|
gabiza7
offline
OC Profi
14 Jahre dabei !
AMD Athlon II
2700 MHz @ 3700 MHz
46°C mit 1.475 Volt
|
     
Vor wenigen Tagen haben wir einen netten Brief von der Telekom erhalten, dass auf einem Rechner bei uns im Netzwerk der ZeroAccess wütet.
Jetzt habe ich mal meinen Rechner gecheckt (mit der DE-Cleaner Rettungs-CD von Avira) und prompt wurden gleich acht Schädlinge gefunden und sieben auf meiner externen Platte. Soweit ich das sehen kann, stecken die Schädlinge laut dem DE-Cleaner aber ausschließlich in Android-ROMs und Tools wie dem OneClickRoot-Tool. Jetzt frage ich mich halt, ob sich da wirklich ein Schädling in den Dateien steckt oder ob die nur fälschlicherweise als solche erkannt werden. Lade mir die ROMs und Co. grundsätzlich immer von den offiziellen Quellen runter, wie z.B. von der AOKP-Seite, sourceforge.net oder bei xda-developers. Habe mal Screens vom Scanergebnis verlinkt (leider nur abfotografiert):
Auf einem WG-Rechner, den ich mir noch angeguckt habe, konnte ich mit der üblichen Software wie dem Windows Tool zum Erkennen bösartiger Software, dem EU Cleaner oder dem Scanner von Malwarebytes jetzt erstmal nichts Schlimmes finden. Etwas seltsam finde ich nur, dass sich die DE-Cleaner Rettungs-CD partout nicht von dem Rechner aus booten lässt. Weiß jemand, ob sich ZeroAccess und Derivate ins BIOS/im Rechner einnisten kann, dass er das Booten von solchen Rettungs-CDs unterbinden kann? Dann habe ich auf beiden Rechnern noch GMER drüberlaufen lassen (den kompletten Scan, nicht den Quick Scan). Leider weiß ich nicht, was mir die log-Files sagen sollen. Wäre daher echt sehr nett, wenn sich die jemand angucken könnte, der/die Ahnung hat.
GMER-Log meines Rechners:
CodeGMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-30 23:13:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-60ZF5A0 rev.80.00A80 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\andrea\AppData\Local\Temp\pxldipow.sys
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\wininit.exe[604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\winlogon.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text C:\Windows\System32\svchost.exe[296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\AUDIODG.EXE[1088] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\servicing\TrustedInstaller.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1272] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\System32\spoolsv.exe[1476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1604] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 000000010037075c
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001003703a4
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 0000000100370b14
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 0000000100370ecc
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 000000010037163c
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 0000000100371284
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001003719f4
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 000000010027075c
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001002703a4
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 0000000100270b14
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 0000000100270ecc
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 000000010027163c
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 0000000100271284
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001002719f4
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\SearchIndexer.exe[2252] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\SearchProtocolHost.exe[2072] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 00000001001b075c
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001001b03a4
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 00000001001b0b14
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 00000001001b0ecc
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 00000001001b163c
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 00000001001b1284
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001001b19f4
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\SearchFilterHost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 000000010041075c
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001004103a4
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 0000000100410b14
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 0000000100410ecc
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 000000010041163c
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 0000000100411284
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001004119f4
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2824] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 000000010025075c
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001002503a4
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 0000000100250b14
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 0000000100250ecc
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 000000010025163c
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 0000000100251284
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001002519f4
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\nvvsvc.exe[1584] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 00000001002b075c
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001002b03a4
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 00000001002b0b14
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 00000001002b0ecc
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 00000001002b163c
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 00000001002b1284
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001002b19f4
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 00000001001e075c
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001001e03a4
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 00000001001e0b14
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 00000001001e0ecc
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 00000001001e163c
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 00000001001e1284
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001001e19f4
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\taskhost.exe[3044] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 00000001002d075c
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001002d03a4
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 00000001002d0b14
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 00000001002d0ecc
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 00000001002d163c
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 00000001002d1284
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001002d19f4
.text C:\Windows\Explorer.EXE[2532] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\Explorer.EXE[2532] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 00000001004c075c
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001004c03a4
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 00000001004c0b14
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 00000001004c0ecc
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 00000001004c163c
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 00000001004c1284
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001004c19f4
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3344] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 000000010012075c
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001001203a4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 0000000100120b14
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 0000000100120ecc
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 000000010012163c
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 0000000100121284
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001001219f4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Program Files\Windows Sidebar\sidebar.exe[3508] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 00000001002c075c
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001002c03a4
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 00000001002c0b14
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 00000001002c0ecc
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 00000001002c163c
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 00000001002c1284
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001002c19f4
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfac0 5 bytes JMP 0000000100030600
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb58 5 bytes JMP 0000000100030804
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcb0 5 bytes JMP 0000000100030c0c
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0038 5 bytes JMP 0000000100030a08
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1920 5 bytes JMP 0000000100030e10
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ec4dd 5 bytes JMP 00000001000301f8
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774f1287 5 bytes JMP 00000001000303fc
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100141014
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100140804
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100140a08
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100140c0c
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100140e10
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001001401f8
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001001403fc
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100140600
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076eaee09 5 bytes JMP 00000001001501f8
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076eb3982 5 bytes JMP 00000001001503fc
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 0000000100150804
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076eb835c 5 bytes JMP 0000000100150600
.text D:\Programme\Kies\Kies.exe[3576] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 0000000100150a08
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000774c000c 1 byte [C3]
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfac0 5 bytes JMP 0000000100030600
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb58 5 bytes JMP 0000000100030804
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcb0 5 bytes JMP 0000000100030c0c
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0038 5 bytes JMP 0000000100030a08
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1920 5 bytes JMP 0000000100030e10
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ec4dd 5 bytes JMP 00000001000301f8
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774f1287 5 bytes JMP 00000001000303fc
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007754f8ea 5 bytes JMP 00000001774fd5c1
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100171014
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100170804
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100170a08
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100170c0c
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100170e10
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001001701f8
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001001703fc
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100170600
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076eaee09 5 bytes JMP 00000001001801f8
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076eb3982 5 bytes JMP 00000001001803fc
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 0000000100180804
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076eb835c 5 bytes JMP 0000000100180600
.text D:\Programme\Kies\External\FirmwareUpdate\KiesPDLR.exe[3684] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 0000000100180a08
.text D:\Programme\Avast\AvastUI.exe[3844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfac0 5 bytes JMP 0000000100030600
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb58 5 bytes JMP 0000000100030804
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcb0 5 bytes JMP 0000000100030c0c
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0038 5 bytes JMP 0000000100030a08
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1920 5 bytes JMP 0000000100030e10
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ec4dd 5 bytes JMP 00000001000301f8
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774f1287 5 bytes JMP 00000001000303fc
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076eaee09 5 bytes JMP 00000001002401f8
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076eb3982 5 bytes JMP 00000001002403fc
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 0000000100240804
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076eb835c 5 bytes JMP 0000000100240600
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 0000000100240a08
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001002d1014
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001002d0804
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001002d0a08
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001002d0c0c
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 00000001002d0e10
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002d01f8
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002d03fc
.text D:\Programme\PowerDVD\PowerDVD10\PDVD10Serv.exe[3872] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001002d0600
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfac0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb58 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcb0 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0038 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1920 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ec4dd 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774f1287 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076eaee09 5 bytes JMP 00000001002301f8
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076eb3982 5 bytes JMP 00000001002303fc
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 0000000100230804
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076eb835c 5 bytes JMP 0000000100230600
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 0000000100230a08
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100241014
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100240804
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100240a08
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100240c0c
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100240e10
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002401f8
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002403fc
.text C:\Program Files (x86)\Cyberlink\Shared files\brs.exe[4032] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100240600
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfac0 5 bytes JMP 0000000100030600
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb58 5 bytes JMP 0000000100030804
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcb0 5 bytes JMP 0000000100030c0c
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0038 5 bytes JMP 0000000100030a08
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1920 5 bytes JMP 0000000100030e10
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ec4dd 5 bytes JMP 00000001000301f8
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774f1287 5 bytes JMP 00000001000303fc
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076eaee09 5 bytes JMP 00000001002401f8
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076eb3982 5 bytes JMP 00000001002403fc
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 0000000100240804
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076eb835c 5 bytes JMP 0000000100240600
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 0000000100240a08
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100251014
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100250804
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100250a08
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100250c0c
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100250e10
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002501f8
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002503fc
.text D:\Programme\Kies\KiesTrayAgent.exe[4052] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100250600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772f3b10 5 bytes JMP 000000010044075c
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772f7ac0 5 bytes JMP 00000001004403a4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077321430 5 bytes JMP 0000000100440b14
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077321490 5 bytes JMP 0000000100440ecc
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077321570 5 bytes JMP 000000010044163c
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773217b0 5 bytes JMP 0000000100441284
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773227e0 5 bytes JMP 00000001004419f4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2984] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\System32\WUDFHost.exe[2592] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774cfac0 5 bytes JMP 0000000100030600
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774cfb58 5 bytes JMP 0000000100030804
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774cfcb0 5 bytes JMP 0000000100030c0c
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774d0038 5 bytes JMP 0000000100030a08
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000774d1920 5 bytes JMP 0000000100030e10
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ec4dd 5 bytes JMP 00000001000301f8
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774f1287 5 bytes JMP 00000001000303fc
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007615a2ba 1 byte [62]
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100241014
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100240804
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100240a08
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100240c0c
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100240e10
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002401f8
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002403fc
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100240600
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076eaee09 5 bytes JMP 00000001002501f8
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076eb3982 5 bytes JMP 00000001002503fc
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 0000000100250804
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076eb835c 5 bytes JMP 0000000100250600
.text F:\Antivirus\gmer_2.1.19163.exe[788] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 0000000100250a08
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007710eecd 1 byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe046e00 5 bytes JMP 000007ff7e061dac
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe046f2c 5 bytes JMP 000007ff7e060ecc
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe047220 5 bytes JMP 000007ff7e061284
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe04739c 5 bytes JMP 000007ff7e06163c
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe047538 5 bytes JMP 000007ff7e0619f4
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe0475e8 5 bytes JMP 000007ff7e0603a4
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe04790c 5 bytes JMP 000007ff7e06075c
.text C:\Windows\system32\wbem\wmiprvse.exe[2580] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe047ab4 5 bytes JMP 000007ff7e060b14
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 44
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 210735
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\D:\Programme\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\D:\Programme\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "D:\Programme\Avast\AvastSvc.exe"
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS?
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Verwaltet und implementiert avast! Antivirus-Dienste f?r diesen Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus-Container und den Planer.
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip?
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 44
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 210735
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\D:\Programme\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\D:\Programme\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip?
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "D:\Programme\Avast\AvastSvc.exe"
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS?
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Verwaltet und implementiert avast! Antivirus-Dienste f?r diesen Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus-Container und den Planer.
---- EOF - GMER 2.1 ---- |
|
Beiträge gesamt: 933 | Durchschnitt: 0 Postings pro Tag
Registrierung: Feb. 2010 | Dabei seit: 5403 Tagen | Erstellt: 20:47 am 1. Okt. 2013
|
|
gabiza7
offline
OC Profi
14 Jahre dabei !
AMD Athlon II
2700 MHz @ 3700 MHz
46°C mit 1.475 Volt
|
Hier der Log des zweiten Rechners, der für mich nach etwas Recherche so aussieht, als wäre da was. Was meint ihr?
CodeGMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-29 18:10:31
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9 MAXTOR_STM3320820AS rev.3.AAE 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\DOKUME~1\ROSENK~1\LOKALE~1\Temp\kwedaaob.sys
---- System - GMER 2.1 ----
SSDT 89714320 ZwAlertResumeThread
SSDT 897742E0 ZwAlertThread
SSDT 8A108328 ZwAllocateVirtualMemory
SSDT 8A00FE10 ZwAssignProcessToJobObject
SSDT 8A202F18 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xB4500ED0]
SSDT 897402D0 ZwCreateMutant
SSDT 89F913D0 ZwCreateSymbolicLinkObject
SSDT 8977B880 ZwCreateThread
SSDT 8A00FE88 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xB4501150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xB4501810]
SSDT 8A05B310 ZwDuplicateObject
SSDT 897242D0 ZwFreeVirtualMemory
SSDT 897412C0 ZwImpersonateAnonymousToken
SSDT 89714288 ZwImpersonateThread
SSDT 8A150168 ZwLoadDriver
SSDT 89775300 ZwMapViewOfSection
SSDT 89772320 ZwOpenEvent
SSDT 8A1E0860 ZwOpenProcess
SSDT 89F9D310 ZwOpenProcessToken
SSDT 8A15A390 ZwOpenSection
SSDT 8A10FDF0 ZwOpenThread
SSDT 89744198 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xB4501D70]
SSDT 897222A8 ZwResumeThread
SSDT 897212C0 ZwSetContextThread
SSDT 89776298 ZwSetInformationProcess
SSDT 8977D2E0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xB4501A90]
SSDT 89772288 ZwSuspendProcess
SSDT 89722320 ZwSuspendThread
SSDT 89713658 ZwTerminateProcess
SSDT 8977C2E0 ZwTerminateThread
SSDT 89776320 ZwUnmapViewOfSection
SSDT 897232D0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
? SYMDS.SYS Das System kann die angegebene Datei nicht finden. !
? SYMEFA.SYS Das System kann die angegebene Datei nicht finden. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6F8A3C0, 0x95B7EA, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text F:\gmer_2.1.19163.exe[932] ntdll.dll!NtMapViewOfSection 7C91D51E 5 Bytes JMP 003B0048
.text F:\gmer_2.1.19163.exe[932] ntdll.dll!NtTerminateThread 7C91DE7E 5 Bytes JMP 00370050
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!OpenSCManagerW + A3 77DB6FF8 7 Bytes JMP 003B020E
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!LogonUserExW + 461 77DC4A04 7 Bytes JMP 003B012A
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!SystemFunction025 + 8D 77DC4C61 7 Bytes JMP 003B0682
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E06E64 7 Bytes JMP 003B059E
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!ChangeServiceConfigA + 193 77E06FFC 7 Bytes JMP 003B03D6
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E0720C 2 Bytes JMP 003B02F2
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E0720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC }
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!CreateServiceA + 193 77E073A4 7 Bytes JMP 003B04BA
.text F:\gmer_2.1.19163.exe[932] ADVAPI32.dll!CreateServiceW + 103 77E074AC 7 Bytes JMP 003B0766
.text F:\gmer_2.1.19163.exe[932] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 003B092C
.text F:\gmer_2.1.19163.exe[932] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003B084A
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
---- Files - GMER 2.1 ----
File D:\System Volume Information\_restore{8C277329-7B23-4C5D-8D07-0A5CCADB07AE}\RP678 0 bytes
File D:\System Volume Information\_restore{8C277329-7B23-4C5D-8D07-0A5CCADB07AE}\RP678\change.log 658 bytes
---- EOF - GMER 2.1 ---- |
Mist, ganz schön lang, sorry. Lässt sich das spoilern?
(Geändert von gabiza7 um 21:02 am Okt. 1, 2013)
|
Beiträge gesamt: 933 | Durchschnitt: 0 Postings pro Tag
Registrierung: Feb. 2010 | Dabei seit: 5403 Tagen | Erstellt: 20:50 am 1. Okt. 2013
|
|
|
|
|
|
