:20:34.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.2047.1098 [GMT 1:00]
ausgeführt von:: c:\users\Lars der alte Sack\Desktop\Combo-Fix.exe
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows-Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf

.
(((((((((((((((((((((((   Dateien erstellt von 2010-11-07 bis 2010-12-07  ))))))))))))))))))))))))))))))
.

2010-12-07 18:30 . 2010-12-07 18:30    --------    d-----w-    c:\users\Lars der alte Sack\AppData\Local\temp
2010-12-07 18:30 . 2010-12-07 18:30    --------    d-----w-    c:\users\Krümel\AppData\Local\temp
2010-12-07 18:30 . 2010-12-07 18:30    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-12-07 17:02 . 2010-11-10 04:33    6273872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FF05E49-1503-4BDD-AD61-505862488326}\mpengine.dll
2010-12-06 19:15 . 2010-12-06 19:15    --------    d-----w-    C:\_OTL
2010-12-05 21:06 . 2010-12-05 21:15    --------    d-----w-    c:\users\Lars der alte Sack\AppData\Local\Temp(7)
2010-12-05 21:06 . 2010-12-05 21:06    --------    d-----w-    c:\users\Krümel\AppData\Local\Temp(5)
2010-12-05 20:45 . 2010-12-05 21:10    --------    d-----w-    C:\Combo-Fix
2010-12-05 13:30 . 2010-12-05 21:22    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2010-12-05 10:47 . 2010-12-05 10:47    --------    d-----w-    c:\users\Lars der alte Sack\AppData\Roaming\Malwarebytes
2010-12-05 10:47 . 2010-11-29 16:42    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 10:47 . 2010-12-05 10:47    --------    d-----w-    c:\programdata\Malwarebytes
2010-12-05 10:47 . 2010-12-05 13:15    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-12-05 10:47 . 2010-11-29 16:42    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-23 06:12 . 2009-03-21 10:57    61960    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2010-11-15 15:42 . 2009-03-21 10:57    126856    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2010-10-19 09:41 . 2009-10-02 16:15    222080    ------w-    c:\windows\system32\MpSigStub.exe
2010-09-15 02:50 . 2010-10-11 20:14    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 16:43    8147456    ----a-w-    c:\windows\system32\wmploc.DLL
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="e:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-10 4431872]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2007-03-15 32768]
"BsMnt"="c:\windows\BisonCam\BsMnt.exe" [2007-03-15 172032]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Skytel"="Skytel.exe" [2007-04-04 1822720]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-28 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-28 81920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-15 281768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-03 1168264]
"UIExec"="c:\program files\Join Air\UIExec.exe" [2009-08-31 132608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 UI Assistant Service;UI Assistant Service;c:\program files\Join Air\AssistantServices.exe [2009-08-31 241664]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [x]
R3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [x]
R3 fwrnusb;fwrnusb;c:\windows\system32\DRIVERS\fwrnusb.sys [2006-01-30 23552]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-22 9728]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S0 iaNvStor;Intel(R) Turbo Memory  Technology NAND Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-03-10 210432]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-02 35712]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-15 135336]
S2 SBSDWSCService;SBSD Security Center Service;e:\spybot - search & destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-01-21 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]


--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    REG_MULTI_SZ       BthServ
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08
.
Inhalt des "geplante Tasks" Ordners

2010-12-06 c:\windows\Tasks\User_Feed_Synchronization-{11408962-BBD5-45CA-BD2B-B086CD03B0A3}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]

2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{548B19B7-8F20-43B4-BE54-EBFBE33A5C18}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.msi.com.tw
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft E&xel exportieren
FF - ProfilePath - c:\users\Lars der alte Sack\AppData\Roaming\Mozilla\Firefox\Profiles\8gb9by2s.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\innoPlus\Rundum-Betrachter-innoPlus\npirsviewer.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Lars der alte Sack\AppData\Roaming\Mozilla\Firefox\Profiles\8gb9by2s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-07 19:30
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-12-07  19:34:14
ComboFix-quarantined-files.txt  2010-12-07 18:34

Vor Suchlauf: 8.757.567.488 Bytes frei
Nach Suchlauf: 8.577.359.872 Bytes frei

- - End Of File - - 66BC50C978C8F69B7DCCF8D0CEF76E96
07.12.2010, 20:12
Moderator

Posts: 5694
#10 Are you still being redirected?

Do the following once and check whether the Desktop.ini files are still present:
http://www.hijackthis-forum.de/tipps-tricks/30790-dateien-sichtbar-machen.html#post254628
07.12.2010, 21:00
...new here

Thread starter

Posts: 8
#11 Hi,

I have now opened various pages and it seems to be working.

The desktop files have also disappeared again after I unchecked the boxes.

The only thing that still really annoys me is that the computer now takes even longer to boot.

Do you perhaps have another tip on what I can do about that?

Thank you very much for your help
Lars
07.12.2010, 21:21
Moderator

Posts: 5694
#12 Step 1

Uninstall Combofix

Before the following action, please again temporarily disable your antivirus program, any script blocking you may have (Norton) and anti-malware programs.

Start => Run (on Vista: Windows key + R) => type Combo-Fix.exe /uninstall there => press Enter - this removes Combofix completely and empties the System Restore cache, so that the malware disappears from there too. A new system restore point is created. At the same time Combofix resets the time settings to their original values and resets the system settings so that file extensions and system files are hidden again, which you can change back in Explorer under Tools => Folder Options if needed, or adjust to your personal preferences.

Step 2

Tool cleanup with OTL

We will now use the CleanUp! function of OTL to delete most of the programs we installed for the cleaning from your system again.
• Please download OTL from OldTimer (if not already present).
Save it to your desktop.
• Double-click OTL.exe to run the program.
Vista and Windows 7 users: right-click OTL.exe and choose "Run as administrator".
• Click the "CleanUp" button
• OTL may ask for a restart.
If it does, please allow it.
Note: After the restart, OTL and the other helper programs you downloaded during the cleaning will no longer be present. They have been removed. So it is OK if these programs are no longer there. If any are left over, delete them manually.

Step 3

Install and configure CCleaner
Download and install CCleaner (Slim, without toolbar).
• Start CCleaner and => under Options, Settings => set the language to German.
• Go to the "Cleaner" button at the top left => "Windows" tab
set the check marks as follows:
all except "Run (in Start Menu)", and under
Advanced only tick "Old Prefetch data" and "Custom Files and Folders".
• Switch to the "Applications" tab,
there tick everything except, under Firefox/Mozilla (if present), "Saved
Form Information".

Step 4

Clean the registry with CCleaner

Go to the "Options" button on the left and check whether, under "Advanced", the box
"Show prompt to backup registry issues" is ticked; if not, please tick it.
To clean the registry, click "Registry" on the left, tick all boxes and start the scan
at the bottom with the "Scan for Issues" button. You can have the issues found removed with the
"Fix selected issues" button. Repeat this process until no more issues
are found. Restart the computer. Let us know here how many issues
were cleaned.
08.12.2010, 22:29
...new here

Thread starter

Posts: 8
#13 Hi Swiss,

I went through all 4 points successfully and 1860 issues were cleaned (1854 + 6).

1. Should I already notice an improvement now? If so, unfortunately that is not the case.

2. I had the cleaned issues saved. Can I delete these files or should one always keep them?

Thank you
Lars

P.S. Info for those reading along:
In step 1 I had to paste in "combofix /uninstall"
09.12.2010, 19:00
Moderator

Posts: 5694
#14 Yes, you can delete the issues.

It may also be that 2 GB RAM is a bit too little.

The logs are clean.