|
|||||||
| Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
 |
|
|
Topic Tools |
|
#1
August 21st, 2014, 10:27 PM
|
|||
|
|||
|
Windows 7 Ultimate PC sluggish
Hi.
I am also getting warnings that firewall and antivirus are turned off when they are both enabled. The pc is really slow to load anything. I suspect some sort of virus or system problem. Could you help with it please. Thanks Jon 
|
|
#2
August 21st, 2014, 11:32 PM
|
||||
|
||||
|
Hello jonboy123,
Let's take a look. The system is Windows 7, so when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool. And To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types" To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed. ------- Download RogueKiller from here to your desktop. Close all open programs Remember to right click -> run as administrator, and click the downloaded file. Wen RogueKiller finises it's opening scan, press the Scan button.. A RKreport.txt will be created in the same location as the RogueKiller file. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again. Please post the contents of the RKreport.txt. ----------- Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.
|
|
#3
August 22nd, 2014, 11:03 AM
|
|||
|
|||
|
Windows 7 Ultimate PC sluggish
Hi Tom.
Here is the Roguekiller log. I tried to post it using quick reply but it doesn't seem to have gone so did another one. Had to rename it to winlog.exe though to get it to work. It seems to have deleted itself from the desktop also which is wierd? RogueKiller V9.2.8.0 [Jul 11 2014] by Adlice Software mail : http://www.adlice.com/contact/ Feedback : http://forum.adlice.com Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://www.adlice.com Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : Jon [Admin rights] Mode : Scan -- Date : 08/22/2014 10:09:16 ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 21 ¤¤¤ [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\{83B65331-1D99-42AF-A739-4AA4B4DC3BC4} | DhcpNameServer : 172.20.10.1 -> FOUND [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\T cpip\Parameters\Interfaces\{83B65331-1D99-42AF-A739-4AA4B4DC3BC4} | DhcpNameServer : 172.20.10.1 -> FOUND [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\T cpip\Parameters\Interfaces\{83B65331-1D99-42AF-A739-4AA4B4DC3BC4} | DhcpNameServer : 172.20.10.1 -> FOUND [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3285714031-64123788-3120992467-1001\Software\Microsoft\Windows\CurrentVersion\Pol icies\System | disableregistrytools : 0 -> FOUND [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3285714031-64123788-3120992467-1001\Software\Microsoft\Windows\CurrentVersion\Pol icies\System | disableregistrytools : 0 -> FOUND [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\System | DisableRegistryTools : 0 -> FOUND [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\System | DisableRegistryTools : 0 -> FOUND [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND [PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> FOUND [PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> FOUND [PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> FOUND [PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> FOUND [PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> FOUND [PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> FOUND [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3285714031-64123788-3120992467-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> FOUND [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3285714031-64123788-3120992467-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> FOUND [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll? prd=ie&ar=iesearch -> FOUND [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> FOUND ¤¤¤ Scheduled tasks : 1 ¤¤¤ [Suspicious.Path] \\Test TimeTrigger -- C:\Users\Jon\AppData\Local\Temp\Runner.exe (C:\Users\Jon\AppData\Local\Temp\DNS.exe) -> FOUND ¤¤¤ Files : 0 ¤¤¤ ¤¤¤ HOSTS File : 1 ¤¤¤ [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost ¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤ Here is the OTL log: OTL logfile created on: 22/08/2014 10:28:45 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Jon\Desktop 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.11.9600.17239) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 3.25 Gb Total Physical Memory | 0.78 Gb Available Physical Memory | 24.06% Memory free 6.49 Gb Paging File | 4.23 Gb Available in Paging File | 65.09% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 465.75 Gb Total Space | 147.64 Gb Free Space | 31.70% Space Free | Partition Type: NTFS Computer Name: JON-PC | User Name: Jon | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2014/08/22 09:02:48 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe PRC - [2014/08/15 19:47:50 | 036,414,752 | ---- | M] (Dropbox, Inc.) -- C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe PRC - [2014/08/07 04:20:57 | 000,860,488 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe PRC - [2014/07/31 12:26:24 | 004,085,896 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\avastui.exe PRC - [2014/07/14 18:21:46 | 001,390,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdate Svc.exe PRC - [2014/07/14 18:21:06 | 001,767,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe PRC - [2014/07/14 07:45:42 | 000,050,344 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe PRC - [2014/06/23 12:15:28 | 002,640,152 | ---- | M] (Trusteer Ltd.) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe PRC - [2014/06/23 12:15:28 | 001,886,488 | ---- | M] (Trusteer Ltd.) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe PRC - [2014/06/06 11:27:16 | 000,064,384 | ---- | M] (Google) -- C:\Users\Jon\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe PRC - [2013/12/18 19:42:32 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012/07/13 17:27:00 | 000,769,432 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Update\NASvc.exe ========== Modules (No Company Name) ========== MOD - [2014/08/22 08:18:13 | 000,043,008 | ---- | M] () -- c:\Users\Jon\AppData\Local\Temp\dropbox_sqlite_ext .{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpnqwp_d.dll MOD - [2014/08/15 19:46:08 | 003,610,624 | ---- | M] () -- C:\Users\Jon\AppData\Roaming\Dropbox\bin\wxmsw28uh _vc.dll MOD - [2014/08/07 04:20:55 | 000,353,096 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ppgo oglenaclpluginchrome.dll MOD - [2014/08/07 04:20:53 | 008,537,928 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\pdf. dll MOD - [2014/08/07 04:20:49 | 000,718,152 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libg lesv2.dll MOD - [2014/08/07 04:20:47 | 000,126,280 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libe gl.dll MOD - [2014/08/07 04:20:46 | 001,732,936 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ffmp egsumo.dll MOD - [2014/07/14 07:45:47 | 019,329,904 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\libcef.dll MOD - [2014/07/14 07:45:44 | 000,301,152 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\aswProperty.dll MOD - [2014/06/30 12:24:56 | 001,404,120 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\Rapport MS\baseline\RapportMS.dll MOD - [2014/03/23 17:04:20 | 000,557,056 | ---- | M] () -- C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll MOD - [2014/01/20 14:17:04 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2014/01/20 14:16:38 | 001,044,808 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll MOD - [2013/08/23 20:01:44 | 025,100,288 | ---- | M] () -- C:\Users\Jon\AppData\Roaming\Dropbox\bin\libcef.dl l ========== Services (SafeList) ========== SRV:64bit: - [2014/07/25 14:00:25 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService) SRV:64bit: - [2014/07/14 07:45:42 | 000,050,344 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus) SRV:64bit: - [2013/05/27 06:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV:64bit: - [2011/04/20 02:04:20 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2009/12/21 10:44:06 | 000,535,552 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Windows\SysNative\HFGService.dll -- (HFGService) SRV:64bit: - [2009/07/14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2014/08/07 08:52:52 | 000,438,616 | ---- | M] (Garmin Ltd or its subsidiaries) [Auto | Stopped] -- C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.e xe -- (Garmin Core Update Service) SRV - [2014/07/14 18:21:46 | 001,390,176 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdate Svc.exe -- (c2cautoupdatesvc) SRV - [2014/07/14 18:21:06 | 001,767,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe -- (c2cpnrsvc) SRV - [2014/07/10 03:22:27 | 000,262,320 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpda teService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2014/06/23 12:15:28 | 001,886,488 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService) SRV - [2014/03/20 23:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\msco rsvw.exe -- (clr_optimization_v2.0.50727_32) SRV - [2013/12/18 19:42:32 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2013/12/16 21:31:34 | 000,443,080 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\GSService.exe -- (GSService) SRV - [2013/10/23 09:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2013/09/11 22:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msco rsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2012/07/13 17:27:00 | 000,769,432 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate) ========== Driver Services (SafeList) ========== DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard) DRV:64bit: - [2014/07/14 07:46:35 | 000,427,360 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswsp.sys -- (aswSP) DRV:64bit: - [2014/07/14 07:45:53 | 000,092,008 | ---- | M] (AVAST Software) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswstm.sys -- (aswStm) DRV:64bit: - [2014/07/14 07:45:52 | 001,041,168 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswsnx.sys -- (aswSnx) DRV:64bit: - [2014/07/14 07:45:52 | 000,224,896 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm) DRV:64bit: - [2014/07/14 07:45:52 | 000,079,184 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt) DRV:64bit: - [2014/07/14 07:45:52 | 000,065,776 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt) DRV:64bit: - [2014/07/14 07:45:52 | 000,029,208 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswHwid.sys -- (aswHwid) DRV:64bit: - [2014/07/14 07:45:51 | 000,093,568 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr) DRV:64bit: - [2014/06/23 12:15:38 | 000,358,616 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\RapportKE64.sys -- (RapportKE64) DRV:64bit: - [2014/01/23 04:21:06 | 000,206,080 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm) DRV:64bit: - [2014/01/23 04:21:06 | 000,108,800 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus) DRV:64bit: - [2013/10/02 03:22:20 | 000,056,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2013/07/25 16:53:46 | 000,023,040 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netaapl64.sys -- (Netaapl) DRV:64bit: - [2013/06/21 01:07:50 | 000,188,232 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdmdm.sys -- (sscdmdm) DRV:64bit: - [2013/06/21 01:07:50 | 000,169,288 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdbus.sys -- (sscdbus) DRV:64bit: - [2013/06/21 01:07:50 | 000,021,320 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdmdfl.sys -- (sscdmdfl) DRV:64bit: - [2013/02/06 07:25:22 | 000,032,064 | ---- | M] (Jaksta Technologies Pty Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\jakndis.sys -- (jakndis) DRV:64bit: - [2012/12/13 14:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64) DRV:64bit: - [2012/08/23 15:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV:64bit: - [2012/07/03 17:21:52 | 000,019,600 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswKbd.sys -- (aswKbd) DRV:64bit: - [2012/03/01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag) DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2011/04/20 01:22:34 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2011/03/11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011/03/11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010/11/20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2009/12/21 10:43:36 | 000,052,224 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BthAudioHF.sys -- (BthAudioHF) DRV:64bit: - [2009/12/21 10:43:00 | 000,078,848 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bthav.sys -- (csr_a2dp) DRV:64bit: - [2009/08/13 08:38:24 | 000,029,184 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BthAvrcp.sys -- (BthAvrcp) DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009/07/14 01:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice) DRV:64bit: - [2009/07/14 01:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam) DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009/06/10 21:34:18 | 000,057,344 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C) DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009/05/14 09:26:24 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor) DRV:64bit: - [2007/12/26 03:46:26 | 000,340,992 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wg111v2.sys -- (RTL8187) DRV - [2014/08/22 10:01:05 | 000,033,512 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\SysWOW64\drivers\TrueSight.sys -- (TrueSight) DRV - [2014/06/30 12:24:48 | 000,631,128 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\Rapport Cerberus\baseline\RapportCerberus64_69108.sys -- (RapportCerberus_69108) DRV - [2014/06/23 12:15:38 | 000,414,296 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys -- (RapportPG64) DRV - [2014/06/23 12:15:38 | 000,299,736 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys -- (RapportEI64) DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) DRV - [2006/07/24 17:05:00 | 000,005,632 | ---- | M] () [File_System | System | Stopped] -- C:\Windows\SysWow64\drivers\StarOpen.sys -- (StarOpen) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us IE - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 01 29 21 B9 D0 35 CD 01 [binary data] IE - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR IE - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_ 145.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\system32\npDeployJava1.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_ 145.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Web Player Plug-In,version=1.0.0: C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC) FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.) FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.65.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.65.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@Nero.com/KM: C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@doubletwist.com/NPPodcast: C:\Program Files (x86)\Common Files\doubleTwist\NPPodcast.dll File not found FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Jon\AppData\Roaming\Mozilla\plugins\npgoo gletalk.dll (Google) FF - HKCU\Software\MozillaPlugins\@talk.google.com/O1DPlugin: C:\Users\Jon\AppData\Roaming\Mozilla\plugins\npo1d .dll (Google) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Jon\AppData\Local\Google\Update\1.3.24.15 \npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Jon\AppData\Local\Google\Update\1.3.24.15 \npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extens ions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014/07/14 07:45:57 | 000,000,000 | ---D | M] [2012/11/05 20:40:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jon\AppData\Roaming\Mozilla\Firefox\exten sions [2012/11/05 20:40:49 | 000,000,000 | ---D | M] (uTorrentControl_v2) -- C:\Users\Jon\AppData\Roaming\Mozilla\Firefox\exten sions\{7473b6bd-4691-4744-a82b-7854eb3d70b6} [2014/02/13 16:52:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions ========== Chrome ========== CHR - default_search_provider: (Enabled) CHR - default_search_provider: search_url = CHR - default_search_provider: suggest_url = CHR - homepage: http://www.google.com/ CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\Pepp erFlash\pepflashplayer.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ppGo ogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\pdf. dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: QuickTime Plug-in 7.7.4 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll CHR - plugin: QuickTime Plug-in 7.7.4 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll CHR - plugin: QuickTime Plug-in 7.7.4 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll CHR - plugin: QuickTime Plug-in 7.7.4 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll CHR - plugin: QuickTime Plug-in 7.7.4 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll CHR - plugin: Garmin Communicator Plug-In (Enabled) = C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll CHR - plugin: Java(TM) Platform SE 7 U21 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_70 0_224.dll CHR - plugin: Java Deployment Toolkit 7.0.210.11 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll CHR - Extension: Google Voice Search Hotword (Beta) = C:\Users\Jon\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmn hjmhfn\0.1.1.5023_0\ CHR - Extension: avast! Online Security = C:\Users\Jon\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegiea cbdmki\9.0.2022.121_0\ CHR - Extension: Skype Click to Call = C:\Users\Jon\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfg npldfl\7.3.16540.9015_0\ CHR - Extension: Google Wallet = C:\Users\Jon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccm gmieda\0.0.6.1_0\ O1 HOSTS File: ([2013/06/24 08:30:03 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2:64bit: - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O2:64bit: - BHO: (Skype Click to Call for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\SkypeIEPlugin.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Skype Click to Call for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found. O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found. O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software) O4 - HKU\.DEFAULT..\Run: [GarminExpressTrayApp] C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe (Garmin Ltd or its subsidiaries) O4 - HKU\S-1-5-18..\Run: [GarminExpressTrayApp] C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe (Garmin Ltd or its subsidiaries) O4 - HKU\S-1-5-21-3285714031-64123788-3120992467-1001..\Run: [FBEB048EB7CB93125BF492D79DF0C3BC4EB81112._service_ run] C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) O4 - Startup: C:\Users\Helen\AppData\Roaming\Microsoft\Windows\S tart Menu\Programs\Startup\Dropbox.lnk = C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe (Dropbox, Inc.) O4 - Startup: C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Sta rt Menu\Programs\Startup\Dropbox.lnk = C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe (Dropbox, Inc.) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: EnableLinkedConnections = 1 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3285714031-64123788-3120992467-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: DontDisplayLogonHoursWarnings = 1 O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found O8:64bit: - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found O9:64bit: - Extra Button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\SkypeIEPlugin.dll (Microsoft Corporation) O9 - Extra Button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfac es\{83B65331-1D99-42AF-A739-4AA4B4DC3BC4}: DhcpNameServer = 172.20.10.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfac es\{A6C5A978-1B40-4B4A-B30D-0897B717EBF6}: DhcpNameServer = 192.168.1.1 O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18:64bit: - Protocol\Handler\skypec2c {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\SkypeIEPlugin.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\skypec2c {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation) O18:64bit: - Protocol\Filter\text/xml - No CLSID value found O20:64bit: - AppInit_DLLs: (C:\Windows\Jaksta\AC\x64\jaudcap.dll) - C:\Windows\Jaksta\AC\x64\jaudcap.dll (Jaksta Technologies Pty Ltd) O20 - AppInit_DLLs: (C:\Windows\Jaksta\AC\x86\jaudcap.dll) - C:\Windows\Jaksta\AC\x86\jaudcap.dll (Jaksta Technologies Pty Ltd) O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2011/08/23 18:51:58 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
|
|
#4
August 22nd, 2014, 11:03 AM
|
|||
|
|||
|
Windows 7 Ultimate PC sluggish
========== Files/Folders - Created Within 30 Days ==========
[2014/08/22 09:02:50 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe [2014/08/22 08:41:24 | 000,000,000 | ---D | C] -- C:\Users\Jon\AppData\Local\CrashDumps [2014/08/22 08:30:57 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller [2014/08/21 23:05:43 | 000,099,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\infocardapi.dll [2014/08/21 23:05:41 | 001,389,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\icardagt.exe [2014/08/21 23:05:41 | 000,619,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\icardagt.exe [2014/08/21 23:05:41 | 000,171,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\infocardapi.dll [2014/08/21 23:05:26 | 000,008,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\icardres.dll [2014/08/21 23:05:26 | 000,008,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\icardres.dll [2014/08/21 23:03:07 | 000,035,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\TsWpfWrp.exe [2014/08/21 23:03:07 | 000,035,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsWpfWrp.exe [2014/08/21 22:52:41 | 000,000,000 | ---D | C] -- C:\Users\Jon\AppData\Roaming\Jaksta Media Player [2014/08/21 22:47:22 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll [2014/08/21 22:47:20 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll [2014/08/21 22:47:19 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll [2014/08/21 22:47:18 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2014/08/21 22:47:14 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll [2014/08/21 22:47:13 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll [2014/08/21 22:47:10 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll [2014/08/21 22:47:02 | 000,692,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2014/08/21 22:47:02 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2014/08/21 22:47:01 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2014/08/21 22:46:58 | 002,001,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl [2014/08/21 22:46:55 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll [2014/08/21 22:46:50 | 000,111,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe [2014/08/21 22:46:46 | 000,452,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll [2014/08/21 22:46:46 | 000,438,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2014/08/21 22:46:45 | 000,631,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2014/08/21 22:46:41 | 000,066,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2014/08/21 22:46:38 | 002,087,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl [2014/08/21 22:46:34 | 001,068,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll [2014/08/21 22:46:33 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe [2014/08/21 22:46:24 | 000,704,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll [2014/08/21 22:46:15 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MshtmlDac.dll [2014/08/21 22:46:14 | 000,164,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll [2014/08/21 22:46:07 | 000,292,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll [2014/08/21 22:46:06 | 000,598,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2014/08/21 22:46:03 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll [2014/08/21 22:46:02 | 001,249,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll [2014/08/21 22:46:01 | 000,139,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe [2014/08/21 22:46:00 | 000,758,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll [2014/08/21 22:45:58 | 005,824,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2014/08/21 22:45:57 | 000,548,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll [2014/08/21 22:45:56 | 000,846,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll [2014/08/21 22:45:49 | 000,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MshtmlDac.dll [2014/08/21 22:45:48 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll [2014/08/21 22:45:42 | 000,940,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe [2014/08/21 21:59:26 | 001,216,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rpcrt4.dll [2014/08/21 21:52:25 | 000,529,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll [2014/08/21 21:52:17 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll [2014/08/10 09:03:29 | 000,000,000 | ---D | C] -- C:\Users\Jon\AppData\Local\pangu [2014/08/10 00:08:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2014/08/10 00:05:25 | 000,000,000 | ---D | C] -- C:\Program Files\iPod [2014/08/10 00:05:24 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes [2014/08/10 00:05:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes [2014/08/10 00:05:24 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 [2014/08/02 09:01:46 | 000,058,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe [2014/08/02 09:01:46 | 000,044,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll [2014/08/02 09:01:45 | 002,620,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll [2014/08/02 09:01:17 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll [2014/08/02 09:01:17 | 000,038,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll [2014/08/02 09:01:16 | 000,092,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wudriver.dll [2014/08/02 09:01:15 | 000,700,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll [2014/08/02 09:01:15 | 000,581,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapi.dll [2014/08/02 09:01:14 | 000,036,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wups.dll [2014/08/02 09:00:34 | 000,179,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuwebv.dll [2014/08/02 09:00:33 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapp.exe [2014/08/02 09:00:32 | 000,198,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll [2014/08/02 09:00:31 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] [2 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2014/08/22 10:31:10 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2014/08/22 10:29:02 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3285714031-64123788-3120992467-1001UA.job [2014/08/22 10:22:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2014/08/22 10:01:05 | 000,033,512 | ---- | M] () -- C:\Windows\SysWow64\drivers\TrueSight.sys [2014/08/22 09:02:48 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe [2014/08/22 08:30:02 | 004,851,288 | ---- | M] () -- C:\Users\Jon\Desktop\winlog.exe [2014/08/22 08:16:39 | 000,011,136 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2014/08/22 08:16:37 | 000,011,136 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2014/08/22 08:13:24 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2014/08/22 08:08:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2014/08/22 08:08:31 | 2615,812,096 | -HS- | M] () -- C:\hiberfil.sys [2014/08/21 23:03:31 | 000,002,183 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk [2014/08/21 22:42:27 | 000,001,311 | ---- | M] () -- C:\Users\Public\Desktop\Jaksta Media Player.lnk [2014/08/21 21:33:45 | 000,001,045 | ---- | M] () -- C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Sta rt Menu\Programs\Startup\Dropbox.lnk [2014/08/21 21:32:36 | 000,001,009 | ---- | M] () -- C:\Users\Jon\Desktop\Dropbox.lnk [2014/08/10 00:08:15 | 000,001,783 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk [2014/08/09 19:16:02 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3285714031-64123788-3120992467-1001Core.job [2014/08/07 03:06:41 | 000,529,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll [2014/08/07 03:01:34 | 000,424,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll [2014/07/30 10:35:01 | 000,782,470 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2014/07/30 10:35:01 | 000,662,384 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2014/07/30 10:35:01 | 000,122,252 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2014/07/25 15:01:41 | 000,004,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll [2014/07/25 14:30:30 | 000,066,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2014/07/25 14:28:35 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll [2014/07/25 14:28:27 | 000,548,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll [2014/07/25 14:25:45 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\MshtmlDac.dll [2014/07/25 14:10:00 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2014/07/25 14:03:50 | 000,598,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2014/07/25 14:00:51 | 000,139,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe [2014/07/25 14:00:25 | 000,111,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe [2014/07/25 13:59:28 | 000,758,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll [2014/07/25 13:47:25 | 000,940,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe [2014/07/25 13:40:12 | 000,452,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll [2014/07/25 13:34:49 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2014/07/25 13:33:08 | 000,051,200 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll [2014/07/25 13:30:32 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\MshtmlDac.dll [2014/07/25 13:28:15 | 005,824,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2014/07/25 13:28:05 | 000,072,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll [2014/07/25 13:19:18 | 000,195,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll [2014/07/25 13:17:33 | 000,032,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2014/07/25 13:17:26 | 000,085,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll [2014/07/25 13:12:35 | 000,438,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2014/07/25 13:10:53 | 000,292,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll [2014/07/25 13:10:15 | 000,112,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe [2014/07/25 13:08:47 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll [2014/07/25 12:47:50 | 000,631,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2014/07/25 12:43:16 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll [2014/07/25 12:42:31 | 000,692,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2014/07/25 12:39:29 | 002,087,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl [2014/07/25 12:39:25 | 001,249,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll [2014/07/25 12:36:30 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll [2014/07/25 12:34:04 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll [2014/07/25 12:07:49 | 002,001,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl [2014/07/25 12:07:10 | 001,068,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll [2014/07/25 11:17:47 | 000,846,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll [2014/07/25 11:09:19 | 000,704,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ] [2 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ] ========== Files Created - No Company Name ========== [2014/08/22 08:30:58 | 000,033,512 | ---- | C] () -- C:\Windows\SysWow64\drivers\TrueSight.sys [2014/08/22 08:30:07 | 004,851,288 | ---- | C] () -- C:\Users\Jon\Desktop\winlog.exe [2014/08/21 22:42:27 | 000,001,311 | ---- | C] () -- C:\Users\Public\Desktop\Jaksta Media Player.lnk [2014/08/21 21:33:45 | 000,001,045 | ---- | C] () -- C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Sta rt Menu\Programs\Startup\Dropbox.lnk [2014/08/10 00:08:15 | 000,001,783 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk [2014/03/18 22:57:55 | 000,000,084 | ---- | C] () -- C:\Windows\wininit.ini [2014/03/01 23:27:20 | 000,003,584 | ---- | C] () -- C:\Users\Jon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2014/01/30 19:32:13 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys [2014/01/30 19:32:12 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys [2014/01/09 20:30:02 | 000,000,108 | ---- | C] () -- C:\Users\Jon\AppData\Roaming\WB.CFG [2014/01/09 20:30:02 | 000,000,005 | ---- | C] () -- C:\Users\Jon\AppData\Roaming\WBPU-TTL.DAT [2013/12/29 16:06:59 | 000,443,080 | ---- | C] () -- C:\Windows\SysWow64\GSService.exe [2013/11/08 17:18:02 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt [2013/11/08 15:18:25 | 000,005,632 | ---- | C] () -- C:\Windows\SysWow64\drivers\StarOpen.sys [2013/10/07 19:36:02 | 000,000,017 | ---- | C] () -- C:\Users\Jon\AppData\Local\resmon.resmoncfg [2013/06/25 21:07:12 | 000,044,216 | ---- | C] () -- C:\Users\Jon\AppData\Local\RAContactHistory.xml [2013/03/29 15:27:03 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat [2013/02/16 23:18:51 | 000,774,592 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2013/02/05 18:52:54 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2013/02/05 18:52:50 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll [2013/02/05 18:52:50 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll [2013/02/05 18:52:50 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll [2013/02/05 18:52:50 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll [2012/05/27 11:57:34 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini [2012/05/19 16:06:12 | 000,000,632 | RHS- | C] () -- C:\Users\Jon\ntuser.pol ========== ZeroAccess Check ========== [2009/07/14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\cls id\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\cls id\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc8 7-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2014/06/25 03:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\cl sid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2014/06/25 02:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA 9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\cl sid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CD B-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\cl sid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== Alternate Data Streams ========== @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:373E1720 < End of report >
|
|
#5
August 22nd, 2014, 11:08 PM
|
||||
|
||||
|
Nothing really bad so far. Odd DNS settings - do you use a phone tether (or have) to connect to the Internet? Wondering if just Avast is the culprit.
See if you can locate some files to check. Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types" Navigate (right click My Computer, left click Explore) to the following files: C:\Users\Jon\AppData\Local\Temp\Runner.exe C:\Users\Jon\AppData\Local\Temp\DNS.exe If they exist, then just zip a copy of each, and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files - jonboy123" as the email Subject. ------------ Click here and download the installer for Gmer to your desktop, then click that file to run Gmer. Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.
|
|
#6
August 23rd, 2014, 10:16 AM
|
|||
|
|||
|
Hi Tom.
Couldn't find either of these files to send to you. Are you able to advise on what the correct DNS settings should be? (I changed them a while ago to just make web browsing more secure for my daughter but not sure if i did it correctly) If Avast is the culprit, would you advise changing to another antivirus program. I installed Avast originally because of its low resource usage and good reviews on CNet, but that was a while ago. Here is the GMER log GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-23 10:06:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-00UU3A0 rev.01.03B01 465.76GB Running: r9d45imn.exe; Driver: C:\Users\Jon\AppData\Local\Temp\uwldypow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLoo kasideList + 528 fffff80002fa4000 45 bytes [70, 11, 05, 00, 00, 00, 63, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLoo kasideList + 574 fffff80002fa402e 24 bytes [1D, 00, E3, B2, 5D, C0, 13, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 000000014a2d0460 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 000000014a2d0450 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 000000014a2d0370 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 000000014a2d0470 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 000000014a2d03e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 000000014a2d0320 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 000000014a2d03b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 000000014a2d0390 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 000000014a2d02e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 000000014a2d02d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 000000014a2d0310 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 000000014a2d03c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 000000014a2d03f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 000000014a2d0230 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 000000014a2d0480 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 000000014a2d03a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 000000014a2d02f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 000000014a2d0350 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 000000014a2d0290 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 000000014a2d02b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 000000014a2d03d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 000000014a2d0330 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 000000014a2d0410 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 000000014a2d0240 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 000000014a2d01e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 000000014a2d0250 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 000000014a2d0490 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 000000014a2d04a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 000000014a2d0300 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 000000014a2d0360 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 000000014a2d02a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 000000014a2d02c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 000000014a2d0380 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 000000014a2d0340 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 000000014a2d0440 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 000000014a2d0260 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 000000014a2d0270 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 000000014a2d0400 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 000000014a2d01f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 000000014a2d0210 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 000000014a2d0200 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 000000014a2d0420 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 000000014a2d0430 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 000000014a2d0220 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 000000014a2d0280 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread
|
|
#7
August 23rd, 2014, 10:17 AM
|
|||
|
|||
|
.text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230
.text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\winlogon.exe[692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry
|
|
#8
August 23rd, 2014, 10:19 AM
|
|||
|
|||
|
.text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0
.text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\SysWOW64\ntdll.dll!KiUserApcDispatcher 0000000077700028 5 bytes JMP 0000000100eb4100 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000759b2c9e 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000076464296 5 bytes JMP 0000000171a50022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076464889 5 bytes JMP 0000000171a10022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007646d1ea 5 bytes JMP 00000001719d0022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076477673 5 bytes JMP 0000000171ae0022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d91465 2 bytes [D9, 75] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe[908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d914bb 2 bytes [D9, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess
|
|
#9
August 23rd, 2014, 10:19 AM
|
|||
|
|||
|
.text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430
.text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\System32\svchost.exe[136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess
|
|
#10
August 23rd, 2014, 10:20 AM
|
|||
|
|||
|
.text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240
.text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\System32\spoolsv.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1796] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1820] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0
|
|
#11
August 23rd, 2014, 10:21 AM
|
|||
|
|||
|
.text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0
.text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\atieclxx.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\SearchIndexer.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0
|
|
#12
August 23rd, 2014, 10:22 AM
|
|||
|
|||
|
.text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350
.text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\Explorer.EXE[2724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\Explorer.EXE[2724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007744ef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3880] C:\Windows\syswow64\kernel32.dll!SetUnhandledExcep tionFilter 00000000754a8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3880] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2812] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\SysWOW64\ntdll.dll!KiUserApcDispatcher 0000000077700028 5 bytes JMP 0000000100f3c710 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000759b2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000076464296 5 bytes JMP 0000000171a20022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076464889 5 bytes JMP 00000001719e0022 .text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007646d1ea 5 bytes JMP 00000001719a0022
|
|
#13
August 23rd, 2014, 10:22 AM
|
|||
|
|||
|
.text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d91465 2 bytes [D9, 75]
.text C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe[456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d914bb 2 bytes [D9, 75] .text ... * 2 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Program Files\iPod\bin\iPodService.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe[1020] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe[1020] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075d91465 2 bytes [D9, 75] .text C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe[1020] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000075d914bb 2 bytes [D9, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\System32\svchost.exe[3740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rt 0000000077561360 5 bytes JMP 00000000776c0460 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775613b0 5 bytes JMP 00000000776c0450 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077561510 5 bytes JMP 00000000776c0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePo rtEx 0000000077561560 5 bytes JMP 00000000776c0470 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 5 bytes JMP 00000000776c03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 5 bytes JMP 00000000776c0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077561650 5 bytes JMP 00000000776c03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077561670 5 bytes JMP 00000000776c0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775616b0 5 bytes JMP 00000000776c02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077561730 5 bytes JMP 00000000776c02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 5 bytes JMP 00000000776c0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 5 bytes JMP 00000000776c03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 5 bytes JMP 00000000776c03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077561940 5 bytes JMP 00000000776c0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceiv ePort 0000000077561b00 5 bytes JMP 00000000776c0480 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJob Object 0000000077561b30 5 bytes JMP 00000000776c03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077561c10 5 bytes JMP 00000000776c02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077561c20 5 bytes JMP 00000000776c0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077561c80 5 bytes JMP 00000000776c0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077561d10 5 bytes JMP 00000000776c02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 5 bytes JMP 00000000776c03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077561d40 5 bytes JMP 00000000776c0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077561db0 5 bytes JMP 00000000776c0410 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077561de0 5 bytes JMP 00000000776c0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 5 bytes JMP 00000000776c01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077562160 5 bytes JMP 00000000776c0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077562190 5 bytes JMP 00000000776c0490 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultip leKeys 00000000775621a0 5 bytes JMP 00000000776c04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775621d0 5 bytes JMP 00000000776c0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775621e0 5 bytes JMP 00000000776c0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077562240 5 bytes JMP 00000000776c02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077562290 5 bytes JMP 00000000776c02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775622c0 5 bytes JMP 00000000776c0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775622d0 5 bytes JMP 00000000776c0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775625c0 5 bytes JMP 00000000776c0440 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775627c0 5 bytes JMP 00000000776c0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775627d0 5 bytes JMP 00000000776c0270 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775627e0 5 bytes JMP 00000000776c0400 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformati on 00000000775629a0 5 bytes JMP 00000000776c01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerStat e 00000000775629b0 5 bytes JMP 00000000776c0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 5 bytes JMP 00000000776c0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077562a80 5 bytes JMP 00000000776c0420 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077562a90 5 bytes JMP 00000000776c0430 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 5 bytes JMP 00000000776c0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077562b80 5 bytes JMP 00000000776c0280 .text C:\Users\Jon\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[5428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] .text C:\Users\Jon\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[5428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d91465 2 bytes [D9, 75] .text C:\Users\Jon\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[5428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d914bb 2 bytes [D9, 75] .text ... * 2 .text C:\Users\Jon\Desktop\r9d45imn.exe[3792] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2fd 1 byte [62] ---- Processes - GMER 2.1 ---- Library C:\Users\Jon\AppData\Roaming\Dropbox\bin\wxmsw28uh _vc.dll (*** suspicious ***) @ C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe [1020](2014-08-15 18:46:08) 0000000003c10000 Library c:\users\jon\appdata\local\temp\dropbox_sqlite_ext .{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjgbm7p.dll (*** suspicious ***) @ C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe [1020](2014-08-23 08:39:41) 0000000004060000 Library C:\Users\Jon\AppData\Roaming\Dropbox\bin\libcef.dl l (*** suspicious ***) @ C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe [1020](2013-08-23 19:01:44) 0000000064390000 Library C:\Users\Jon\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Jon\AppData\Roaming\Dropbox\bin\Dropbox.e xe [1020] (ICU Data DLL/The ICU Project)(2013-08-23 19:01:42) 0000000067110000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Par ameters\Keys\00081bc01e1c Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Paramet ers\Keys\00081bc01e1c (not active ControlSet) ---- EOF - GMER 2.1 ----
|
|
#14
August 24th, 2014, 12:17 AM
|
||||
|
||||
|
Malware running from Dropbox. Must be some flaw in the software that allows that. FYI - PM me before posting such a large log like this last Gmer log.
See if you can uninstall Dropbox. Reboot after, and just update me if the uninstall went without a problem. ------------ But also go here and download Malwarebytes AntiRootkit from here to your desktop, then click that and allow it to extract to your desktop. Click Next, then click the Update button (you will need to have the Internet connected for this). Once it has updated, click Next, then click Scan. When it finishes, click Exit. Then post the two logs it created, located in the same mbar folder on your desktop. mbar-log-date-(xx-xx-xx).txt system-log.txt
|
|
#15
August 24th, 2014, 10:21 PM
|
|||
|
|||
|
Windows 7 Ultimate PC sluggish
Hi Tom.
The Malwarebytes rootkit scan didn't find any malware. Here are the logs. Malwarebytes Anti-Rootkit BETA 1.07.0.1012 www.malwarebytes.org Database version: v2014.08.24.06 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 11.0.9600.17239 Jon :: JON-PC [administrator] 24/08/2014 21:12:20 mbar-log-2014-08-24 (21-12-20).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: Objects scanned: 0 Time elapsed: 1 minute(s), 10 second(s) [aborted] Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end) --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1012 (c) Malwarebytes Corporation 2011-2012 OS version: 6.1.7601 Windows 7 Service Pack 1 x64 Account is Administrative Internet Explorer version: 11.0.9600.17239 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 2.812000 GHz Memory total: 3487752192, free: 1527738368 Downloaded database version: v2014.08.24.06 Downloaded database version: v2014.08.21.01 ======================================= Initializing... ------------ Kernel report ------------ 08/24/2014 21:12:03 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kdcom.dll \SystemRoot\system32\mcupdate_AuthenticAMD.dll \SystemRoot\system32\PSHED.dll \SystemRoot\system32\CLFS.SYS \SystemRoot\system32\CI.dll \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\ACPI.sys \SystemRoot\system32\drivers\WMILIB.SYS \SystemRoot\system32\drivers\msisadrv.sys \SystemRoot\system32\drivers\pci.sys \SystemRoot\system32\drivers\vdrvroot.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\system32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\system32\drivers\pciide.sys \SystemRoot\system32\drivers\PCIIDEX.SYS \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\system32\drivers\vmbus.sys \SystemRoot\system32\drivers\winhv.sys \SystemRoot\system32\drivers\atapi.sys \SystemRoot\system32\drivers\ataport.SYS \SystemRoot\system32\drivers\amdxata.sys \SystemRoot\system32\drivers\fltmgr.sys \SystemRoot\system32\drivers\fileinfo.sys \SystemRoot\System32\Drivers\Ntfs.sys \SystemRoot\System32\Drivers\msrpc.sys \SystemRoot\System32\Drivers\ksecdd.sys \SystemRoot\System32\Drivers\cng.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\system32\drivers\ndis.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\system32\drivers\vmstorfl.sys \SystemRoot\system32\drivers\volsnap.sys \SystemRoot\System32\Drivers\spldr.sys \SystemRoot\System32\drivers\rdyboost.sys \SystemRoot\System32\Drivers\RapportKE64.sys \SystemRoot\System32\Drivers\mup.sys \SystemRoot\System32\drivers\hwpolicy.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\system32\DRIVERS\disk.sys \SystemRoot\system32\DRIVERS\CLASSPNP.SYS \SystemRoot\System32\Drivers\aswVmm.sys \SystemRoot\System32\Drivers\aswRvrt.sys \SystemRoot\system32\drivers\cdrom.sys \SystemRoot\system32\drivers\aswSnx.sys \SystemRoot\system32\drivers\aswSP.sys \??\C:\ProgramData\Trusteer\Rapport\store\exts\Rap portCerberus\baseline\RapportCerberus64_69108.sys \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \SystemRoot\System32\Drivers\aswKbd.SYS \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\drivers\VIDEOPRT.SYS \SystemRoot\System32\drivers\watchdog.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\system32\drivers\rdpencdd.sys \SystemRoot\system32\drivers\rdprefmp.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\tdx.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\System32\DRIVERS\netbt.sys \SystemRoot\system32\drivers\afd.sys \SystemRoot\system32\drivers\aswRdr2.sys \SystemRoot\system32\drivers\ws2ifsl.sys \SystemRoot\system32\DRIVERS\wfplwf.sys \SystemRoot\system32\DRIVERS\pacer.sys \SystemRoot\system32\DRIVERS\jakndis.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\DRIVERS\serial.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\drivers\termdd.sys \SystemRoot\system32\DRIVERS\rdbss.sys \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys \SystemRoot\system32\drivers\nsiproxy.sys \SystemRoot\system32\drivers\mssmbios.sys \SystemRoot\System32\drivers\discache.sys \SystemRoot\system32\drivers\csc.sys \SystemRoot\System32\Drivers\dfsc.sys \SystemRoot\system32\DRIVERS\blbdrive.sys \SystemRoot\SysWow64\drivers\AsIO.sys \SystemRoot\system32\DRIVERS\tunnel.sys \SystemRoot\system32\DRIVERS\amdppm.sys \SystemRoot\system32\DRIVERS\atikmpag.sys \SystemRoot\system32\DRIVERS\atikmdag.sys \SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\dxgmms1.sys \SystemRoot\system32\DRIVERS\L1C62x64.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\usbohci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\drivers\HDAudBus.sys \SystemRoot\system32\DRIVERS\parport.sys \SystemRoot\system32\DRIVERS\ASACPI.sys \SystemRoot\system32\DRIVERS\serenum.sys \SystemRoot\system32\drivers\wmiacpi.sys \SystemRoot\system32\drivers\CompositeBus.sys \SystemRoot\system32\DRIVERS\AgileVpn.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\rassstp.sys \SystemRoot\system32\DRIVERS\rdpbus.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\drivers\serscan.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\drivers\swenum.sys \SystemRoot\system32\drivers\umbus.sys \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\drivers\HdAudio.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\DRIVERS\usbccgp.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\DRIVERS\kbdhid.sys \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\usbvideo.sys \SystemRoot\system32\drivers\usbaudio.sys \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\Drivers\dump_dumpata.sys \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\system32\DRIVERS\monitor.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\System32\ATMFD.DLL \SystemRoot\system32\drivers\luafv.sys \SystemRoot\system32\drivers\aswMonFlt.sys \SystemRoot\system32\DRIVERS\lltdio.sys \SystemRoot\system32\DRIVERS\nwifi.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\rspndr.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\system32\drivers\aswHwid.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\Drivers\secdrv.SYS \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\System32\drivers\tcpipreg.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\System32\DRIVERS\srv.sys \SystemRoot\system32\DRIVERS\asyncmac.sys \??\C:\Windows\system32\drivers\mbamchameleon.sys \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys \Windows\System32\ntdll.dll \Windows\System32\smss.exe \Windows\System32\apisetschema.dll \Windows\System32\autochk.exe ----------- End ----------- Done! <<<1>>> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xfffffa8003843060 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\ Lower Device Object: 0xfffffa80028e5680 Lower Device Driver Name: \Driver\atapi\ Scan Interrupted Scan Interrupted Scan Interrupted <<<2>>> Physical Sector Size: 512 Drive: 0, DevicePointer: 0xfffffa8003843060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa8003843b90, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa8003843060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa80028f5520, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa80028e5680, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... Scan was aborted. ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.07.0.1012 (c) Malwarebytes Corporation 2011-2012 OS version: 6.1.7601 Windows 7 Service Pack 1 x64 Account is Administrative Internet Explorer version: 11.0.9600.17239 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 2.812000 GHz Memory total: 3487752192, free: 1528131584 Downloaded database version: v2014.08.24.06 Downloaded database version: v2014.08.21.01 Initializing... ====================== ------------ Kernel report ------------ 08/24/2014 21:15:00 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kdcom.dll \SystemRoot\system32\mcupdate_AuthenticAMD.dll \SystemRoot\system32\PSHED.dll \SystemRoot\system32\CLFS.SYS \SystemRoot\system32\CI.dll \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\ACPI.sys \SystemRoot\system32\drivers\WMILIB.SYS \SystemRoot\system32\drivers\msisadrv.sys \SystemRoot\system32\drivers\pci.sys \SystemRoot\system32\drivers\vdrvroot.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\system32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\system32\drivers\pciide.sys \SystemRoot\system32\drivers\PCIIDEX.SYS \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\system32\drivers\vmbus.sys \SystemRoot\system32\drivers\winhv.sys \SystemRoot\system32\drivers\atapi.sys \SystemRoot\system32\drivers\ataport.SYS \SystemRoot\system32\drivers\amdxata.sys \SystemRoot\system32\drivers\fltmgr.sys \SystemRoot\system32\drivers\fileinfo.sys \SystemRoot\System32\Drivers\Ntfs.sys \SystemRoot\System32\Drivers\msrpc.sys \SystemRoot\System32\Drivers\ksecdd.sys \SystemRoot\System32\Drivers\cng.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\system32\drivers\ndis.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\system32\drivers\vmstorfl.sys \SystemRoot\system32\drivers\volsnap.sys \SystemRoot\System32\Drivers\spldr.sys \SystemRoot\System32\drivers\rdyboost.sys \SystemRoot\System32\Drivers\RapportKE64.sys \SystemRoot\System32\Drivers\mup.sys \SystemRoot\System32\drivers\hwpolicy.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\system32\DRIVERS\disk.sys \SystemRoot\system32\DRIVERS\CLASSPNP.SYS \SystemRoot\System32\Drivers\aswVmm.sys \SystemRoot\System32\Drivers\aswRvrt.sys \SystemRoot\system32\drivers\cdrom.sys \SystemRoot\system32\drivers\aswSnx.sys \SystemRoot\system32\drivers\aswSP.sys \??\C:\ProgramData\Trusteer\Rapport\store\exts\Rap portCerberus\baseline\RapportCerberus64_69108.sys \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \SystemRoot\System32\Drivers\aswKbd.SYS \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\drivers\VIDEOPRT.SYS \SystemRoot\System32\drivers\watchdog.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\system32\drivers\rdpencdd.sys \SystemRoot\system32\drivers\rdprefmp.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\tdx.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\System32\DRIVERS\netbt.sys \SystemRoot\system32\drivers\afd.sys \SystemRoot\system32\drivers\aswRdr2.sys \SystemRoot\system32\drivers\ws2ifsl.sys \SystemRoot\system32\DRIVERS\wfplwf.sys \SystemRoot\system32\DRIVERS\pacer.sys \SystemRoot\system32\DRIVERS\jakndis.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\DRIVERS\serial.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\drivers\termdd.sys \SystemRoot\system32\DRIVERS\rdbss.sys \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys \SystemRoot\system32\drivers\nsiproxy.sys \SystemRoot\system32\drivers\mssmbios.sys \SystemRoot\System32\drivers\discache.sys \SystemRoot\system32\drivers\csc.sys \SystemRoot\System32\Drivers\dfsc.sys \SystemRoot\system32\DRIVERS\blbdrive.sys \SystemRoot\SysWow64\drivers\AsIO.sys \SystemRoot\system32\DRIVERS\tunnel.sys \SystemRoot\system32\DRIVERS\amdppm.sys \SystemRoot\system32\DRIVERS\atikmpag.sys \SystemRoot\system32\DRIVERS\atikmdag.sys \SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\dxgmms1.sys \SystemRoot\system32\DRIVERS\L1C62x64.sys \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys \SystemRoot\system32\DRIVERS\usbohci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\drivers\HDAudBus.sys \SystemRoot\system32\DRIVERS\parport.sys \SystemRoot\system32\DRIVERS\ASACPI.sys \SystemRoot\system32\DRIVERS\serenum.sys \SystemRoot\system32\drivers\wmiacpi.sys \SystemRoot\system32\drivers\CompositeBus.sys \SystemRoot\system32\DRIVERS\AgileVpn.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\rassstp.sys \SystemRoot\system32\DRIVERS\rdpbus.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\drivers\serscan.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\drivers\swenum.sys \SystemRoot\system32\drivers\umbus.sys \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\drivers\HdAudio.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\DRIVERS\usbccgp.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\DRIVERS\hidusb.sys \SystemRoot\system32\DRIVERS\HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS \SystemRoot\system32\DRIVERS\kbdhid.sys \SystemRoot\system32\DRIVERS\mouhid.sys \SystemRoot\System32\Drivers\usbvideo.sys \SystemRoot\system32\drivers\usbaudio.sys \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\Drivers\dump_dumpata.sys \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\system32\DRIVERS\monitor.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\System32\ATMFD.DLL \SystemRoot\system32\drivers\luafv.sys \SystemRoot\system32\drivers\aswMonFlt.sys \SystemRoot\system32\DRIVERS\lltdio.sys \SystemRoot\system32\DRIVERS\nwifi.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\rspndr.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\system32\drivers\aswHwid.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\Drivers\secdrv.SYS \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\System32\drivers\tcpipreg.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\System32\DRIVERS\srv.sys \SystemRoot\system32\DRIVERS\asyncmac.sys \??\C:\Windows\system32\drivers\mbamchameleon.sys \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys \Windows\System32\ntdll.dll \Windows\System32\smss.exe \Windows\System32\apisetschema.dll \Windows\System32\autochk.exe ----------- End ----------- Done! <<<1>>> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xfffffa8003843060 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\ Lower Device Object: 0xfffffa80028e5680 Lower Device Driver Name: \Driver\atapi\ <<<2>>> Physical Sector Size: 512 Drive: 0, DevicePointer: 0xfffffa8003843060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa8003843b90, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa8003843060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa80028f5520, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa80028e5680, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... Done! Drive 0 This is a System drive Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: C633D97F Partition information: Partition 0 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 63 Numsec = 976751937 Partition file system is NTFS Partition is bootable Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 500107862016 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)... Done! Scan finished ======================================= Removal queue found; removal started Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam... Removal finished
|
|
| Bookmarks |
«
Previous Topic
|
Next Topic
»
| Topic Tools | |
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| Windows Ultimate Booster Virus | shirley_b1 | Malware Removal | 2 | February 3rd, 2014 03:26 PM |
| Switching from Windows Vista to Windows 7 Ultimate | Nicol | Windows Vista | 2 | March 27th, 2011 01:45 AM |
| Upgrade from Vista Ultimate 32 bit to Windows 7 64 bit | airjazz | Windows 7 | 1 | June 10th, 2010 06:13 PM |
| Windows 7 Ultimate, which to buy? | IPR512 | Windows 7 | 19 | October 26th, 2009 05:34 AM |
| Windows Vista Ultimate Problems | zg56789 | Windows Vista | 6 | July 26th, 2007 01:37 AM |
All times are GMT +1. The time now is 02:50 AM.