trojan


  • trojan

    Hello,

    My parents' computer also has a trojan on it.
    When scanning, it indicated that it is in avast.. infected by: VBS: Fluffer miner-d trj

    Here are the log files. Thanks in advance.

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Databaseversie: v2013.11.17.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16736
    wdellink :: WDELLINK-PC [administrator]

    17-11-2013 13:01:41
    mbam-log-2013-11-17 (13-01-41).txt

    Scan type: Volledige scan (C:\|D:\|E:\|G:\|H:\|)
    Ingeschakelde scan opties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
    Uitgeschakelde scan opties: P2P
    Objecten gescand: 383823
    Verstreken tijd: 42 minuut/minuten, 30 seconde(n)

    Geheugenprocessen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Geheugenmodulen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registerwaarden gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registerdata gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Mappen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    (einde)


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 10.0.9200.16736 BrowserJavaVersion: 10.45.2
    Run by wdellink at 15:53:35 on 2013-11-17
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.6127.4399 [GMT 1:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Acer\Acer Updater\UpdaterService.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
    C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
    C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
    C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
    C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
    C:\Windows\system32\msiexec.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Windows\system32\sppsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.startpagina.nl/
    uURLSearchHooks: SearchHook Class: {D8278076-BC68-4484-9233-6E7F1628B56C} -
    BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Ask Toolbar: {4F524A2D-5637-006A-76A7-7A786E7484D7} -
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Aanmeldhulp voor Windows Live ID: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Ask Toolbar: {4F524A2D-5637-006A-76A7-7A786E7484D7} -
    EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    uRun: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
    mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
    mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
    mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [MDS_Menu] "C:\Program Files (x86)\Acer Arcade Deluxe\MediaEspresso\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Acer Arcade Deluxe\MediaEspresso" UpdateWithCreateOnce "Software\CyberLink\MediaEspresso\6.1"
    mRun: [ArcadeMovieService] "C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe"
    mRun: [Hotkey Utility] C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [ApnTBMon] "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: &Verzenden naar OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
    IE: E&xporteren naar Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://212.204.181.105/activex/AMC.cab
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{5F638E70-97FD-4814-8E1C-CFB47F1BC004} : DHCPNameServer = 192.168.0.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Ask Toolbar: {4F524A2D-5637-006A-76A7-7A786E7484D7} -
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-TB: Ask Toolbar: {4F524A2D-5637-006A-76A7-7A786E7484D7} -
    x64-Run: [mwlDaemon] C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-7 65336]
    R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-7 204880]
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-6-10 1030952]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-6-10 378944]
    R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2009-6-3 22576]
    R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2009-6-3 20016]
    R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2009-6-3 60464]
    R2 APNMCP;Ask-updateservice;C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [2013-10-16 166352]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-6-10 33400]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-6-10 80816]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-9-21 46808]
    R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-17 13336]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
    R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-1-19 2984832]
    R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-3-9 92592]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-11-17 2655768]
    R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-11-17 243232]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-5-27 305520]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-9 19456]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-9 57856]
    S3 WatAdminSvc;Windows Activation Technologies-service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-11 1255736]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 15:53:59,55 ===============

  • #2
    GMER 2.1.19163 - http://www.gmer.net
    Rootkit scan 2013-11-17 16:04:38
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.80.0 931,51GB
    Running: tonuuimm.exe; Driver: C:\Users\wdellink\AppData\Local\Temp\ugddikod.sys


    ---- User code sections - GMER 2.1 ----

    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001001503fc
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100150804
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100150600
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100150a08
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100161014
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100160804
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100160a08
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100160c0c
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100160e10
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001001601f8
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001001603fc
    .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2560] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100160600
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 000000010015075c
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001001503a4
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 5 bytes JMP 0000000100150b14
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 5 bytes JMP 0000000100150ecc
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 000000010015163c
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 5 bytes JMP 0000000100151284
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 5 bytes JMP 00000001001519f4
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007779eecd 1 byte [62]
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
    .text C:\Windows\System32\svchost.exe[2588] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 000000010013075c
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001001303a4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 5 bytes JMP 0000000100130b14
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 5 bytes JMP 0000000100130ecc
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 000000010013163c
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 5 bytes JMP 0000000100131284
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 5 bytes JMP 00000001001319f4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007779eecd 1 byte [62]
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2612] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2852] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 00000001001c075c
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001001c03a4
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 5 bytes JMP 00000001001c0b14
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 5 bytes JMP 00000001001c0ecc
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 00000001001c163c
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 5 bytes JMP 00000001001c1284
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 5 bytes JMP 00000001001c19f4
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007779eecd 1 byte [62]
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
    .text C:\Windows\system32\svchost.exe[1392] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
    .text C:\Windows\system32\svchost.exe[3244] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 000000010010075c
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001001003a4
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 5 bytes JMP 0000000100100b14
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 5 bytes JMP 0000000100100ecc
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 000000010010163c
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 5 bytes JMP 0000000100101284
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 5 bytes JMP 00000001001019f4
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
    .text C:\Windows\system32\taskeng.exe[3588] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002501f8
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002503fc
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100250804
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100250600
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100250a08
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100261014
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100260804
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100260a08
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100260c0c
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100260e10
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002601f8
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002603fc
      .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3956] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100260600
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 000000010014075c
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001001403a4
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 5 bytes JMP 0000000100140b14
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 5 bytes JMP 0000000100140ecc
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 000000010014163c
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 5 bytes JMP 0000000100141284
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 5 bytes JMP 00000001001419f4
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007779eecd 1 byte [62]
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
      .text C:\Windows\system32\SearchIndexer.exe[2556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 000000010041075c
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001004103a4
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 5 bytes JMP 0000000100410b14
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 5 bytes JMP 0000000100410ecc
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 000000010041163c
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 5 bytes JMP 0000000100411284
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 5 bytes JMP 00000001004119f4
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007779eecd 1 byte [62]
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
      .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077883b10 5 bytes JMP 000000010044075c
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077887ac0 5 bytes JMP 00000001004403a4
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778b1430 3 bytes JMP 0000000100440b14
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 4 00000000778b1434 1 byte [88]
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778b1490 3 bytes JMP 0000000100440ecc
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory + 4 00000000778b1494 1 byte [88]
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b1570 5 bytes JMP 000000010044163c
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778b17b0 3 bytes JMP 0000000100441284
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 4 00000000778b17b4 1 byte [88]
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b27e0 3 bytes JMP 00000001004419f4
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 4 00000000778b27e4 1 byte [88]
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007779eecd 1 byte [62]
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec76e00 5 bytes JMP 000007ff7ec91dac
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec76f2c 5 bytes JMP 000007ff7ec90ecc
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec77220 5 bytes JMP 000007ff7ec91284
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec7739c 5 bytes JMP 000007ff7ec9163c
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec77538 5 bytes JMP 000007ff7ec919f4
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec775e8 5 bytes JMP 000007ff7ec903a4
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec7790c 5 bytes JMP 000007ff7ec9075c
      .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec77ab4 5 bytes JMP 000007ff7ec90b14
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002401f8
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002403fc
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100240804
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100240600
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100240a08
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100251014
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100250804
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100250a08
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100250c0c
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100250e10
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002501f8
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002503fc
      .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3684] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100250600
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100151014
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100150804
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100150a08
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100150c0c
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100150e10
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001001501f8
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001001503fc
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100150600
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001001601f8
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001001603fc
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100160804
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100160600
      .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1856] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100160a08
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100241014
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100240804
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100240a08
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100240c0c
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100240e10
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002401f8
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002403fc
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100240600
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002501f8
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002503fc
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100250804
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100250600
      .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100250a08
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002501f8
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002503fc
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100250804
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100250600
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100250a08
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100261014
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100260804
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100260a08
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100260c0c
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100260e10
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002601f8
      .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002603fc

      • #4
        .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[260] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100260600
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002401f8
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002403fc
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100240804
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100240600
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100240a08
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100251014
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100250804
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100250a08
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100250c0c
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100250e10
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002501f8
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002503fc
        .text C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[128] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100250600
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001001601f8
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001001603fc
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100160804
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100160600
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100160a08
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100171014
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100170804
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100170a08
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100170c0c
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100170e10
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001001701f8
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001001703fc
        .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[1140] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100170600
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002401f8
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002403fc
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100240804
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100240600
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100240a08
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100251014
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100250804
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100250a08
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100250c0c
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100250e10
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002501f8
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002503fc
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100250600
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d81465 2 bytes [D8, 76]
        .text C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d814bb 2 bytes [D8, 76]
        .text ... * 2
        .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3576] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002401f8
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002403fc
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100240804
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100240600
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076dcf52b 5 bytes JMP 0000000100240a08
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100251014
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100250804
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100250a08
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100250c0c
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100250e10
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002501f8
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002503fc
        .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3776] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100250600
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a5fac0 5 bytes JMP 0000000100030600
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a5fb58 5 bytes JMP 0000000100030804
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a5fcb0 5 bytes JMP 0000000100030c0c
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a60038 5 bytes JMP 0000000100030a08
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a61920 5 bytes JMP 0000000100030e10
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a7c4dd 5 bytes JMP 00000001000301f8
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a81287 5 bytes JMP 00000001000303fc
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000772aa2ba 1 byte [62]
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076405181 5 bytes JMP 0000000100251014
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076405254 5 bytes JMP 0000000100250804
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000764053d5 5 bytes JMP 0000000100250a08
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000764054c2 5 bytes JMP 0000000100250c0c
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000764055e2 5 bytes JMP 0000000100250e10
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007640567c 5 bytes JMP 00000001002501f8
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007640589f 5 bytes JMP 00000001002503fc
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076405a22 5 bytes JMP 0000000100250600
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076daee09 5 bytes JMP 00000001002601f8
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076db3982 5 bytes JMP 00000001002603fc
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076db7603 5 bytes JMP 0000000100260804
        .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076db835c 5 bytes JMP 0000000100260600



          • #6
            ---- User IAT/EAT - GMER 2.1 ----


            ---- Threads - GMER 2.1 ----


            ---- Registry - GMER 2.1 ----

            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! mini-filter driver (aswMonFlt)
            Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\[email protected] aswMonFlt Instance
            Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt [email protected] 320700
            Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt [email protected] 0
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] aswRdr
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] PNP_TDI
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] tcpip?
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! WFP Redirect driver
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] \SystemRoot\System32\Drivers\aswrdr2.sys
            Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\[email protected]
            Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\[email protected] nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 0
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] aswRvrt
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! Revert
            Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\[email protected] 199
            Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\[email protected] 646567
            Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\[email protected] \Device\Harddisk0\Partition3\Windows
            Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 2
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] aswSnx
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] FSFilter Virtualization
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] FltMgr?
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! virtualization driver (aswSnx)
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 2
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\[email protected] aswSnx Instance
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx [email protected] 137600
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx [email protected] 0
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\[email protected] \DosDevices\C:\Program Files\AVAST Software\Avast
            Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\[email protected] \DosDevices\C:\ProgramData\AVAST Software\Avast
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] aswSP
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! Self Protection
            Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\aswSP\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\aswSP\[email protected] \DosDevices\C:\Program Files\AVAST Software\Avast
            Reg HKLM\SYSTEM\ControlSet002\services\aswSP\[email protected] \DosDevices\C:\ProgramData\AVAST Software\Avast
            Reg HKLM\SYSTEM\ControlSet002\services\aswSP\[email protected] \DosDevices\C:\Program Files
            Reg HKLM\SYSTEM\ControlSet002\services\aswSP\[email protected] \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! Network Shield Support
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] PNP_TDI
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] tcpip?
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! Network Shield TDI driver
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 10
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 0
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] aswVmm
            Reg HKLM\SYSTEM\ControlSet002\services\[email protected] avast! VM Monitor
            Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet)
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] 32
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] 2
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] avast! Antivirus
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] ShellSvcGroup
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] aswMonFlt?RpcSS?
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] LocalSystem
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] 1
            Reg HKLM\SYSTEM\ControlSet002\services\avast! [email protected] Behandelt en implementeert avast! antivirus diensten voor deze computer. Dit bevat de interne bescherming, de viruskluis en de planner.

            ---- EOF - GMER 2.1 ----



            • #7
              In multiple parts, it didn't fit in one go.



              • #8
                Download Zoek.zip to the desktop.
                1. If Internet Explorer, another browser or a virus scanner reports that this file is unsafe, you can ignore that; it is a false warning.
                2. Disable your antivirus and antispyware programs, as they may conflict with zoek.exe; you can read how to do that (here and here).

                • Right-click Zoek.zip and click the option "Extract All".
                • Then double-click Zoek.exe to start the tool.
                • Windows Vista, 7 and 8 users must run the tool as "administrator" by right-clicking it and choosing Run as Administrator.
                • Now copy the code below and paste it into the large input window:
                • Note: This script is intended specifically for this PC; do not use it on other PCs with a similar problem.
                  Code:
                   
                  torpigcheck;
                  emptyclsid;
                  emptyfolderscheck;delete
                  firefoxlook; 
                  Chromelook;  
                  autoclean; 
                  iedefaults; 
                  filesrcm;
                • Now click the "Run script" button.
                • Wait patiently until a log opens (this may be after a restart if one is required).
                • If no log appears after the restart, start zoek.exe again; the log will then appear.
                • Post the opened log in your next message as an attachment.

                Starting Windows 10 in Safe Mode



                • #9
                  Zoek.exe Version 4.0.0.5 Updated 14-November-2013
                  Tool run by wdellink on vr 22-11-2013 at 11:06:59,91.
                  Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
                  Running in: Normal Mode Internet Access Detected
                  Launched: C:\Users\wdellink\Desktop\zoek.scr [Script inserted]

                  ==== System Restore Info ======================

                  22-11-2013 11:07:35 Zoek.exe System Restore Point Created Succesfully.

                  ==== Torpig Check ======================

                  HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\FileSystem {217FC9C0-3AEA-1069-A2DB-08002B30309D} %SystemRoot%\system32\shell32.dll
                  HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\Sharing {40dd6e20-7c17-11ce-a804-00aa003ca9f6} %SystemRoot%\system32\ntshrui.dll


                  ==== Empty Folders Check ======================

                  C:\PROGRA~2\MSXML 4.0 deleted successfully
                  C:\PROGRA~2\Panda Security deleted successfully
                  C:\PROGRA~2\TomTom DesktopSuite deleted successfully
                  C:\ProgramData\Oracle deleted successfully
                  C:\Users\wdellink\AppData\Local\VirtualStore deleted successfully

                  ==== Deleting CLSID Registry Keys ======================

                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Internet Explorer\SearchScopes\{5E7356F0-3829-4801-A7F9-35BD7F83FCA2} deleted successfully
                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully
                  HKEY_CLASSES_ROOT\CLSID\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D8278076-BC68-4484-9233-6E7F1628B56C} deleted successfully
                  HKEY_CLASSES_ROOT\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully

                  ==== Deleting CLSID Registry Values ======================

                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\{D8278076-BC68-4484-9233-6E7F1628B56C} deleted successfully
                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{4F524A2D-5637-006A-76A7-7A786E7484D7} deleted successfully
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully

                  ==== Deleting Services ======================

                  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\APNMCP deleted successfully
                  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\APNMCP deleted successfully

                  ==== Deleting Files \ Folders ======================

                  C:\found.000 deleted
                  C:\ProgramData\Ask deleted
                  C:\ProgramData\AskPartnerNetwork deleted
                  C:\ProgramData\APN deleted
                  C:\ProgramData\OberonGameConsole deleted
                  "C:\PROGRA~2\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" deleted
                  "C:\PROGRA~2\AskPartnerNetwork" deleted
                  "C:\PROGRA~2\AskPartnerNetwork\Toolbar" deleted
                  "C:\PROGRA~2\AskPartnerNetwork\Toolbar\Updater" deleted

                  ==== Files Recently Created / Modified ======================

                  ====== C:\Windows ====
                  ====== C:\Users\wdellink\AppData\Local\Temp ====
                  ====== Java Cache =====
                  ====== C:\Windows\SysWOW64 =====
                  2013-11-14 22:12:08 FED1803F2F9C4BDBA8267EA2DE47CFE2 2706432 ----a-w- C:\Windows\SysWOW64\mshtml.tlb
                  2013-11-14 22:12:08 FEB2F07A980A9844AD1B5E886C9B5338 391168 ----a-w- C:\Windows\SysWOW64\ieui.dll
                  2013-11-14 22:12:07 E841206E319069920C394A5E3842568F 61440 ----a-w- C:\Windows\SysWOW64\iesetup.dll
                  2013-11-14 22:12:06 8D98D99DC6D4033591354156CEB25153 109056 ----a-w- C:\Windows\SysWOW64\iesysprep.dll
                  2013-11-14 22:12:06 8317DD8D4095FE4076E9F6EC3A747940 71680 ----a-w- C:\Windows\SysWOW64\RegisterIEPKEYs.exe
                  2013-11-14 22:12:06 70F131E94E1B4496469A563C85279192 33280 ----a-w- C:\Windows\SysWOW64\iernonce.dll
                  2013-11-14 22:12:05 DA5374911037841F81072A4DCBB02D93 2049024 ----a-w- C:\Windows\SysWOW64\iertutil.dll
                  2013-11-14 22:12:03 AD6639EF2BD655C7E630B6BCF7203463 493056 ----a-w- C:\Windows\SysWOW64\msfeeds.dll
                  2013-11-14 22:12:03 6AD683FF326836EB6AE63B1F144A4F9D 690688 ----a-w- C:\Windows\SysWOW64\jscript.dll
                  2013-11-14 22:12:02 D42525513055C0A65FD4BEFAFACEB134 2877952 ----a-w- C:\Windows\SysWOW64\jscript9.dll
                  2013-11-14 22:12:01 A5897063A4B6796EFB7B34CEC5BC739F 1138176 ----a-w- C:\Windows\SysWOW64\urlmon.dll
                  2013-11-14 22:12:00 98B05ADD60BAA432E708BAFEBE5B1D70 39424 ----a-w- C:\Windows\SysWOW64\jsproxy.dll
                  2013-11-14 22:12:00 5FD4335DCD343D0FEA9FA6B18ED408D9 1767936 ----a-w- C:\Windows\SysWOW64\wininet.dll
                  2013-11-14 22:11:58 1191434BB424F18C2609AB5C955DD14E 13761024 ----a-w- C:\Windows\SysWOW64\ieframe.dll
                  2013-11-14 22:11:54 02A04841906A8892AD6CC7BDBCB5F61D 14355968 ----a-w- C:\Windows\SysWOW64\mshtml.dll
                  2013-11-14 17:09:57 CC09E0C9A2D89C6E71D093DC8BD121B7 1168384 ----a-w- C:\Windows\SysWOW64\crypt32.dll
                  2013-11-14 17:09:45 EE7CB55F77465CDAC4C80F587FF7C278 1796096 ----a-w- C:\Windows\SysWOW64\authui.dll
                  2013-11-14 17:09:45 E9BB0CD09DA17C71FD1B9954D75AEEF7 168960 ----a-w- C:\Windows\SysWOW64\credui.dll
                  2013-11-14 17:09:45 4BCC63ED1C3D15B2635A8AE2B854B3EB 152576 ----a-w- C:\Windows\SysWOW64\SmartcardCredentialProvider.dll
                  2013-11-14 17:09:40 AA6F6457116B559B76BC6A012CB4C293 247808 ----a-w- C:\Windows\SysWOW64\schannel.dll
                  2013-11-14 17:09:39 AD7FB087A238883D1618F29F7BBBD584 220160 ----a-w- C:\Windows\SysWOW64\ncrypt.dll
                  2013-11-14 17:09:39 42B924C5F3924C1EB2539F22C10D7DF1 96768 ----a-w- C:\Windows\SysWOW64\sspicli.dll
                  2013-11-14 17:09:39 372948BB5E41CE42341C4398DE572E56 22016 ----a-w- C:\Windows\SysWOW64\secur32.dll
                  2013-11-14 17:09:37 56E3313690866F99CD17AA1342F64AE1 311808 ----a-w- C:\Windows\SysWOW64\gdi32.dll
                  2013-11-14 17:09:36 F0D0E883EBBDC7615DC9EDEA0FFB2817 216576 ----a-w- C:\Windows\SysWOW64\FWPUCLNT.DLL
                  2013-11-14 17:09:36 CE2A48CD0D2B39FB77FA4797C6434E71 656896 ----a-w- C:\Windows\SysWOW64\nshwfp.dll
                  ====== C:\Windows\SysWOW64\drivers =====
                  ====== C:\Windows\Sysnative =====
                  2013-11-14 22:12:08 8D0D46B480BB260FA2AEA1201F15E784 526336 ----a-w- C:\Windows\Sysnative\ieui.dll
                  2013-11-14 22:12:08 668653D2C9ED9E7529386DD8138FAAEB 2706432 ----a-w- C:\Windows\Sysnative\mshtml.tlb
                  2013-11-14 22:12:06 F08BF4FC30F31350DCAB06F2B59ED1E9 136704 ----a-w- C:\Windows\Sysnative\iesysprep.dll
                  2013-11-14 22:12:06 9F1D74E792DADA30809FCA64F705C042 89600 ----a-w- C:\Windows\Sysnative\RegisterIEPKEYs.exe
                  2013-11-14 22:12:06 59AD440EFC7A653B55D5DC34E75960B2 39936 ----a-w- C:\Windows\Sysnative\iernonce.dll
                  2013-11-14 22:12:06 3E86B4126D4CD0D9CA5B78DBE9F8D7CB 51712 ----a-w- C:\Windows\Sysnative\ie4uinit.exe
                  2013-11-14 22:12:06 2CA49EB6296DBC1A5CEE141009A6F757 67072 ----a-w- C:\Windows\Sysnative\iesetup.dll
                  2013-11-14 22:12:05 A96B3E9D360DE75B09EE77698A54412B 2648576 ----a-w- C:\Windows\Sysnative\iertutil.dll
                  2013-11-14 22:12:03 EFB4937249C7E4D57F69CC4B1986BC4B 855552 ----a-w- C:\Windows\Sysnative\jscript.dll
                  2013-11-14 22:12:03 1E47964351EA38C20A8E28B413769C80 603136 ----a-w- C:\Windows\Sysnative\msfeeds.dll
                  2013-11-14 22:12:02 90868BDD4047BF951E03620961945149 3959808 ----a-w- C:\Windows\Sysnative\jscript9.dll
                  2013-11-14 22:12:01 F13305A81317DDAEA3968D2D8EC0C0A4 1364992 ----a-w- C:\Windows\Sysnative\urlmon.dll
                  2013-11-14 22:12:00 B83DB27D36C697760E0D33AE0CF76AAD 53248 ----a-w- C:\Windows\Sysnative\jsproxy.dll
                  2013-11-14 22:11:59 9706C99DAEBE3FEAC811B239617E98C4 2241536 ----a-w- C:\Windows\Sysnative\wininet.dll
                  2013-11-14 22:11:57 9991ABD246ED906CF420B2CA08BF685A 15404544 ----a-w- C:\Windows\Sysnative\ieframe.dll
                  2013-11-14 22:11:56 25C356A79B7002E0A20AAF592ED59DE4 19269632 ----a-w- C:\Windows\Sysnative\mshtml.dll
                  2013-11-14 17:09:58 780F6ECC4F55D76C9730E6B6C9B31913 1474048 ----a-w- C:\Windows\Sysnative\crypt32.dll
                  2013-11-14 17:09:45 8563BA40DF4F1E93A61B70E2C8B60CF8 190464 ----a-w- C:\Windows\Sysnative\SmartcardCredentialProvider.dll
                  2013-11-14 17:09:45 4403D5ECE7D8323CAF1207D1AA38FA01 197120 ----a-w- C:\Windows\Sysnative\credui.dll
                  2013-11-14 17:09:45 34152997FB906895290E0199AC94B85F 1930752 ----a-w- C:\Windows\Sysnative\authui.dll
                  2013-11-14 17:09:40 31FFED18C7B836CEC1B559347E32E151 340992 ----a-w- C:\Windows\Sysnative\schannel.dll
                  2013-11-14 17:09:39 B08EA91C774AA734E0B9881F85CD9F42 135680 ----a-w- C:\Windows\Sysnative\sspicli.dll
                  2013-11-14 17:09:39 7C46EC9CCDE6E793713FA01DB2EB918E 28672 ----a-w- C:\Windows\Sysnative\sspisrv.dll
                  2013-11-14 17:09:39 747B9BA5412422F27934CB21131F0A3E 307200 ----a-w- C:\Windows\Sysnative\ncrypt.dll
                  2013-11-14 17:09:39 4D71227301DD8D09097B9E4CC6527E5A 30720 ----a-w- C:\Windows\Sysnative\lsass.exe
                  2013-11-14 17:09:39 208EAAFF40DA400190AA0605C797BEA2 28160 ----a-w- C:\Windows\Sysnative\secur32.dll
                  2013-11-14 17:09:39 086F906B1D30C0A5D35FE0F6362DAB21 1447936 ----a-w- C:\Windows\Sysnative\lsasrv.dll
                  2013-11-14 17:09:38 56325BB1FF19F2A5AC8713756AC41140 404480 ----a-w- C:\Windows\Sysnative\gdi32.dll
                  2013-11-14 17:09:37 344789398EC3EE5A4E00C52B31847946 859648 ----a-w- C:\Windows\Sysnative\IKEEXT.DLL
                  2013-11-14 17:09:36 D07EB640618F96490DB88C3CE58DB608 324096 ----a-w- C:\Windows\Sysnative\FWPUCLNT.DLL
                  2013-11-14 17:09:36 660C06F663F27760F565FD567B57625C 830464 ----a-w- C:\Windows\Sysnative\nshwfp.dll
                  ====== C:\Windows\Sysnative\drivers =====
                  2013-11-14 17:09:47 79059559E89D06E8B80CE2944BE20228 497152 ----a-w- C:\Windows\Sysnative\drivers\afd.sys
                  2013-11-14 17:09:40 8F489706472F7E9A06BAAA198703FA64 95680 ----a-w- C:\Windows\Sysnative\drivers\ksecdd.sys
                  2013-11-14 17:09:39 EBF28856F69CF094A902F884CF989706 458712 ----a-w- C:\Windows\Sysnative\drivers\cng.sys
                  2013-11-14 17:09:39 868A2CAAB12EFC7A021682BCA0EEC54C 154560 ----a-w- C:\Windows\Sysnative\drivers\ksecpkg.sys
                  ====== C:\Windows\Tasks ======
                  ====== C:\Windows\Temp ======
                  ======= C:\Program Files =====
                  ======= C:\PROGRA~2 =====
                  ======= C: =====
                  ====== C:\Users\wdellink\AppData\Roaming ======
                  ====== C:\Users\wdellink ======
                  2013-11-17 14:54:45 60BF4AE8CC40B0E3E28613657ED2EED8 377856 ----a-w- C:\Users\wdellink\Downloads\tonuuimm.exe
                  2013-11-17 14:53:22 8B968045D75783A09592C3105F2865DA 688992 ------r- C:\Users\wdellink\Downloads\dds.com
                  2013-11-17 14:53:13 D41D8CD98F00B204E9800998ECF8427E 0 ----a-w- C:\Users\wdellink\defogger_reenable
                  2013-11-17 14:53:05 9146F21288AB749C4C729343F5F285A1 50477 ----a-w- C:\Users\wdellink\Downloads\Defogger.exe

                  ====== C: exe-files ==
                  2013-11-17 14:54:45 60BF4AE8CC40B0E3E28613657ED2EED8 377856 ----a-w- C:\Users\wdellink\Downloads\tonuuimm.exe
                  2013-11-17 14:53:05 9146F21288AB749C4C729343F5F285A1 50477 ----a-w- C:\Users\wdellink\Downloads\Defogger.exe
                  2013-11-15 12:31:30 E714A26715478EAC94DEB4514BF68EA2 35300192 ----a-w- C:\Program Files (x86)\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\31.0.1650.57\31.0.1650.57_chrome_installer.exe
                  === C: other files ==
                  2013-11-17 14:53:22 8B968045D75783A09592C3105F2865DA 688992 ------r- C:\Users\wdellink\Downloads\dds.com

                  ==== Folders in C:\ProgramData 0-6 Months Old ======================

                  No folders found aged 0-6 months

                  ==== Firefox Extensions Registry ======================

                  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
                  "[email protected]"="C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [19-01-2012 18:20]
                  [HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
                  "[email protected]"="C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [19-01-2012 18:20]

                  ==== Chrome Look ======================

                  avast Online Security - wdellink - Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
                  Google Wallet - wdellink - Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
                  Google Docs - C:\Windows\sysWoW64\config\systemprofile - Default\Extensions\aohghmighlieiainnegkcijnfilokake
                  Google Drive - C:\Windows\sysWoW64\config\systemprofile - Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
                  YouTube - C:\Windows\sysWoW64\config\systemprofile - Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
                  Google Search - C:\Windows\sysWoW64\config\systemprofile - Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
                  Chrome In-App Payments service - C:\Windows\sysWoW64\config\systemprofile - Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
                  Gmail - C:\Windows\sysWoW64\config\systemprofile - Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

                  ==== Set IE to Default ======================

                  Old Values:
                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
                  "Start Page"="http://www.startpagina.nl/"

                  New Values:
                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
                  "Start Page"="http://www.startpagina.nl/"

                  ==== All HKCU SearchScopes ======================

                  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
                  "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
                  {0633EE93-D776-472f-A0FF-E1416B8B2E3A} Unknown Url="Not_Found"
                  {6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"

                  ==== Deleting CLSID Registry Keys ======================

                  HKEY_USERS\S-1-5-21-2796179789-2381606202-1169918839-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully

                  ==== Deleting CLSID Registry Values ======================


                  ==== Empty IE Cache ======================

                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Users\wdellink\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Users\wdellink\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
                  C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
                  C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

                  ==== Empty FireFox Cache ======================

                  No FireFox Profiles found

                  ==== Empty Chrome Cache ======================

                  C:\Users\wdellink\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
                  C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

                  ==== Empty All Flash Cache ======================

                  Flash Cache Emptied Successfully

                  ==== Empty All Java Cache ======================

                  Java Cache cleared successfully

                  ==== After Reboot ======================

                  ==== Empty Temp Folders ======================

                  C:\Windows\Temp successfully emptied
                  C:\Users\wdellink\AppData\Local\Temp successfully emptied

                  ==== Empty Recycle Bin ======================

                  C:\$RECYCLE.BIN successfully emptied

                  ==== EOF on vr 22-11-2013 at 11:20:52,66 ======================



                  • #10
                    Nice. Please let me know how things are going now.

                    Starting Windows 10 in Safe Mode



                    • #11
                      It's my parents' computer; they discovered it by running the virus scan, nothing else really, it didn't give an error message anywhere or anything like that.

                      So maybe it's fine now? Has the trj been removed?
                      Or should I run another scan to check?



                      • #12
                        Let's give it a good clean-up.


                        Download zhpdiag.exe from this website: http://en.kioskea.net/download/download-23176-zhpdiag
                        1. XP users: double-click zhpdiag.exe to install it.
                          For Windows Vista and higher: right-click zhpdiag.exe and choose "Run as administrator".
                        2. Click "Suivant" several times to go through the installation process.
                        3. Click "Installer" when prompted and "Terminer" when the installation is complete.
                        4. Two icons have now appeared on your desktop: ZHPDiag and ZHPFix.
                        5. Now double-click the shortcut named ZHPDiag.
                        6. The start window appears; now click "Configure".
                        7. If the language is not set to Dutch, click the house icon at the bottom right, "Sélectionner une langue", and choose "Néerlandais".
                        8. Then click the middle icon at the bottom left (a magnifying glass with a + symbol), "Diagnostic options".
                        9. A scan of your system is now made; wait patiently until it is complete.
                        10. Afterwards a text file named ZHPDiag.txt is on your desktop; post it in your next message.

                        Windows 10 opstarten in Veilige Modus


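The scan requested above reports the autostart locations, scheduled tasks, proxy settings, hosts file and browser search settings of the machine. As an added example (not from this thread and not ZHPDiag's own code), the PowerShell script below re-checks those same locations by hand and flags autostart entries whose target file no longer exists, the case ZHPDiag prints as "(.not file.)", which is what an uninstalled toolbar's updater left behind in a Run key looks like. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7 and the standard Windows paths; the function names and the Location/Name/Command/Target/Exists property names are my own labels, not ZHPDiag's.

```powershell
# Added example: not from this thread and not ZHPDiag's own code. It re-checks
# the locations a ZHPDiag report covers (O4 Run keys, O39 scheduled tasks,
# R5 proxy settings, O1 hosts file, G1 Chrome search preference) and flags
# autostart entries whose target file is gone, the case ZHPDiag prints as
# "(.not file.)". Assumptions: elevated PowerShell 2.0+ on Windows 7, and the
# standard Windows paths below (none are taken from the posted log).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutableFromCommand {
    # Returns the program path of a command line: a quoted first token wins,
    # otherwise the text up to the first known executable extension.
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) {
        $close = $c.IndexOf('"', 1)
        if ($close -gt 1) { return $c.Substring(1, $close - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Get-RunKeyEntries {
    # One object per value in the Run/RunOnce keys, 32- and 64-bit views.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            New-Object PSObject -Property @{
                Location = $key; Name = $prop.Name; Command = [string]$prop.Value
            }
        }
    }
}

function Get-TaskExecEntries {
    # Reads the task XML files directly, which works on Windows 7 without the
    # ScheduledTasks module; local-name() sidesteps the task XML namespace.
    $taskRoot = Join-Path $env:windir 'System32\Tasks'
    Get-ChildItem -Path $taskRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try { [xml]$xml = Get-Content -Path $file.FullName -ErrorAction Stop } catch { return }
            foreach ($cmd in $xml.SelectNodes("//*[local-name()='Exec']/*[local-name()='Command']")) {
                New-Object PSObject -Property @{
                    Location = 'Task' + $file.FullName.Substring($taskRoot.Length)
                    Name = $file.Name; Command = $cmd.InnerText
                }
            }
        }
}

function Test-AutostartEntries {
    # Adds Target and Exists to every entry; Exists = $false marks an orphan.
    (@(Get-RunKeyEntries) + @(Get-TaskExecEntries)) | ForEach-Object {
        $exe = Get-ExecutableFromCommand $_.Command
        $exists = $false
        if ($exe) {
            # A bare name such as "notepad.exe" is resolved through PATH.
            $exists = (Test-Path -LiteralPath $exe) -or
                      ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
        }
        $_ | Add-Member -MemberType NoteProperty -Name Target -Value $exe -PassThru |
             Add-Member -MemberType NoteProperty -Name Exists -Value $exists -PassThru
    }
}

function Get-ProxySettings {
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $k | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-HostsEntries {
    # Active (non-comment) lines; a clean file prints nothing or only localhost.
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-ChromeSearchHits {
    # Crude counterpart of ZHPDiag's G1 line: look for an Ask search provider.
    $pref = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
    if (Test-Path -LiteralPath $pref) {
        (Select-String -Path $pref -Pattern 'websearch\.ask\.com' -AllMatches).Matches |
            ForEach-Object { $_.Value }
    }
}

Write-Host '== Autostart entries whose target is missing =='
Test-AutostartEntries | Where-Object { -not $_.Exists } | Format-Table Location, Name, Command -AutoSize -Wrap
Write-Host '== Proxy (HKCU) =='
Get-ProxySettings | Format-List
Write-Host '== Active hosts lines =='
Get-HostsEntries
Write-Host '== Chrome Preferences hits =='
Get-ChromeSearchHits
```

An entry with Exists = $false only tells you the file is gone, not that it was malicious; a leftover from an uninstalled toolbar is the usual cause, and the fix is to delete the stale value or task rather than to reinstall anything. The script reads the task XML files instead of calling Get-ScheduledTask because that cmdlet is not available on Windows 7, and it needs an elevated prompt to list the Tasks folder.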

                        • #13
                          ~ ZHPDiag report v2013.11.22.46 - Nicolas Coolman (22-11-2013)
                          ~ Launched by wdellink (23-11-2013 15:37:19)
                          ~ Website address : http://nicolascoolman.webs.com
                          ~ Free disinfection support forum : http://nicolascoolman.webs.com/apps/links/
                          ~ Translated by the user
                          ~ Version status :
                          ~ White list : Enabled by the program
                          ~ Privilege elevation : OK
                          ~ User Account Control (UAC) : Activate by user


                          ---\\ Internet browsers
                          MSIE: Internet Explorer v10.0.9200.16736 (Default)
                          GCIE: Google Chrome v31.0.1650.57

                          ---\\ Windows product information
                          ~ Language: Dutch
                          Windows 7 Home Premium Edition, 64-bit Service Pack 1 (Build 7601)
                          Windows Server License Manager Script : OK
                          Software Protection Service (Protection logicielle) : OK
                          Windows Automatic Updates : OK
                          Windows Activation Technologies : OK

                          ---\\ Security software
                          avast! Free Antivirus v8.0.1497.0
                          Malwarebytes Anti-Malware version 1.75.0.1300
                          Windows Defender W7

                          ---\\ System optimisation software
                          CCleaner v4.04 =>Piriform Ltd

                          ---\\ Peer-to-peer file sharing software

                          ---\\ Software requiring extra attention
                          Adobe Flash Player 11 ActiveX
                          Adobe Reader 9.5.5 MUI
                          Java 7 Update 45

                          ---\\ System information
                          ~ Processor: Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
                          ~ Operating System: 64 Bits
                          Boot mode: Normal (Normal boot)
                          Total RAM: 6126 MB (73% free)
                          System Restore: Activé (Enable)
                          System drive C: has 386 GB (84%) free of 457 GB

                          ---\\ System logon mode
                          ~ Computer Name: WDELLINK-PC
                          ~ User Name: wdellink
                          ~ All Users Names: wdellink, UpdatusUser, HomeGroupUser$, Gast, Administrator,
                          ~ Unselected Option: None
                          Logged in as Administrator

                          ---\\ Environment variables
                          ~ System Unit : C:\
                          ~ %AppZHP% : C:\Users\wdellink\AppData\Roaming\ZHP\
                          ~ %AppData% : C:\Users\wdellink\AppData\Roaming\
                          ~ %Desktop% : C:\Users\wdellink\Desktop\
                          ~ %Favorites% : C:\Users\wdellink\Favorites\
                          ~ %LocalAppData% : C:\Users\wdellink\AppData\Local\
                          ~ %StartMenu% : C:\Users\wdellink\AppData\Roaming\Microsoft\Windows\Start Menu\
                          ~ %Windir% : C:\Windows\
                          ~ %System% : C:\Windows\System32\

                          ---\\ Overview of fixed and removable drives
                          C: Hard drive, Flash drive, Thumb drive (Free 386 Go of 457 Go)
                          D: Hard drive, Flash drive, Thumb drive (Free 456 Go of 457 Go)
                          E: CD-ROM drive (Not Inserted)
                          G: Floppy drive, Flash card reader, USB Key (Not Inserted)
                          H: Floppy drive, Flash card reader, USB Key (Not Inserted)



                          ---\\ State of the Windows Security Center
                          ~ Security Center: 49 Legitimates Filtered in 00mn 00s



                          ---\\ Search for certain generic files
                          [MD5.332FEAB1435662FC6C672E25BEB37BE3] - (.Microsoft Corporation - Windows Verkenner.) (.25-2-2011 - 7:19:30.) -- C:\Windows\Explorer.exe [2871808]
                          [MD5.94355C28C1970635A31B3FE52EB7CEBA] - (.Microsoft Corporation - Windows Toepassing Opstarten.) (.14-7-2009 - 2:39:52.) -- C:\Windows\System32\Wininit.exe [129024]
                          [MD5.9706C99DAEBE3FEAC811B239617E98C4] - (.Microsoft Corporation - Internetuitbreidingen voor Win32.) (.12-10-2013 - 9:45:20.) -- C:\Windows\System32\wininet.dll [2241536]
                          [MD5.1151B1BAA6F350B1DB6598E0FEA7C457] - (.Microsoft Corporation - Toepassing Windows-aanmelden.) (.20-11-2010 - 14:25:30.) -- C:\Windows\System32\Winlogon.exe [390656]
                          [MD5.067FA52BFB59A56110A12312EF9AF243] - (.Microsoft Corporation - Software Licensing-bibliotheek.) (.20-11-2010 - 14:27:26.) -- C:\Windows\System32\sppcomapi.dll [232448]
                          [MD5.79059559E89D06E8B80CE2944BE20228] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.28-9-2013 - 2:09:10.) -- C:\Windows\system32\Drivers\AFD.sys [497152]
                          [MD5.02062C0B390B7729EDC9E69C680A6F3C] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.14-7-2009 - 2:52:21.) -- C:\Windows\system32\Drivers\atapi.sys [24128]
                          [MD5.B8BD2BB284668C84865658C77574381A] - (.Microsoft Corporation - CD-ROM File System Driver.) (.14-7-2009 - 0:19:47.) -- C:\Windows\system32\Drivers\Cdfs.sys [92160]
                          [MD5.F036CE71586E93D94DAB220D7BDF4416] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.20-11-2010 - 10:19:21.) -- C:\Windows\system32\Drivers\Cdrom.sys [147456]
                          [MD5.9BB2EF44EAA163B29C4A4587887A0FE4] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.20-11-2010 - 10:26:32.) -- C:\Windows\system32\Drivers\DfsC.sys [102400]
                          [MD5.97BFED39B6B79EB12CDDBFEED51F56BB] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.20-11-2010 - 11:43:43.) -- C:\Windows\system32\Drivers\HDAudBus.sys [122368]
                          [MD5.FA55C73D4AFFA7EE23AC4BE53B4592D3] - (.Microsoft Corporation - i8042-poortstuurprogramma.) (.14-7-2009 - 0:19:57.) -- C:\Windows\system32\Drivers\i8042prt.sys [105472]
                          [MD5.AF9B39A7E7B6CAA203B3862582E9F2D0] - (.Microsoft Corporation - IP Network Address Translator.) (.14-7-2009 - 1:10:03.) -- C:\Windows\system32\Drivers\IpNat.sys [116224]
                          [MD5.A5D9106A73DC88564C825D317CAC68AC] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.27-4-2011 - 3:40:40.) -- C:\Windows\system32\Drivers\MRxSmb.sys [158208]
                          [MD5.09594D1089C523423B32A4229263F068] - (.Microsoft Corporation - MBT Transport driver.) (.20-11-2010 - 10:23:20.) -- C:\Windows\system32\Drivers\netBT.sys [261632]
                          [MD5.B98F8C6E31CD07B2E6F71F7F648E38C0] - (.Microsoft Corporation - NT-bestandssysteemstuurprogramma.) (.12-4-2013 - 15:45:08.) -- C:\Windows\system32\Drivers\ntfs.sys [1656680]
                          [MD5.0086431C29C35BE1DBC43F52CC273887] - (.Microsoft Corporation - Stuurprogramma voor parallelle poort.) (.14-7-2009 - 1:00:41.) -- C:\Windows\system32\Drivers\Parport.sys [97280]
                          [MD5.471815800AE33E6F1C32FB1B97C490CA] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.20-11-2010 - 11:52:35.) -- C:\Windows\system32\Drivers\Rasl2tp.sys [129536]
                          [MD5.548260A7B8654E024DC30BF8A7C5BAA4] - (.Microsoft Corporation - SMB Transport driver.) (.14-7-2009 - 1:09:09.) -- C:\Windows\system32\Drivers\smb.sys [93184]
                          [MD5.DDAD5A7AB24D8B65F8D724F5C20FD806] - (.Microsoft Corporation - TDI Translation Driver.) (.20-11-2010 - 10:21:56.) -- C:\Windows\system32\Drivers\tdx.sys [119296]
                          [MD5.0D08D2F3B3FF84E433346669B5E0F639] - (.Microsoft Corporation - Volume Shadow Copy-stuurprogramma.) (.20-11-2010 - 14:34:02.) -- C:\Windows\system32\Drivers\volsnap.sys [295808]
                          ~ Generic Processes: Scanned in 00mn 01s



                          ---\\ Status of hidden files (hidden/total)
                          ~ Mes images (My Pictures) : 2/3409
                          ~ Mes musiques (My Musics) : 1/31
                          ~ Mes Favoris (My Favorites) : 1/30
                          ~ Mes Documents (My Documents) : 2/563
                          ~ Mon Bureau (My Desktop) : 1/11
                          ~ Menu demarrer (Programs) : 1/23
                          ~ Hidden Files: Scanned in 00mn 03s



                          ---\\ Running processes
                          [MD5.77521A9A82A4F8BA1B50ECDB4AAB407B] - (.CyberLink Corp. - Acer Arcade Deluxe Resident Program.) -- C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe [361768] [PID.3660]
                          [MD5.0D6972A795995F07B6D78CA7724744FB] - (.Egis Technology Inc. - MyWinLocker.) -- C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552] [PID.3764]
                          [MD5.9AF1C70202FB6A84F177D497D75BC5FC] - (.TomTom - System Tray application for TomTom HOME.) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [247728] [PID.3780]
                          [MD5.B54921381A950C8215FB363B485C432B] - (.Hewlett-Packard Co. - HP Digital Imaging Monitor.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [270336] [PID.3836]
                          [MD5.C0B97E53A0E39A48EEA2DCD500EEA07A] - (.Intel Corporation - IAStorIcon.) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160] [PID.4080]
                          [MD5.0ADF079D36B2C25E6E9BECE1BD937ACE] - (.Egis Technology Inc. - PMM Update Application.) -- C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920] [PID.3564]
                          [MD5.F4F7C86191A981C804326E2EF6F3604F] - (.Adobe Systems Incorporated - Adobe Acrobat SpeedLauncher.) -- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe [41056] [PID.3604]
                          [MD5.4DE65D85EDA92323AFD72C7B149BF38C] - (.CyberLink Corp. - Arcade Movie Resident Program.) -- C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe [419112] [PID.1804]
                          [MD5.1C6C79E260175B8F94F46100597C1E91] - (.No owner - Hotkey Utility.) -- C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe [613480] [PID.3228]
                          [MD5.CBC7D8E5416AD30CF16DC2FD4A6AA399] - (.AVAST Software - avast! Antivirus.) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe [4858968] [PID.3620]
                          [MD5.C637FC4638A96165256B28D38DE7B953] - (.Hewlett-Packard - hpwuSchd Application.) -- C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe [49208] [PID.3048]
                          [MD5.5B6E8E09BE6401A7E022F52FDFCB2FF8] - (.Oracle Corporation - Java(TM) Update Scheduler.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336] [PID.3224]
                          [MD5.F255E48EA981E943A14CF16269F3F3AF] - (.Egis Technology Inc. - EgisUpdate Release Application.) -- C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201584] [PID.3792]
                          [MD5.636D97B3BAF854511FF3F4093E895FED] - (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [863184] [PID.4872]
                          [MD5.06BC146E6C2E881A7235A142BA877B82] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files (x86)\ZHPDiag\ZHPDiag.exe [8262144] [PID.5320]
                          [MD5.5A19667A580B1CE886EAF968B9743F45] - (.NVIDIA Corporation - Stereo Vision Control Panel API Server.) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [383264] [PID.952]
                          [MD5.9330941C8F6DF417F6DBBE998DB6687E] - (.AVAST Software - avast! Service.) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808] [PID.1308]
                          [MD5.0191DEE9B9EB7902AF2CF4F67301095D] - (.Acer Incorporated - Global Registration Service.) -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [23584] [PID.1772]
                          [MD5.33966A658FF37E0C65D46E59F37E2380] - (.TeamViewer GmbH - TeamViewer Remote Control Application.) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2984832] [PID.2188]
                          [MD5.39BD95A9FE72AAF5C675AD146BE456A9] - (.TomTom - Windows Service for TomTom HOME.) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592] [PID.2336]
                          [MD5.F9EC9ACD504D823D9B9CA98A4F8D3CA2] - (.Acer Group - Updater Service.) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe [243232] [PID.2380]
                          [MD5.B25F192EA1F84A316EB7C19EFCCCF33D] - (.Intel Corporation - IAStorDataSvc.) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [13336] [PID.4840]
                          [MD5.926EBA26A8B49D1597751CED06B50862] - (.Intel Corporation - Local Manageability Service.) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [325656] [PID.4036]
                          [MD5.FDF92EC84FECEE834FB10A2A0A19BCDA] - (.Intel Corporation - User Notification Service.) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2655768] [PID.4580]
                          ~ Processes Running: Scanned in 00mn 00s



                          ---\\ Google Chrome, start, search, extensions (G0, G1, G2)
                          C:\Users\wdellink\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          G1 - GCS: Preference [User Data\Default] http://websearch.ask.com =>Toolbar.Ask
                          G2 - GCE: Preference [User Data\Default] [gfdkimpbcpahaombhbimeihdjnejgicl] Feedback v.1.0 (Activé)
                          ~ Google Browser: 11 Legitimates Filtered in 00mn 05s



                          ---\\ Internet Explorer, start, search, URLSearchHook, phishing (R0, R1, R3, R4)
                          R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl
                          ~ IE Browser: 19 Legitimates Filtered in 00mn 00s



                          ---\\ Internet Explorer, proxy management (R5)
                          R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
                          R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
                          R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
                          R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
                          R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
                          ~ Proxy management: Scanned in 00mn 00s



                          ---\\ Analysis of lines F0, F1, F2, F3 - IniFiles, autoloading programs
                          F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
                          F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
                          F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
                          ~ Keys: Scanned in 00mn 00s



                          ---\\ Hosts file redirection (O1)
                          ~ Le fichier hosts est sain (The hosts file is clean).
                          ~ Hosts File: Scanned in 00mn 00s
                          ~ Nombre de lignes (Lines number): 1



                          ---\\ Internet Explorer toolbars (O3)
                          O3 - Toolbar: Google Toolbar [64Bits] - [HKLM]{2318C2B1-4965-11d4-9B18-009027A5CD4F} . (.Google Inc. - Google Toolbar.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll =>Toolbar.Google
                          ~ Toolbar: Scanned in 00mn 00s



                          ---\\ Other user shortcuts (O4)
                          O4 - GS\Desktop [Public]: SpywareBlaster.lnk . (...) -- C:\Program Files (x86)\SpywareBlaster\spywareblaster.exe
                          O4 - GS\Program [Public]: I.R.I.S. OCR-registratie.lnk . (.I.R.I.S. Image Recognition Integarted Syste - Registration Wizard.) -- C:\Program Files (x86)\HP\Digital Imaging\DocProc\regipe.exe
                          O4 - GS\QuickLaunch [wdellink]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                          O4 - GS\QuickLaunch [wdellink]: Launch Internet Explorer Browser.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          O4 - GS\TaskBar [wdellink]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                          O4 - GS\Program [wdellink]: Internet Explorer.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          O4 - GS\SystemTools [wdellink]: Internet Explorer (No Add-ons).lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          O4 - GS\Desktop [wdellink]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                          O4 - GS\QuickLaunch [UpdatusUser]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                          ~ Global Startup: 67 Legitimates Filtered in 00mn 01s



                          ---\\ Applications started by registry & file (O4)
                          O4 - GS\Startup [Public]: HP Digital Imaging Monitor.lnk . (.Hewlett-Packard Co. - HP Digital Imaging Monitor.) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe =>.Hewlett-Packard Co
                          O4 - HKLM\..\Run: [mwlDaemon] . (.Egis Technology Inc. - MyWinLocker.) -- C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
                          O4 - HKLM\..\Run: [RtHDVCpl] . (.Realtek Semiconductor - Realtek HD Audio configuratie.) -- C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                          O4 - HKCU\..\Run: [TomTomHOME.exe] . (.TomTom - System Tray application for TomTom HOME.) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
                          O4 - HKLM\..\Wow6432Node\Run: [IAStorIcon] . (.Intel Corporation - IAStorIcon.) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
                          O4 - HKLM\..\Wow6432Node\Run: [SuiteTray] . (.Egis Technology Inc. - SuiteTray.) -- C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
                          O4 - HKLM\..\Wow6432Node\Run: [EgisUpdate] . (.Egis Technology Inc. - EgisUpdate Release Application.) -- C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
                          O4 - HKLM\..\Wow6432Node\Run: [EgisTecPMMUpdate] . (.Egis Technology Inc. - PMM Update Application.) -- C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
                          O4 - HKLM\..\Wow6432Node\Run: [Adobe Reader Speed Launcher] . (.Adobe Systems Incorporated - Adobe Acrobat SpeedLauncher.) -- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
                          O4 - HKLM\..\Wow6432Node\Run: [MDS_Menu] . (.CyberLink Corp. - MUI StartMenu Application.) -- C:\Program Files (x86)\Acer Arcade Deluxe\MediaEspresso\MUITransfer\MUIStartMenu.exe
                          O4 - HKLM\..\Wow6432Node\Run: [ArcadeMovieService] . (.CyberLink Corp. - Arcade Movie Resident Program.) -- C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
                          O4 - HKLM\..\Wow6432Node\Run: [Hotkey Utility] . (.No owner - Hotkey Utility.) -- C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
                          O4 - HKLM\..\Wow6432Node\Run: [avast] . (.AVAST Software - avast! Antivirus.) -- C:\Program Files\AVAST Software\Avast\avastUI.exe
                          O4 - HKLM\..\Wow6432Node\Run: [Adobe ARM] . (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe =>.Adobe Systems Incorporated
                          O4 - HKLM\..\Wow6432Node\Run: [HP Software Update] . (.Hewlett-Packard - hpwuSchd Application.) -- C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe =>.Hewlett-Packard Co
                          O4 - HKLM\..\Wow6432Node\Run: [SunJavaUpdateSched] . (.Oracle Corporation - Java(TM) Update Scheduler.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe =>.Oracle Corporation
                          O4 - HKLM\..\Wow6432Node\Run: [ApnTBMon] C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe (.not file.)
                          O4 - HKUS\S-1-5-21-2796179789-2381606202-1169918839-1001\..\Run: [TomTomHOME.exe] . (.TomTom - System Tray application for TomTom HOME.) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
                          ~ Application: Scanned in 00mn 00s



                          ---\\ Buttons on the Internet Explorer "main tools" toolbar (O9)
                          O9 - Extra button: &Verzenden naar OneNote [64Bits] - {2670000A-7350-4f3c-8081-5663EE0C6C49} -- C:\Program Files (x86)\MICROS~2\Office14\ONBttnIE.dll (.not file.)
                          O9 - Extra button: &Gekoppelde notities van OneNote [64Bits] - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} -- C:\Program Files (x86)\MICROS~2\Office14\ONBTTN~1.dll (.not file.)
                          ~ IE Extra Buttons: Scanned in 00mn 00s



                          ---\\ DNS domain address change (O17)
                          O17 - HKLM\System\CCS\Services\Tcpip\..\{5F638E70-97FD-4814-8E1C-CFB47F1BC004}: DhcpNameServer = 192.168.0.1
                          O17 - HKLM\System\CCS\Services\Tcpip\..\{5F638E70-97FD-4814-8E1C-CFB47F1BC004}: DhcpDomain = sitecomwlr3100
                          O17 - HKLM\System\CS1\Services\Tcpip\..\{5F638E70-97FD-4814-8E1C-CFB47F1BC004}: DhcpNameServer = 192.168.0.1
                          O17 - HKLM\System\CS1\Services\Tcpip\..\{5F638E70-97FD-4814-8E1C-CFB47F1BC004}: DhcpDomain = sitecomwlr3100
                          O17 - HKLM\System\CS2\Services\Tcpip\..\{5F638E70-97FD-4814-8E1C-CFB47F1BC004}: DhcpNameServer = 192.168.0.1
                          O17 - HKLM\System\CS2\Services\Tcpip\..\{5F638E70-97FD-4814-8E1C-CFB47F1BC004}: DhcpDomain = sitecomwlr3100
                          O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
                          ~ Domain: Scanned in 00mn 00s



                          ---\\ Additional protocol (O18)
                          O18 - Handler: wlpg [64Bits] - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} . (...) --
                          O18 - Filter: text/xml [64Bits] - {807573E5-5146-11D5-A672-00B0D022E945} . (.Microsoft Corporation - Microsoft Office XML MIME Filter.) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.dll =>.Microsoft Corporation
                          ~ Protocole Additionnel: Scanned in 00mn 00s



                          ---\\ Tasks scheduled in automatic mode (O39)
                          [MD5.00000000000000000000000000000000] [APT] [{F071210E-30D5-4468-9FC3-A57C60425720}] (...) -- C:\Users\wdellink\Documents\programma's majo\ie6setupOe.exe (.not file.) [0]
                          ~ Scheduled Task: 17 Legitimates Filtered in 00mn 10s



                          ---\\ Installed software (O42)
                          O42 - Logiciel: Aangifte inkomstenbelasting 2012 - (.Belastingdienst.) [HKLM][64Bits] -- Aangifte inkomstenbelasting 2012
                          O42 - Logiciel: Ask Toolbar - (.APN, LLC.) [HKLM][64Bits] -- {4F524A2D-5637-006A-76A7-A758B70C0600} =>Toolbar.Ask
                          ~ Logic: 115 Legitimates Filtered in 00mn 00s



                          ---\\ HKCU & HKLM Software Keys
                          [HKCU\Software\AskPartnerNetwork]
                          [HKLM\Software\AskPartnerNetwork]
                          [HKLM\Software\Wow6432Node\AskPartnerNetwork]
                          ~ Key Software: 166 Legitimates Filtered in 00mn 00s



                          ---\\ Contents of the Programs, ProgramFiles, ProgramData, AppData folders (O43)
                          O43 - CFD: 12-3-2013 - 20:18:29 - [8,518] ----D C:\Program Files (x86)\Belastingdienst
                          O43 - CFD: 12-3-2013 - 22:05:04 - [0] ----D C:\Users\wdellink\AppData\Roaming\Belastingdienst
                          O43 - CFD: 17-2-2012 - 19:42:04 - [0,001] ----D C:\Users\wdellink\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MMI Products
                          ~ Program Folder: 136 Legitimates Filtered in 00mn 45s



                          ---\\ Most recent files modified or created in Windows and System32 (O44)
                          O44 - LFC:[MD5.02940D6C7722E91342A32CFF5C60F4E4] - 22-11-2013 - 11:19:11 ---A- . (...) -- C:\Windows\zoek-delete.exe [24064]
                          O44 - LFC:[MD5.EC634E5367BF5A5BA2DD0DD27E275D78] - 22-11-2013 - 11:20:52 ---A- . (...) -- C:\zoek-results.log [16594]
                          ~ Files: 86 Legitimates Filtered in 00mn 07s



                          ---\\ Last files created in the Windows Prefetcher (O45)
                          O45 - LFCP:[MD5.6D3C3D37C47BD06AB21268F2BF2263EF] - 17-11-2013 - 15:48:00 ---A- - C:\Windows\Prefetch\SUITETRAY.EXE-42757614.pf
                          O45 - LFCP:[MD5.4DA1984D4563A5AE5A5158398D2F9119] - 22-11-2013 - 10:57:13 ---A- - C:\Windows\Prefetch\ARCADEMOVIESERVICE.EXE-A8FA7CD9.pf
                          ~ Prefetcher: 119 Legitimates Filtered in 00mn 00s



                          ---\\ Enumeration of the PoliciesSystem registry keys (MWPS) (O55)
                          O55 - MWPS:[HKLM\...\Policies\System] - "EnableUIADesktopToggle"=0
                          O55 - MWPS:[HKLM\...\Policies\System] - "FilterAdministratorToken"=0
                          ~ MWPS: 16 Legitimates Filtered in 00mn 00s



                          ---\\ Driver overview (SDL) (O58)
                          O58 - SDL:[MD5.286193DC28CFB4CEB8D378E20A0850A9] - 30-8-2013 - 8:48:10 ---A- . (...) -- C:\Windows\System32\Drivers\aswRvrt.sys [65336]
                          ~ Drivers: 16 Legitimates Filtered in 00mn 00s



                          ---\\ Most recent files modified or created (user) (O61)
                          O61 - LFC: 22-11-2013 - 15:38:53 ---A- . (...) -- C:\Users\wdellink\AppData\Local\Google\Chrome\User Data\Certificate Revocation Lists [266033]
                          O61 - LFC: 22-11-2013 - 15:39:00 ---A- . (...) -- C:\Users\wdellink\Downloads\zoek (1).zip [4044244]
                          O61 - LFC: 22-11-2013 - 15:39:00 ---A- . (...) -- C:\Users\wdellink\Downloads\zoek.rar [4182609]
                          O61 - LFC: 22-11-2013 - 15:39:00 ---A- . (...) -- C:\Users\wdellink\Downloads\zoek.zip [4044244]
                          O61 - LFC: 23-11-2013 - 15:38:53 ---A- . (...) -- C:\Users\wdellink\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt [4]
                          O61 - LFC: 23-11-2013 - 15:38:54 ---A- . (...) -- C:\Users\wdellink\AppData\Local\Google\Chrome\User Data\Local State [56401]
                          O61 - LFC: 23-11-2013 - 15:39:00 ---A- . (...) -- C:\Users\wdellink\AppData\Roaming\ZHP\Log.txt [18861] =>.Nicolas Coolman
                          O61 - LFC: 23-11-2013 - 15:39:00 ---A- . (...) -- C:\Users\wdellink\AppData\Roaming\ZHP\TestsZHPDiag.txt [2939] =>.Nicolas Coolman
                          ~ 2 Fichiers temporaires (Temporary files)
                          ~ Files: 70 Legitimates Filtered in 00mn 08s



                          ---\\ List of cleaning tools (CLAB) (O63)
                          O63 - Logiciel: ZHPDiag 2013 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1 =>.Nicolas Coolman
                          ~ ADS: Scanned in 00mn 00s



                          ---\\ Overview of LEGACY services (LALS) (O64)
                          O64 - Services: CurCS - 10-6-2009 - C:\Windows\System32\Drivers\secdrv.sys (secdrv) .(.Macrovision Corporation, Macrovision Europe - Macrovision SECURITY Driver.) - LEGACY_SECDRV
                          ~ Legacy: 123 Legitimates Filtered in 00mn 00s



                          ---\\ File associations possibly modified (O67)
                          O67 - Shell Spawning: <.html> <ChromeHTML>[HKCU\..\open\Command] (.Not Key.)
                          ~ FASS Keys: 11 Legitimates Filtered in 00mn 00s



                          ---\\ Start Menu Internet (SMI) (O68)
                          O68 - StartMenuInternet: <Google Chrome> <Google Chrome>[HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                          O68 - StartMenuInternet: <IEXPLORE.EXE> <Internet Explorer>[HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
                          ~ Keys: Scanned in 00mn 00s



                          ---\\ Search for infections in internet browsers (SBI) (O69)
                          O69 - SBI: SearchScopes [HKCU] {6A1806CD-94D4-4689-BA73-E35EA1EA9990} [DefaultScope] - (Google) - http://www.google.com
                          ~ Keys: Scanned in 00mn 00s



                          ---\\ Specific search in the system root folder (SPRF) (O84)
                          [MD5.7F76465E46BAC41BB9FA0388AA501A40] [SPRF][22-11-2013] (...) -- C:\Users\wdellink\Desktop\zoek.com [1397113]
                          [MD5.254EBC33BEA62A9AB96F3DDE2BF79CB0] [SPRF][22-11-2013] (...) -- C:\Users\wdellink\Desktop\zoek.exe [1269760]
                          ~ Files: 2 Legitimates Filtered in 00mn 01s



                          ---\\ Overview of software product codes (PUC) (O90)
                          O90 - PUC: "D2A425F47365A600677A7A857BC06000" . (.Ask Toolbar.) -- C:\Windows\Installer\{4F524A2D-5637-006A-76A7-A758B70C0600}\ToolbarIcon.exe =>Toolbar.Ask
                          ~ Update Products: 129 Legitimates Filtered in 00mn 00s



                          ---\\ Microsoft Installer files (WIS) (NTFS) (O93)
                          [MD5.EAAA28A8BCCD0BD18EA34746B72CBBE3] [WIS][16-10-2013] (.APN, LLC - Ask Toolbar.) -- C:\Windows\Installer\1526d.msi [464896] =>Toolbar.Ask
                          [MD5.B30273F8BC9043B004778D133ADC7655] [WIS][21-9-2013] (.Google Inc. - Google Toolbar for Internet Explorer.) -- C:\Windows\Installer\23916.msi [28672] =>Toolbar.Google
                          [MD5.7AE5FF598B22E4F65558BAF73107FA7E] [WIS][14-5-2009] (.Builds the Destinations MSI - Builds the Destinations MSI.) -- C:\Windows\Installer\2c7125.msi [459264]
                          ~ WIS: 131 Legitimates Filtered in 00mn 14s



                          ---\\ General state of non-Microsoft services (GSR) (SR = Running, SS = Stopped)
                          SS - | Demand 9-10-2013 257416 | (AdobeFlashPlayerUpdateSvc) . (.Adobe Systems Incorporated.) - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
                          SR - | Auto 30-8-2013 46808 | (avast! Antivirus) . (.AVAST Software.) - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
                          SR - | Auto 8-1-2010 23584 | (GREGService) . (.Acer Incorporated.) - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
                          SS - | Auto 10-6-2011 136176 | (gupdate) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                          SS - | Demand 10-6-2011 136176 | (gupdatem) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                          SS - | Demand 25-10-2012 194032 | (gusvc) . (.Google.) - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
                          SR - | Demand 14-7-2009 27136 | C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll (hpqcxs08) . (.Hewlett-Packard Co..) - C:\Windows\System32\svchost.exe
                          SR - | Auto 14-7-2009 27136 | C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll (hpqddsvc) . (.Hewlett-Packard Co..) - C:\Windows\System32\svchost.exe
                          SR - | Auto 14-7-2009 27136 | C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.dll (HPSLPSVC) . (.Hewlett-Packard Co..) - C:\Windows\System32\svchost.exe
                          SR - | Auto 14-9-2010 13336 | (IAStorDataMgrSvc) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
                          SR - | Auto 5-10-2010 325656 | (LMS) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
                          SS - | Demand 27-5-2010 305520 | (MWLService) . (.Egis Technology Inc..) - C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
                          SS - | Demand 15-1-2010 935208 | (Nero BackItUp Scheduler 4.0) . (.Nero AG.) - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
                          SR - | Auto 14-7-2009 27136 | C:\Windows\system32\HPZinw12.dll (Net Driver HPZ12) . (.Hewlett-Packard.) - C:\Windows\System32\svchost.exe
                          SR - | Auto 18-1-2013 884512 | (NVSvc) . (.NVIDIA Corporation.) - C:\Windows\system32\nvvsvc.exe
                          SS - | Auto 25-2-2013 1260320 | (nvUpdatusService) . (.NVIDIA Corporation.) - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
                          SR - | Auto 14-7-2009 27136 | C:\Windows\system32\HPZipm12.dll (Pml Driver HPZ12) . (.Hewlett-Packard.) - C:\Windows\System32\svchost.exe
                          SR - | Auto 18-1-2013 383264 | (Stereo Service) . (.NVIDIA Corporation.) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
                          SR - | Auto 14-12-2011 2984832 | (TeamViewer7) . (.TeamViewer GmbH.) - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
                          SR - | Auto 9-3-2011 92592 | (TomTomHOMEService) . (.TomTom.) - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
                          SR - | Auto 5-10-2010 2655768 | (UNS) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
                          SR - | Auto 29-1-2010 243232 | (Updater Service) . (.Acer Group.) - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
                          SR - | Auto 14-7-2009 27136 | C:\Program Files (x86)\Windows Defender\mpsvc.dll (WinDefend) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
                          SR - | Auto 10-7-1658 0 | (WMPNetworkSvc) . (...) - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe =>.Microsoft Corporation
                          SR - | Auto 14-7-2009 27136 | C:\Windows\System32\wuaueng.dll (wuauserv) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
                          ~ Services: Scanned in 00mn 15s



                          ---\\ Master Boot Record check (MBR) (O80)
                          Run by wdellink at 23-11-2013 15:39:43
                          ~ OS 64 not supported by MBR tool
                          ~ MBR: 0 Legitimates Filtered in 00mn 00s



                          ---\\ Check the Master Boot Record for infections (MBRCheck) (O80)
                          Written by ad13, http://ad13.geekstog
                          Run by wdellink at 23-11-2013 15:39:45

                          ********* Dump file Name *********
                          C:\PhysicalDisk0_MBR.bin
                          ~ MBR: Scanned in 00mn 02s



                          ---\\ Additional scan (O88)
                          Database Version : 12996 - (22-11-2013)
                          Keys found : 20
                          Values found : 1
                          Folders found : 0
                          Files found : 2

                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4F524A2D-5637-006A-76A7-A758B70C0600}] =>Toolbar.Ask^
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF] =>Toolbar.Ask
                          [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E] =>Toolbar.Ask
                          [HKCU\Software\AskPartnerNetwork] =>Toolbar.Ask
                          [HKLM\Software\AskPartnerNetwork] =>Toolbar.Ask
                          [HKLM\Software\Wow6432Node\AskPartnerNetwork] =>Toolbar.Ask
                          [HKLM\Software\Wow6432Node\Microsoft\Tracing\apnstub_RASAPI32] =>Toolbar.Ask
                          [HKLM\Software\Wow6432Node\Microsoft\Tracing\apnstub_RASMANCS] =>Toolbar.Ask
                          [HKLM\Software\Classes\protector_dll.protectorbho] =>PUP.BProtector
                          [HKLM\Software\Classes\protector_dll.protectorbho.1] =>PUP.BProtector
                          [HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{2318C2B1-4965-11d4-9B18-009027A5CD4F} =>Toolbar.Google^
                          C:\Windows\Installer\1526d.msi =>Toolbar.Ask^
                          C:\Windows\Installer\23916.msi =>Toolbar.Google^
                          ~ Additional scan: 269762 Items scanned in 00mn 15s



                          ---\\ Summary of detections found on your workstation
                          ~ http://nicolascoolman.webs.com/apps/...46-toolbar-ask =>Toolbar.Ask
                          ~ http://nicolascoolman.webs.com/apps/...pup-bprotector =>PUP.BProtector
                          ~ MSI: 2 link(s) detected in 00mn 15s



                          ~ 1324 Legitimates filtered by white list
                          End of the scan (463 lines in 02mn 42s)(0)

                          • #14
                            Start ZHPFix again.

                            Copy the complete text in the code field:

                            Code:
                            Script ZHPFix 
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4F524A2D-5637-006A-76A7-A758B70C0600}] =>Toolbar.Ask^
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF] =>Toolbar.Ask
                            [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E] =>Toolbar.Ask
                            [HKCU\Software\AskPartnerNetwork] =>Toolbar.Ask
                            [HKLM\Software\AskPartnerNetwork] =>Toolbar.Ask
                            [HKLM\Software\Wow6432Node\AskPartnerNetwork] =>Toolbar.Ask
                            [HKLM\Software\Wow6432Node\Microsoft\Tracing\apnstub_RASAPI32] =>Toolbar.Ask
                            [HKLM\Software\Wow6432Node\Microsoft\Tracing\apnstub_RASMANCS] =>Toolbar.Ask
                            [HKLM\Software\Classes\protector_dll.protectorbho] =>PUP.BProtector
                            [HKLM\Software\Classes\protector_dll.protectorbho.1] =>PUP.BProtector
                            [HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{2318C2B1-4965-11d4-9B18-009027A5CD4F} =>Toolbar.Google^
                            C:\Windows\Installer\1526d.msi =>Toolbar.Ask^
                            C:\Windows\Installer\23916.msi =>Toolbar.Google^
                            
                            shortcutfix
                            emptytemp
                            emptyflash
                            emptyjava
                            Double-click the shortcut: ZHPFix
                            Press the "Import" button
                            Then press the "Go" button at the bottom.
                            The fix will start; post the result ZHPFix[r2].txt



                            • #15
                              ZHPFix 2013.11.19.7 report by Nicolas Coolman, updated 19/11/2013
                              Registry export file :
                              Run by wdellink at 23-11-2013 19:17:56
                              High Elevated Privileges : OK
                              Windows 7 Home Premium Edition, 64-bit Service Pack 1 (Build 7601)

                              Recycle Bin emptied (00mn 04s)
                              Browser shortcut repair

                              ========== Registry keys ==========
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
                              DELETED:* HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
                              DELETED: HKCU\Software\AskPartnerNetwork
                              DELETED:* HKLM\Software\AskPartnerNetwork
                              DELETED: HKLM\Software\Wow6432Node\Microsoft\Tracing\apnstub_RASAPI32
                              DELETED: HKLM\Software\Wow6432Node\Microsoft\Tracing\apnstub_RASMANCS
                              DELETED: HKLM\Software\Classes\protector_dll.protectorbho
                              DELETED: HKLM\Software\Classes\protector_dll.protectorbho.1

                              ========== Registry values ==========
                              DELETED [HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{2318C2B1-4965-11d4-9B18-009027A5CD4F}

                              ========== Folders ==========
                              Windows temporary files deleted (5)
                              Flash cookies deleted (0)

                              ========== Files ==========
                              DELETED: C:\Windows\Installer\1526d.msi
                              DELETED: C:\Windows\Installer\23916.msi
                              Windows temporary files deleted (12) (3.825.081 bytes)
                              Flash cookies deleted (0) (0 bytes)

                              ========== Other ==========
                              NOT PROCESSED emptyjava


                              ========== Summary ==========
                              18 : Registry keys
                              1 : Registry values
                              2 : Folders
                              4 : Files
                              1 : Other


                              End of clean in 00mn 06s

                              ========== Report file path ==========
                              C:\Users\wdellink\AppData\Roaming\ZHP\ZHPFix[R1].txt - 23-11-2013 19:18:00 [3275]
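A verification pass after the fix, added here as an example (this is not code from the thread and not part of ZHPFix or ZHPDiag): the report above lists 18 registry keys deleted while the script in #14 named 20, so it is worth re-checking every target that script named instead of trusting the summary. The script below parses the detection lines of a ZHPFix script, treats each `[hive\key]` entry as a registry key, each `[hive\key]:name` entry as a registry value and everything else as a file path, and reports what still exists. It assumes an elevated 64-bit Windows PowerShell (2.0-compatible syntax, as shipped with Windows 7) run as the same user whose HKCU keys were listed, so the HKCU, HKLM\Software and HKLM\Software\Wow6432Node views are all visible. The embedded list is a constructed subset of the script posted in #14 (paste the full list in its place), and the function name Test-ZhpFixTargets is my own.

```powershell
# Added example, not part of the thread or of ZHPFix/ZHPDiag: re-check the
# registry keys, registry values and files named in a ZHPFix script and
# report which of them still exist after the fix has run.
# Assumptions: elevated 64-bit Windows PowerShell (2.0-compatible syntax),
# run as the same user whose HKCU keys were listed (here "wdellink"), so the
# HKCU, HKLM\Software and HKLM\Software\Wow6432Node views are all visible.

# Constructed subset of the script posted in #14; paste the full list here.
$ZhpFixScript = @'
Script ZHPFix
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4F524A2D-5637-006A-76A7-A758B70C0600}] =>Toolbar.Ask^
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E] =>Toolbar.Ask
[HKCU\Software\AskPartnerNetwork] =>Toolbar.Ask
[HKLM\Software\AskPartnerNetwork] =>Toolbar.Ask
[HKLM\Software\Wow6432Node\AskPartnerNetwork] =>Toolbar.Ask
[HKLM\Software\Classes\protector_dll.protectorbho] =>PUP.BProtector
[HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{2318C2B1-4965-11d4-9B18-009027A5CD4F} =>Toolbar.Google^
C:\Windows\Installer\1526d.msi =>Toolbar.Ask^
C:\Windows\Installer\23916.msi =>Toolbar.Google^
shortcutfix
emptytemp
'@

# Hypothetical helper name; emits one object per detection line.
function Test-ZhpFixTargets {
    param([Parameter(Mandatory=$true)][string]$ScriptText)

    foreach ($raw in ($ScriptText -split "`r?`n")) {
        $line = $raw.Trim()
        # Only detection lines end in "=>Tag" (optionally followed by "^");
        # the "Script ZHPFix" header and commands such as emptytemp are skipped.
        if (-not ($line -match '^(?<target>.+?)\s*=>(?<tag>[^\s^]+)\^?$')) { continue }
        $target = $Matches['target']
        $tag    = $Matches['tag']

        if ($target -match '^\[(?<key>[^\]]+)\](?::(?<value>.+))?$') {
            # "[hive\key]" is a registry key, "[hive\key]:name" a registry value.
            $key   = $Matches['key'] -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
            $value = $Matches['value']
            $item  = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
            if ($value) {
                $kind    = 'RegValue'
                $present = ($item -ne $null) -and ($item.GetValue($value) -ne $null)
            } else {
                $kind    = 'RegKey'
                $present = ($item -ne $null)
            }
        } else {
            # Anything else is a file path (here the cached MSI packages).
            $kind    = 'File'
            $present = Test-Path -LiteralPath $target -PathType Leaf
        }

        New-Object PSObject -Property @{
            Kind         = $kind
            Tag          = $tag
            Target       = $target
            StillPresent = $present
        } | Select-Object Kind, Tag, Target, StillPresent
    }
}

$results = Test-ZhpFixTargets -ScriptText $ZhpFixScript
$results | Format-Table -AutoSize
$left = @($results | Where-Object { $_.StillPresent })
if ($left.Count -eq 0) {
    Write-Host 'All targets named in the script are gone.'
} else {
    Write-Warning ("{0} target(s) still present; rerun ZHPFix or remove them by hand." -f $left.Count)
}
```

Run it from an elevated PowerShell prompt after the ZHPFix run and before rebooting again; any row with StillPresent set to True is a target the fix did not remove and should go back into the next ZHPFix script or be removed by hand.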
