
Thread: Please take a look here ..

  1. #1
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Please take a look here ..

    Maybe someone can take a look over this. Quite a lot is wrong. The computer basically does what it wants, when it wants. Many thanks.

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:53:57, on 14.08.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Avira\AntiVir Desktop\sched.exe
    C:\Programme\Avira\AntiVir Desktop\avguard.exe
    C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Programme\Hamachi\hamachi.exe
    C:\Programme\ICQ6Toolbar\ICQ Service.exe
    C:\Programme\Java\jre6\bin\jqs.exe
    C:\Programme\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Programme\Spyware Doctor\pctsAuxs.exe
    C:\Programme\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Programme\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programme\Avira\AntiVir Desktop\avgnt.exe
    C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\ctfmon.exe
    F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe
    C:\Programme\Mozilla Firefox\firefox.exe
    C:\Programme\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.t-online.de/service/redir/ie_suche.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von T-Online International AG
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www-proxy.t-online.de:80;ftp=ftp-proxy.t-online.de:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.t-online.de;localhost;<local>
    R3 - URLSearchHook: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll
    O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_SD9.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Global Startup: Verknüpfung mit NODfix.lnk = F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\DVDVideoSoftIEHelpers\youtubetomp3.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de/service/redir/ie_t-online.htm
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Hamachi Service (HamachiService) - LogMeIn Inc. - C:\Programme\Hamachi\hamachi.exe
    O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
    O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O24 - Desktop Component 0: (no name) - http://www.cowboysonlineproshop.com//CatalogImages/18-1050-Large_Image.jpeg
    
    --
    End of file - 8349 bytes
    Perhaps additionally:
    every now and then I often can no longer log in. As soon as I try to log in, only "Abmeldung" (logging off) appears ... and I can start all over again. I then also get the message "winlogon.exe hat ein Problem festgestellt" (winlogon.exe has encountered a problem).

    Furthermore, I cannot reach any sites via Google. That is, when I search for a site via Google, I can click on it, but then end up at an error message. Entering the address directly works without problems.
    Last edited by Kadice (14.08.2010 at 22:37)

  2. #2
    Moderator, team member Swisstreasure
    Registered since
    13.08.2009
    Location
    Switzerland
    Posts
    3.534

    Re: Please take a look here ..

    Welcome to the HijackThis.de support forum, Kadice,

    cleaning a system can be laborious and may involve some work on your part.
    Please note the following points:
    • Respect our forum rules and don't be too impatient if it takes a little longer.
    • During the cleanup, connect all existing external storage media (USB sticks, hard drives),
    • and do not install or uninstall any programs without consulting us.
    • Download programs exclusively from the links given in our instructions!
    • Post log files in code tags and anonymize personal data where necessary.
    • Work through each point in order and report that you have completed it.
    • If there is a problem, stop and describe it as precisely as possible.
    • Attention: the disappearance of the symptoms does not mean that your computer is already clean.
      Please keep working with us until we say that the computer is clean.
    • Only carry out instructions from a team member listed here.
    • As a rule, there is no support via PM or e-mail.
    • We do not clean computers that are used for business.
    • Possession of legal software is a prerequisite for support.
      Should we find illegal software, support will be discontinued.
    Vista and Win7 users:
    • Always run all programs and tools that we prescribe with a right-click and "Run as administrator".

    Step 1

    Can you see all files and file extensions on your computer? If not, please make these settings in the folder options.


    Step 2

    System scan with OTL

    Please download OTL by Oldtimer and save it to your desktop.
    • Double-click OTL.exe
    • Vista and Windows 7 users: right-click OTL.exe and choose "Run as administrator".
    • At the top you will find a box labelled Output.
      Please select Minimal Output
    • Under Extra Registry, please select Use SafeList.
    • Tick the LOP check and the Purity check.
    • Now click Scan at the top left.


    • When the scan has finished, two log files are created.
      You will find the log files on your desktop => OTL.txt and Extras.txt
    • Post the log files in code tags here in the thread.

    Step 3

    Rootkit search with Gmer

    What are rootkits?

    Important: for every rootkit scan:
    • First deactivate, following these instructions, any CD emulators that may be present, such as Alcohol, Daemon Tools or similar.
    • All other programs against viruses, spyware, etc. should be deactivated,
    • there should be no connection to a network/the Internet (don't forget WLAN),
    • nothing should be done on the computer,
    • the computer should be restarted after every scan.
    • Don't forget to switch the security programs back on after the rootkit scan!

    Download Gmer from this page
    (press the Download EXE button) and save the program on the desktop.
    • Gmer is suitable for => NT/W2K/XP/VISTA (32-bit only).
    • All other programs should be closed.
    • Start gmer.exe (it has an arbitrary program name).
    • Vista users: start it with a right-click and as administrator.
    • Gmer automatically starts a first scan.
    • Should a window open with the following warning:
      Code:
      WARNING !!!
      GMER has found system modification, which might have been caused by ROOTKIT activity.
      Do you want to fully scan your system?
    • Be sure to click "No",
      and in that case use the Save button to save the result so far on the desktop as gmer_first.log.

    • If that was not the case, now select the "Rootkit/Malware" tab,
    • Tick: System, Sections, Devices, Modules, Processes, Threads, Libraries, Services, Registry and Files.
    • Important: "Show all" must not be ticked!
    • Start the scan by pressing the "Scan" button.
      Do nothing on the computer while the scan is running (the bottom left shows what is currently being scanned).
    • When the scan is finished, the line remains empty.
      Click "Save" and save the log file as gmer.log on the desktop.
      "Ok" closes Gmer.
    Switch the antivirus program and other scanners back on before you go online!

    Now post the log file in code tags.

  3. #3
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Re: Please take a look here ..

    Hello Swiss, many thanks for your quick help. This is how far I have got so far

    1. done

    2.
    OTL log file:

    Code:
    OTL logfile created on: 15.08.2010 15:57:15 - Run 2
    OTL by OldTimer - Version 3.2.9.1     Folder = C:\Dokumente und Einstellungen\Menni\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
     
    511,00 Mb Total Physical Memory | 164,00 Mb Available Physical Memory | 32,00% Memory free
    1,00 Gb Paging File | 1,00 Gb Available in Paging File | 51,00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
     
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
    Drive C: | 13,28 Gb Total Space | 1,11 Gb Free Space | 8,36% Space Free | Partition Type: NTFS
    Drive D: | 48,82 Gb Total Space | 35,75 Gb Free Space | 73,22% Space Free | Partition Type: FAT32
    Drive E: | 12,43 Gb Total Space | 4,75 Gb Free Space | 38,19% Space Free | Partition Type: FAT32
    Drive F: | 5,94 Gb Total Space | 5,25 Gb Free Space | 88,46% Space Free | Partition Type: FAT32
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
     
    Computer Name: KLAUS
    Current User Name: klaus_2
    Logged in as Administrator.
     
    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal
     
    ========== Processes (SafeList) ==========
     
    PRC - C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    PRC - C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    PRC - C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
    PRC - C:\Programme\Spyware Doctor\pctsSvc.exe (PC Tools)
    PRC - C:\Programme\Spyware Doctor\pctsAuxs.exe (PC Tools)
    PRC - C:\Programme\Spyware Doctor\pctsTray.exe (PC Tools)
    PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    PRC - C:\Programme\ICQ6Toolbar\ICQ Service.exe ()
    PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    PRC - C:\Programme\Hamachi\hamachi.exe (LogMeIn Inc.)
    PRC - C:\Programme\CDBurnerXP\NMSAccessU.exe ()
    PRC - F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe (UltraVNC)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
     
     
    ========== Modules (SafeList) ==========
     
    MOD - C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\Programme\Spyware Doctor\PCTGMhk.dll (PC Tools)
    MOD - C:\Programme\Spyware Doctor\smum32.dll (PC Tools)
    MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
     
     
    ========== Win32 Services (SafeList) ==========
     
    SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
    SRV - (Browser Defender Update Service) -- C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
    SRV - (sdCoreService) -- C:\Programme\Spyware Doctor\pctsSvc.exe (PC Tools)
    SRV - (sdAuxService) -- C:\Programme\Spyware Doctor\pctsAuxs.exe (PC Tools)
    SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    SRV - (TuneUp.Defrag) -- C:\WINDOWS\system32\TuneUpDefragService.exe (TuneUp Software GmbH)
    SRV - (ICQ Service) -- C:\Programme\ICQ6Toolbar\ICQ Service.exe ()
    SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    SRV - (HamachiService) -- C:\Programme\Hamachi\hamachi.exe (LogMeIn Inc.)
    SRV - (NMSAccessU) -- C:\Programme\CDBurnerXP\NMSAccessU.exe ()
    SRV - (UxTuneUp) -- C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software GmbH)
    SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
     
     
    ========== Driver Services (SafeList) ==========
     
    DRV - (PCANDIS5) -- H:\TDSLTE~7\PCANDIS5.SYS File not found
    DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
    DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
    DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
    DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
    DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
    DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (VClone) -- C:\WINDOWS\system32\drivers\VClone.sys (Elaborate Bytes AG)
    DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
    DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
    DRV - (CAM1210) -- C:\WINDOWS\system32\drivers\cam1210.sys (USB video camera)
    DRV - (MTOnlPktAlyX) -- C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\MTOnlPktAlyx.sys (Deutsche Telekom AG AG, Marmiko IT-Solutions GmbH)
    DRV - (MIINPazX) -- C:\Programme\Gemeinsame Dateien\Marmiko Shared\MInfraIS\MIINPazx.sys (Deutsche Telekom AG, Marmiko IT-Solutions GmbH)
    DRV - (se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM) -- C:\WINDOWS\system32\drivers\se27unic.sys (MCCI)
    DRV - (se27nd5) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS) -- C:\WINDOWS\system32\drivers\se27nd5.sys (MCCI)
    DRV - (SE27mgmt) Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\SE27mgmt.sys (MCCI)
    DRV - (SE27obex) -- C:\WINDOWS\system32\drivers\SE27obex.sys (MCCI)
    DRV - (SE27mdm) -- C:\WINDOWS\system32\drivers\SE27mdm.sys (MCCI)
    DRV - (SE27mdfl) -- C:\WINDOWS\system32\drivers\SE27mdfl.sys (MCCI)
    DRV - (SE27bus) Sony Ericsson Device 039 Driver driver (WDM) -- C:\WINDOWS\system32\drivers\SE27bus.sys (MCCI)
    DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
    DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
    DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
    DRV - (SiSGbeXP) -- C:\WINDOWS\system32\drivers\SiSGbeXP.sys (Silicon Integrated Systems Corp.)
    DRV - (SiSide) -- C:\WINDOWS\system32\DRIVERS\siside.sys (Silicon Integrated Systems Corp.)
    DRV - (sisidex) -- C:\WINDOWS\system32\drivers\sisidex.sys (Windows (R) 2000 DDK provider)
    DRV - (sisperf) -- C:\WINDOWS\system32\drivers\sisperf.sys (Silicon Integrated Systems Corp.)
    DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
    DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)
     
     
    ========== Standard Registry (SafeList) ==========
     
     
    ========== Internet Explorer ==========
     
     
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\..\URLSearchHook: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll (Conduit Ltd.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.t-online.de;localhost;<local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=www-proxy.t-online.de:80;ftp=ftp-proxy.t-online.de:80
     
    ========== FireFox ==========
     
    FF - prefs.js..CommunityToolbar.SearchFromAddressBarSavedUrl: "data:text/plain,keyword.URL=http://de.search.yahoo.com/search?ei=UTF-8&fr=ffbr&type=moz35awe&p="
    FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "www.google.de"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
    FF - prefs.js..extensions.enabledItems: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:2.7.0.14
    FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
     
     
    FF - HKLM\software\mozilla\Mozilla Firefox 3.1b1\extensions\\Components: C:\Programme\Mozilla Firefox 3.1 Beta 1\components [2008.12.05 22:46:50 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.1b1\extensions\\Plugins: C:\Programme\Mozilla Firefox 3.1 Beta 1\plugins [2010.07.03 01:34:46 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.31 00:04:28 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.29 00:02:57 | 000,000,000 | ---D | M]
     
    [2009.01.12 13:18:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Extensions
    [2010.07.07 23:56:47 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\8jskr57y.default\extensions
    [2010.07.07 23:56:47 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\8jskr57y.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    [2010.07.07 23:56:38 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\8jskr57y.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    [2010.08.15 15:57:19 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\extensions
    [2010.08.14 03:53:08 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    [2010.07.08 12:19:48 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}-trash
    [2010.08.14 03:53:03 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    [2010.06.30 00:31:56 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    [2009.07.15 16:32:53 | 000,000,694 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icq-search.xml
    [2009.08.05 12:52:40 | 000,000,961 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icqplugin-1.xml
    [2009.08.07 11:25:57 | 000,000,961 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icqplugin-2.xml
    [2009.10.29 14:17:56 | 000,000,961 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icqplugin-3.xml
    [2009.11.10 14:13:26 | 000,000,961 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icqplugin-4.xml
    [2009.12.16 19:10:10 | 000,000,961 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icqplugin-5.xml
    [2009.07.18 19:45:20 | 000,000,961 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\icqplugin.xml
    [2009.08.15 19:30:30 | 000,009,949 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Mozilla\Firefox\Profiles\hkmsn0s5.default\searchplugins\mywebsearch.xml
    [2010.08.15 15:57:19 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
    [2010.05.26 21:01:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010.07.23 02:48:56 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
    [2010.07.23 02:48:56 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
    [2010.07.23 02:48:56 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
    [2010.07.23 02:48:56 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
    [2010.07.23 02:48:56 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
     
    O1 HOSTS File: ([2002.12.31 13:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1       localhost
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O2 - BHO: (DVDVideoSoftTB Toolbar) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll (Conduit Ltd.)
    O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
    O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
    O3 - HKLM\..\Toolbar: (DVDVideoSoftTB Toolbar) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
    O3 - HKCU\..\Toolbar\ShellBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O3 - HKCU\..\Toolbar\WebBrowser: (DVDVideoSoftTB Toolbar) - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - C:\Programme\DVDVideoSoftTB\tbDVD1.dll (Conduit Ltd.)
    O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [ISTray] C:\Programme\Spyware Doctor\pctsTray.exe (PC Tools)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Verknüpfung mit NODfix.lnk = F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe (UltraVNC)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\DVDVideoSoftIEHelpers\youtubetomp3.htm ()
    O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
    O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab (Oberon Flash Game Host)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop Components:0 () - http://www.cowboysonlineproshop.com//CatalogImages/18-1050-Large_Image.jpeg
    O24 - Desktop Components:1 (Die derzeitige Homepage) - About:Home
    O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
    O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
    O27 - HKLM IFEO\RapportMgmtService.exe: Debugger - ZASRAKOMONDOHUI31338.EXE File not found
    O27 - HKLM IFEO\RapportService.exe: Debugger - ZASRAKOMONDOHUI31338.EXE File not found
    O27 - HKLM IFEO\userinit.exe: Debugger - mony.exe ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008.11.30 18:09:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{1afde51e-6db9-11de-8842-00138f3296ff}\Shell - "" = AutoRun
    O33 - MountPoints2\{1afde51e-6db9-11de-8842-00138f3296ff}\Shell\AutoRun - "" = Auto&Play
    O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
     
    ========== Files/Folders - Created Within 30 Days ==========
     
    [2010.08.15 15:55:18 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe
    [2010.08.15 11:06:45 | 000,000,000 | ---D | C] -- C:\DVDVideoSoft
    [2010.08.14 13:51:49 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\NCH Swift Sound
    [2010.08.12 02:45:06 | 018,119,680 | ---- | C] (DVDVideoSoft Limited.                                       ) -- C:\Dokumente und Einstellungen\Menni\Eigene Dateien\FreeYouTubeToMp3Converter.exe
    [2010.08.01 11:45:17 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NCH Swift Sound
    [2010.08.01 11:44:07 | 000,000,000 | ---D | C] -- C:\Programme\NCH Software
    [2010.08.01 11:43:01 | 000,000,000 | ---D | C] -- C:\Programme\NCH Swift Sound
    [2010.07.27 01:04:36 | 000,000,000 | ---D | C] -- C:\Programme\WinRAR
    [2010.07.21 15:22:46 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Menni\Lokale Einstellungen\Anwendungsdaten\Downloaded Installations
    [2010.07.16 23:33:29 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010.07.16 17:59:23 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Windows Live
    [12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
     
    ========== Files - Modified Within 30 Days ==========
     
    [2010.08.15 16:00:03 | 000,000,496 | ---- | M] () -- C:\WINDOWS\tasks\1-Klick-Wartung.job
    [2010.08.15 15:55:19 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe
    [2010.08.15 15:44:20 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
    [2010.08.15 15:42:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010.08.15 15:42:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010.08.15 15:42:11 | 000,060,452 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
    [2010.08.15 14:06:32 | 003,407,872 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\ntuser.dat
    [2010.08.15 13:56:16 | 004,310,688 | -H-- | M] () -- C:\Dokumente und Einstellungen\Menni\Lokale Einstellungen\Anwendungsdaten\IconCache.db
    [2010.08.15 13:39:35 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Menni\ntuser.ini
    [2010.08.15 13:36:34 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\defogger_reenable
    [2010.08.12 23:47:00 | 000,000,034 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
    [2010.08.12 21:51:55 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\switchShakeIcon.job
    [2010.08.12 02:50:11 | 000,000,906 | ---- | M] () -- C:\Dokumente und Einstellungen\Menni\Desktop\DVDVideoSoft Free Studio.lnk
    [2010.08.12 02:47:16 | 018,119,680 | ---- | M] (DVDVideoSoft Limited.                                       ) -- C:\Dokumente und Einstellungen\Menni\Eigene Dateien\FreeYouTubeToMp3Converter.exe
    [2010.08.05 14:53:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010.08.01 11:44:08 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\expressripShakeIcon.job
    [2010.08.01 11:44:08 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\expressripSevenDays.job
    [2010.07.29 00:03:02 | 000,001,566 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Mozilla Firefox.lnk
    [2010.07.17 13:43:48 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
     
    ========== Files Created - No Company Name ==========
     
    [2010.08.15 13:36:34 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\Menni\defogger_reenable
    [2010.08.12 21:51:55 | 000,000,274 | ---- | C] () -- C:\WINDOWS\tasks\switchShakeIcon.job
    [2010.08.01 11:44:08 | 000,000,290 | ---- | C] () -- C:\WINDOWS\tasks\expressripSevenDays.job
    [2010.08.01 11:44:07 | 000,000,290 | ---- | C] () -- C:\WINDOWS\tasks\expressripShakeIcon.job
    [2009.11.24 22:39:34 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
    [2009.11.24 22:39:34 | 000,763,832 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
    [2009.08.16 18:16:53 | 000,139,152 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2009.01.18 21:51:50 | 000,000,103 | ---- | C] () -- C:\WINDOWS\EmSoft.ini
    [2009.01.15 18:23:50 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
    [2008.12.16 19:11:53 | 000,000,027 | ---- | C] () -- C:\WINDOWS\CDE DX4400DEFGIPS.ini
    [2008.12.07 22:08:54 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2008.12.07 22:03:58 | 000,000,027 | ---- | C] () -- C:\WINDOWS\CDE DX4000EFDG.ini
    [2008.12.07 21:24:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CLASSIC.INI
    [2008.12.07 15:56:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\dpd.ini
    [2008.12.07 00:33:05 | 000,000,177 | ---- | C] () -- C:\WINDOWS\funsol.ini
    [2008.12.07 00:32:55 | 000,000,019 | ---- | C] () -- C:\WINDOWS\VPOKER.ini
    [2008.12.07 00:27:49 | 000,000,281 | ---- | C] () -- C:\WINDOWS\MATCHBOX.INI
    [2008.12.06 23:19:41 | 000,000,074 | ---- | C] () -- C:\WINDOWS\winhelp.ini
    [2008.12.05 20:50:38 | 000,287,744 | ---- | C] () -- C:\WINDOWS\uno364mi.dll
    [2008.12.05 20:50:38 | 000,109,568 | ---- | C] () -- C:\WINDOWS\vos364mi.dll
    [2008.12.05 20:50:38 | 000,091,648 | ---- | C] () -- C:\WINDOWS\osl364mi.dll
    [2008.12.05 20:50:38 | 000,000,211 | ---- | C] () -- C:\WINDOWS\uno.ini
    [2008.12.01 13:12:06 | 000,000,034 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2008.12.01 12:08:20 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
    [2008.12.01 12:07:08 | 000,139,264 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
    [2007.03.07 20:07:12 | 000,021,174 | ---- | C] () -- C:\WINDOWS\cam1210.ini
    [2006.11.08 14:27:06 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\cam1210.dll
     
    ========== LOP Check ==========
     
    [2010.06.08 03:32:44 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\EPSON
    [2008.12.01 12:24:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ESET
    [2009.07.15 15:57:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ICQ
    [2010.08.01 11:45:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NCH Swift Sound
    [2009.06.13 14:24:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Online
    [2008.12.09 03:03:45 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Online_ZusatzSoftware
    [2008.12.30 16:52:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Teleca
    [2010.08.15 15:55:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
    [2010.01.04 00:25:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TrackMania
    [2008.12.01 12:02:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software
    [2008.12.16 20:05:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\UDL
    [2008.12.25 20:37:13 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
    [2009.07.03 21:57:38 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{55A29068-F2CE-456C-9148-C869879E2357}
    [2010.07.07 23:56:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\DVDVideoSoftIEHelpers
    [2009.10.10 20:59:45 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\EPSON
    [2010.06.26 02:14:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\ICQ
    [2010.08.14 13:51:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\NCH Swift Sound
    [2009.01.11 17:56:18 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\OpenOffice.org
    [2010.08.15 15:52:23 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\PriceGong
    [2009.09.03 22:54:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\putzi4win
    [2009.06.13 14:24:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\T-Online
    [2009.08.21 21:21:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Teleca
    [2009.01.12 13:22:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\TuneUp Software
    [2009.11.24 22:28:13 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Menni\Anwendungsdaten\Uniblue
    [2010.08.15 16:00:03 | 000,000,496 | ---- | M] () -- C:\WINDOWS\Tasks\1-Klick-Wartung.job
    [2010.08.01 11:44:08 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\expressripSevenDays.job
    [2010.08.01 11:44:08 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\expressripShakeIcon.job
    [2010.08.12 21:51:55 | 000,000,274 | ---- | M] () -- C:\WINDOWS\Tasks\switchShakeIcon.job
    [2010.08.15 15:44:20 | 000,000,262 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job
     
    ========== Purity Check ==========
     
     
     
    ========== Alternate Data Streams ==========
     
    @Alternate Data Stream - 210 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8
    < End of report >

    Extras Logfile:

    Code:
    OTL Extras logfile created on: 15.08.2010 15:57:15 - Run 2
    OTL by OldTimer - Version 3.2.9.1     Folder = C:\Dokumente und Einstellungen\Menni\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
     
    511,00 Mb Total Physical Memory | 164,00 Mb Available Physical Memory | 32,00% Memory free
    1,00 Gb Paging File | 1,00 Gb Available in Paging File | 51,00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
     
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
    Drive C: | 13,28 Gb Total Space | 1,11 Gb Free Space | 8,36% Space Free | Partition Type: NTFS
    Drive D: | 48,82 Gb Total Space | 35,75 Gb Free Space | 73,22% Space Free | Partition Type: FAT32
    Drive E: | 12,43 Gb Total Space | 4,75 Gb Free Space | 38,19% Space Free | Partition Type: FAT32
    Drive F: | 5,94 Gb Total Space | 5,25 Gb Free Space | 88,46% Space Free | Partition Type: FAT32
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
     
    Computer Name: KLAUS
    Current User Name: klaus_2
    Logged in as Administrator.
     
    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal
     
    ========== Extra Registry (SafeList) ==========
     
     
    ========== File Associations ==========
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- c:\programme\t-online\t-online_software_6\browser\Browser.exe (Deutsche Telekom AG)
     
    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found
     
    ========== Shell Spawning ==========
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [open] -- c:\programme\t-online\t-online_software_6\browser\Browser.exe "%1" (Deutsche Telekom AG)
    htmlfile [opennew] -- c:\programme\t-online\t-online_software_6\browser\Browser.exe "%1" (Deutsche Telekom AG)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
    Directory [Winamp.Enqueue] -- "C:\Programme\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
    Directory [Winamp.Play] -- "C:\Programme\Winamp\winamp.exe" "%1" (Nullsoft)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
     
    ========== Security Center Settings ==========
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 1
    "FirewallDisableNotify" = 1
    "UpdatesDisableNotify" = 1
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
     
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
     
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
     
    ========== Authorized Applications List ==========
     
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
     
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.)
    "F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe" = F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe:*:Disabled:VNC server for Win32 -- (UltraVNC)
     
     
    ========== HKEY_LOCAL_MACHINE Uninstall List ==========
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{04B45310-A5FE-4425-BFCA-1A6D8920DE74}" = OpenOffice.org 3.0
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 20
    "{32C2F9AA-7484-48C2-AC19-2031F2ADD8F2}" = HAMA WEBCAM AC-130
    "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3F0D0ABE-CDAF-431A-00BC-CBBE018EA74E}" = SimCity 4 Deluxe
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008
    "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
    "{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{7C32C567-DC0F-4C80-B06C-7873850A2E06}" = Die Sims - Tierisch gut drauf
    "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
    "{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
    "{9309DD7E-EBFE-3C95-8B47-30D3A012F606}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.3 - Deutsch
    "{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
    "{B1275E23-717A-4D52-997A-1AD1E24BC7F3}" = T-Online 6.0
    "{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
    "{B90450DF-E781-46FD-B1F1-0C86DA40E443}" = PIF DESIGNER
    "{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
    "{C2FCB62F-D79F-4395-009C-A703AC9FB64F}" = Madden NFL 2004
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
    "7-Zip" = 7-Zip 4.60 beta
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "ATI Display Driver" = ATI Display Driver
    "Audiograbber" = Audiograbber 1.83 SE 
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Browser Defender_is1" = Browser Defender 2.0.6.15
    "DVDVideoSoftTB Toolbar" = DVDVideoSoftTB Toolbar
    "EPSON Printer and Utilities" = EPSON-Drucker-Software
    "ExpressRip" = Express Rip
    "FileZilla Client" = FileZilla Client 3.1.5
    "Free Audio CD Burner_is1" = Free Audio CD Burner version 1.4
    "Free Download Manager_is1" = Free Download Manager 2.5 Language pack
    "Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.8
    "Hamachi" = Hamachi 1.0.3.0
    "HijackThis" = HijackThis 2.0.2
    "ICQToolbar" = ICQ Toolbar
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
    "Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
    "Miranda IM" = Miranda IM 0.7.10
    "Mozilla Firefox (3.1b1)" = Mozilla Firefox (3.1b1)
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Project IGI" = Project IGI
    "PunkBusterSvc" = PunkBuster Services
    "screensaver.scr" = screensaver
    "Spyware Doctor" = Spyware Doctor 7.0
    "Switch" = Switch Sound File Converter
    "TmNationsForever_is1" = TmNationsForever
    "Ultravnc2_is1" = UltraVNC 1.0.5.1
    "Uninstall_is1" = Uninstall 1.0.0.1
    "VLC media player" = VLC media player 0.9.6
    "Winamp5Lite_is1" = Winamp 5.541 Lite
    "WinRAR archiver" = WinRAR
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
     
    ========== HKEY_CURRENT_USER Uninstall List ==========
     
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
     
    ========== Last 10 Event Log Errors ==========
     
    [ Application Events ]
    Error - 14.08.2010 11:14:05 | Computer Name = KLAUS | Source = Application Error | ID = 1004
    Description = Fehlgeschlagene Anwendung winlogon.exe, Version 0.0.0.0, fehlgeschlagenes
     Modul unknown, Version 0.0.0.0, Fehleradresse 0x00fa0005.
     
    Error - 14.08.2010 11:54:16 | Computer Name = KLAUS | Source = Application Error | ID = 1000
    Description = Fehlgeschlagene Anwendung , Version 0.0.0.0, fehlgeschlagenes Modul
     unknown, Version 0.0.0.0, Fehleradresse 0x015e0005.
     
    Error - 14.08.2010 14:51:56 | Computer Name = KLAUS | Source = Application Error | ID = 1004
    Description = Fehlgeschlagene Anwendung winlogon.exe, Version 0.0.0.0, fehlgeschlagenes
     Modul unknown, Version 0.0.0.0, Fehleradresse 0x01810005.
     
    Error - 14.08.2010 14:52:13 | Computer Name = KLAUS | Source = Application Error | ID = 1004
    Description = Fehlgeschlagene Anwendung winlogon.exe, Version 0.0.0.0, fehlgeschlagenes
     Modul unknown, Version 0.0.0.0, Fehleradresse 0x015e0005.
     
    Error - 14.08.2010 15:40:19 | Computer Name = KLAUS | Source = Application Error | ID = 1000
    Description = Fehlgeschlagene Anwendung , Version 0.0.0.0, fehlgeschlagenes Modul
     unknown, Version 0.0.0.0, Fehleradresse 0x01710005.
     
    Error - 14.08.2010 16:05:44 | Computer Name = KLAUS | Source = Application Error | ID = 1004
    Description = Fehlgeschlagene Anwendung winlogon.exe, Version 0.0.0.0, fehlgeschlagenes
     Modul unknown, Version 0.0.0.0, Fehleradresse 0x01710005.
     
    Error - 14.08.2010 17:37:29 | Computer Name = KLAUS | Source = Application Error | ID = 1000
    Description = Fehlgeschlagene Anwendung , Version 0.0.0.0, fehlgeschlagenes Modul
     unknown, Version 0.0.0.0, Fehleradresse 0x01810005.
     
    Error - 15.08.2010 06:38:04 | Computer Name = KLAUS | Source = Application Error | ID = 1000
    Description = Fehlgeschlagene Anwendung , Version 0.0.0.0, fehlgeschlagenes Modul
     unknown, Version 0.0.0.0, Fehleradresse 0x00000000.
     
    Error - 15.08.2010 07:43:05 | Computer Name = KLAUS | Source = Application Error | ID = 1004
    Description = Fehlgeschlagene Anwendung winlogon.exe, Version 0.0.0.0, fehlgeschlagenes
     Modul unknown, Version 0.0.0.0, Fehleradresse 0x01810005.
     
    Error - 15.08.2010 07:43:28 | Computer Name = KLAUS | Source = Application Error | ID = 1004
    Description = Fehlgeschlagene Anwendung winlogon.exe, Version 0.0.0.0, fehlgeschlagenes
     Modul unknown, Version 0.0.0.0, Fehleradresse 0x00000000.
     
    [ System Events ]
    Error - 15.08.2010 06:38:48 | Computer Name = KLAUS | Source = RemoteAccess | ID = 20151
    Description = Das Steuerungsprotokoll EAP in dem Point-to-Point-Protkoll-Modul C:\WINDOWS\System32\rasppp.dll
     lieferte  bei der Initialisierung einen Fehler zurück. Das Medium ist schreibgeschützt.
    
     
    Error - 15.08.2010 06:38:48 | Computer Name = KLAUS | Source = Rasman | ID = 20063
    Description = Die RAS-Verbindungsverwaltung konnte nicht gestartet werden, da das
    Point-to-Point-Protokoll
     nicht initialisiert werden konnte. Das Medium ist schreibgeschützt.  
     
    Error - 15.08.2010 06:38:48 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7023
    Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler 
    beendet:   %%19
     
    Error - 15.08.2010 06:38:49 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7009
    Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst Gatewaydienst
     auf Anwendungsebene.
     
    Error - 15.08.2010 06:38:49 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "Gatewaydienst auf Anwendungsebene" wurde aufgrund folgenden
     Fehlers nicht gestartet:   %%1053
     
    Error - 15.08.2010 06:38:49 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "IMAPI-CD-Brenn-COM-Dienste" wurde aufgrund folgenden Fehlers
     nicht gestartet:   %%3
     
    Error - 15.08.2010 06:38:50 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "RAS-Verbindungsverwaltung" wurde aufgrund folgenden Fehlers
     nicht gestartet:   %%3
     
    Error - 15.08.2010 06:38:50 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "RAS-Verbindungsverwaltung" wurde aufgrund folgenden Fehlers
     nicht gestartet:   %%3
     
    Error - 15.08.2010 06:38:50 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "RAS-Verbindungsverwaltung" wurde aufgrund folgenden Fehlers
     nicht gestartet:   %%3
     
    Error - 15.08.2010 06:38:50 | Computer Name = KLAUS | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "RAS-Verbindungsverwaltung" wurde aufgrund folgenden Fehlers
     nicht gestartet:   %%3
     
     
    < End of report >

    3.

    Defogger Disable Log:
    Code:
    defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 16:04 on 15/08/2010 (klaus_2)
    
    Checking for autostart values...
    HKCU\~\Run values retrieved.
    HKLM\~\Run values retrieved.
    
    Checking for services/drivers...
    
    
    -=E.O.F=-

    Gmer Log:
    Code:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-15 16:21:39
    Windows 5.1.2600 Service Pack 3
    Running: l6m18jg0.exe; Driver: C:\DOKUME~1\Menni\LOKALE~1\Temp\kxtdqpog.sys
    
    
    ---- System - GMER 1.0.15 ----
    
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwCreateKey [0xF8486E22]
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwCreateProcess [0xF8467CDC]
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwCreateProcessEx [0xF8467ECE]
    SSDT            F8C3D7BC                                                                                                ZwCreateThread
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwDeleteKey [0xF8487610]
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwDeleteValueKey [0xF84878C4]
    SSDT            F8C3D7DA                                                                                                ZwLoadKey
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwOpenKey [0xF8485B14]
    SSDT            F8C3D7A8                                                                                                ZwOpenProcess
    SSDT            F8C3D7AD                                                                                                ZwOpenThread
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwRenameKey [0xF8487D30]
    SSDT            F8C3D7E4                                                                                                ZwReplaceKey
    SSDT            F8C3D7DF                                                                                                ZwRestoreKey
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwSetValueKey [0xF84870E2]
    SSDT            PCTCore.sys (PC Tools KDS Core Driver/PC Tools)                                                         ZwTerminateProcess [0xF8467982]
    
    ---- Kernel code sections - GMER 1.0.15 ----
    
    .text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                section is writeable [0xF7282000, 0x1A9158, 0xE8000020]
    
    ---- User code sections - GMER 1.0.15 ----
    
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtClose                                                  7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtClose + 4                                              7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateFile                                             7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateFile                                             7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateFile + 4                                         7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateKey                                              7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateKey + 4                                          7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateSection                                          7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtCreateSection + 4                                      7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtDeleteKey                                              7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtDeleteKey + 4                                          7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtDeleteValueKey                                         7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtDeleteValueKey + 4                                     7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtRenameKey                                              7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtRenameKey + 4                                          7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtSetInformationFile                                     7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtSetInformationFile + 4                                 7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtSetValueKey                                            7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtSetValueKey + 4                                        7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtTerminateProcess                                       7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtTerminateProcess + 4                                   7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtWriteFile                                              7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtWriteFile + 4                                          7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtWriteFileGather                                        7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtWriteFileGather + 4                                    7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtWriteVirtualMemory                                     7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!NtWriteVirtualMemory + 4                                 7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\spoolsv.exe[172] kernel32.dll!LoadLibraryExW + C4                                   7C801BB9 4 Bytes  CALL 00FA0001 
    .text           C:\WINDOWS\system32\spoolsv.exe[172] C:\WINDOWS\system32\WS2_32.dll                                     section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\spoolsv.exe[172] C:\WINDOWS\system32\WS2_32.dll                                     entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtClose                                                          7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtClose + 4                                                      7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateFile                                                     7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateFile                                                     7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateFile + 4                                                 7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateKey                                                      7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateKey + 4                                                  7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateSection                                                  7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtCreateSection + 4                                              7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtDeleteKey                                                      7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtDeleteKey + 4                                                  7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtDeleteValueKey                                                 7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtDeleteValueKey + 4                                             7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtRenameKey                                                      7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtRenameKey + 4                                                  7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtSetInformationFile                                             7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtSetInformationFile + 4                                         7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtSetValueKey                                                    7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtSetValueKey + 4                                                7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtTerminateProcess                                               7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtTerminateProcess + 4                                           7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtWriteFile                                                      7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtWriteFile + 4                                                  7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtWriteFileGather                                                7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtWriteFileGather + 4                                            7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtWriteVirtualMemory                                             7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtWriteVirtualMemory + 4                                         7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\Explorer.EXE[308] kernel32.dll!LoadLibraryExW + C4                                           7C801BB9 4 Bytes  CALL 02740001 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetReadFile                                               408C654B 5 Bytes  JMP 0134D178 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!HttpQueryInfoA                                                 408C878D 5 Bytes  JMP 0134D3BC 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetCloseHandle                                            408C9088 5 Bytes  JMP 0134D42C 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetQueryDataAvailable                                     408CBF7F 5 Bytes  JMP 0134CF54 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!HttpOpenRequestA                                               408CD508 5 Bytes  JMP 0134B894 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetConnectA                                               408CDEAE 5 Bytes  JMP 0134B5D0 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!HttpSendRequestW                                               408CFABE 5 Bytes  JMP 0134C86C 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetOpenA                                                  408DD690 5 Bytes  JMP 0134B57C 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!HttpSendRequestA                                               408DEE89 5 Bytes  JMP 0134C380 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetReadFileExW                                            408E3349 5 Bytes  JMP 0134D36C 
    .text           C:\WINDOWS\Explorer.EXE[308] WININET.dll!InternetReadFileExA                                            408E3381 5 Bytes  JMP 0134D31C 
    .text           C:\WINDOWS\Explorer.EXE[308] C:\WINDOWS\system32\WS2_32.dll                                             section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\Explorer.EXE[308] C:\WINDOWS\system32\WS2_32.dll                                             entry point in ".data" section [0x71A241A1]
    .text           C:\Programme\Avira\AntiVir Desktop\sched.exe[384] C:\WINDOWS\system32\WS2_32.dll                        section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Avira\AntiVir Desktop\sched.exe[384] C:\WINDOWS\system32\WS2_32.dll                        entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtClose                                                           7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtClose + 4                                                       7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateFile                                                      7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateFile                                                      7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateFile + 4                                                  7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateKey                                                       7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateKey + 4                                                   7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateSection                                                   7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtCreateSection + 4                                               7C91D182 2 Bytes  [30, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtDeleteKey                                                       7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtDeleteKey + 4                                                   7C91D252 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtDeleteValueKey                                                  7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtDeleteValueKey + 4                                              7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtRenameKey                                                       7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtRenameKey + 4                                                   7C91DA62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtSetInformationFile                                              7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtSetInformationFile + 4                                          7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtSetValueKey                                                     7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtSetValueKey + 4                                                 7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtTerminateProcess                                                7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtTerminateProcess + 4                                            7C91DE72 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtWriteFile                                                       7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtWriteFile + 4                                                   7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtWriteFileGather                                                 7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtWriteFileGather + 4                                             7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtWriteVirtualMemory                                              7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] ntdll.dll!NtWriteVirtualMemory + 4                                          7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\WINDOWS\notepad.exe[420] kernel32.dll!LoadLibraryExW + C4                                            7C801BB9 4 Bytes  CALL 00AC0001 
    .text           C:\WINDOWS\notepad.exe[420] USER32.dll!ChangeDisplaySettingsExA                                         7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\WINDOWS\notepad.exe[420] USER32.dll!SetForegroundWindow                                              7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\WINDOWS\notepad.exe[420] USER32.dll!SetWindowPos                                                     7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[420] USER32.dll!SetWindowPos + 4                                                 7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\notepad.exe[420] USER32.dll!ChangeDisplaySettingsExW                                         7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Hamachi\hamachi.exe[424] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\Hamachi\hamachi.exe[424] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 010A0001 
    .text           C:\Programme\Hamachi\hamachi.exe[424] C:\WINDOWS\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Hamachi\hamachi.exe[424] C:\WINDOWS\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtClose                        7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtClose + 4                    7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateFile                   7C91D0AE 1 Byte  [FF]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateFile                   7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateFile + 4               7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateKey                    7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateKey + 4                7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateSection                7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtCreateSection + 4            7C91D182 2 Bytes  [30, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtDeleteKey                    7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtDeleteKey + 4                7C91D252 2 Bytes  [18, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtDeleteValueKey               7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtDeleteValueKey + 4           7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtRenameKey                    7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtRenameKey + 4                7C91DA62 2 Bytes  [21, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtSetInformationFile           7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtSetInformationFile + 4       7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtSetValueKey                  7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtSetValueKey + 4              7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtTerminateProcess             7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtTerminateProcess + 4         7C91DE72 2 Bytes  [33, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtWriteFile                    7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtWriteFile + 4                7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtWriteFileGather              7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtWriteFileGather + 4          7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtWriteVirtualMemory           7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] ntdll.dll!NtWriteVirtualMemory + 4       7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] kernel32.dll!LoadLibraryExW + C4         7C801BB9 4 Bytes  CALL 003C0001 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] USER32.dll!ChangeDisplaySettingsExA      7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] USER32.dll!SetForegroundWindow           7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] USER32.dll!SetWindowPos                  7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] USER32.dll!SetWindowPos + 4              7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\l6m18jg0.exe[516] USER32.dll!ChangeDisplaySettingsExW      7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtClose                                         7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtClose + 4                                     7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateFile                                    7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateFile                                    7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateFile + 4                                7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateKey                                     7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateKey + 4                                 7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateSection                                 7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtCreateSection + 4                             7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtDeleteKey                                     7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtDeleteKey + 4                                 7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtDeleteValueKey                                7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtDeleteValueKey + 4                            7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtRenameKey                                     7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtRenameKey + 4                                 7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtSetInformationFile                            7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtSetInformationFile + 4                        7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtSetValueKey                                   7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtSetValueKey + 4                               7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtTerminateProcess                              7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtTerminateProcess + 4                          7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtWriteFile                                     7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtWriteFile + 4                                 7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtWriteFileGather                               7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtWriteFileGather + 4                           7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtWriteVirtualMemory                            7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] ntdll.dll!NtWriteVirtualMemory + 4                        7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\ICQ6Toolbar\ICQ Service.exe[564] kernel32.dll!LoadLibraryExW + C4                          7C801BB9 4 Bytes  CALL 01470001 
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtClose                                               7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtClose + 4                                           7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateFile                                          7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateFile                                          7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateFile + 4                                      7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateKey                                           7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateKey + 4                                       7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateSection                                       7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtCreateSection + 4                                   7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtDeleteKey                                           7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtDeleteKey + 4                                       7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtDeleteValueKey                                      7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtDeleteValueKey + 4                                  7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtRenameKey                                           7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtRenameKey + 4                                       7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtSetInformationFile                                  7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtSetInformationFile + 4                              7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtSetValueKey                                         7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtSetValueKey + 4                                     7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtTerminateProcess                                    7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtTerminateProcess + 4                                7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtWriteFile                                           7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtWriteFile + 4                                       7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtWriteFileGather                                     7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtWriteFileGather + 4                                 7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtWriteVirtualMemory                                  7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] ntdll.dll!NtWriteVirtualMemory + 4                              7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] kernel32.dll!LoadLibraryExW + C4                                7C801BB9 4 Bytes  CALL 02720001 
    .text           C:\Programme\Java\jre6\bin\jqs.exe[636] C:\WINDOWS\system32\WS2_32.dll                                  section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Java\jre6\bin\jqs.exe[636] C:\WINDOWS\system32\WS2_32.dll                                  entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtClose                                                  7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtClose + 4                                              7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateFile                                             7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateFile                                             7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateFile + 4                                         7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateKey                                              7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateKey + 4                                          7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateSection                                          7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtCreateSection + 4                                      7C91D182 2 Bytes  [30, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtDeleteKey                                              7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtDeleteKey + 4                                          7C91D252 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtDeleteValueKey                                         7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtDeleteValueKey + 4                                     7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtRenameKey                                              7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtRenameKey + 4                                          7C91DA62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtSetInformationFile                                     7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtSetInformationFile + 4                                 7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtSetValueKey                                            7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtSetValueKey + 4                                        7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtTerminateProcess                                       7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtTerminateProcess + 4                                   7C91DE72 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtWriteFile                                              7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtWriteFile + 4                                          7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtWriteFileGather                                        7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtWriteFileGather + 4                                    7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtWriteVirtualMemory                                     7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] ntdll.dll!NtWriteVirtualMemory + 4                                 7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] kernel32.dll!LoadLibraryExW + C4                                   7C801BB9 4 Bytes  CALL 00AC0001 
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] USER32.dll!ChangeDisplaySettingsExA                                7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] USER32.dll!SetForegroundWindow                                     7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] USER32.dll!SetWindowPos                                            7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] USER32.dll!SetWindowPos + 4                                        7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[728] USER32.dll!ChangeDisplaySettingsExW                                7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtClose                                           7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtClose + 4                                       7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateFile                                      7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateFile                                      7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateFile + 4                                  7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateKey                                       7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateKey + 4                                   7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateSection                                   7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtCreateSection + 4                               7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtDeleteKey                                       7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtDeleteKey + 4                                   7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtDeleteValueKey                                  7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtDeleteValueKey + 4                              7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtRenameKey                                       7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtRenameKey + 4                                   7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtSetInformationFile                              7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtSetInformationFile + 4                          7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtSetValueKey                                     7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtSetValueKey + 4                                 7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtTerminateProcess                                7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtTerminateProcess + 4                            7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtWriteFile                                       7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtWriteFile + 4                                   7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtWriteFileGather                                 7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtWriteFileGather + 4                             7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtWriteVirtualMemory                              7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] ntdll.dll!NtWriteVirtualMemory + 4                          7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\CDBurnerXP\NMSAccessU.exe[784] kernel32.dll!LoadLibraryExW + C4                            7C801BB9 4 Bytes  CALL 00650001 
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00640001 
    .text           C:\WINDOWS\system32\PnkBstrA.exe[796] C:\WINDOWS\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\PnkBstrA.exe[796] C:\WINDOWS\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtClose                                         7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtClose + 4                                     7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateFile                                    7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateFile                                    7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateFile + 4                                7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateKey                                     7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateKey + 4                                 7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateSection                                 7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtCreateSection + 4                             7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtDeleteKey                                     7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtDeleteKey + 4                                 7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtDeleteValueKey                                7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtDeleteValueKey + 4                            7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtRenameKey                                     7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtRenameKey + 4                                 7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtSetInformationFile                            7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtSetInformationFile + 4                        7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtSetValueKey                                   7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtSetValueKey + 4                               7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtTerminateProcess                              7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtTerminateProcess + 4                          7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtWriteFile                                     7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtWriteFile + 4                                 7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtWriteFileGather                               7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtWriteFileGather + 4                           7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtWriteVirtualMemory                            7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] ntdll.dll!NtWriteVirtualMemory + 4                        7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] kernel32.dll!LoadLibraryExW + C4                          7C801BB9 4 Bytes  CALL 00730001 
    .text           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] C:\WINDOWS\system32\WS2_32.dll                            section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Spyware Doctor\pctsAuxs.exe[812] C:\WINDOWS\system32\WS2_32.dll                            entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtClose                                                    7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtClose + 4                                                7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateFile                                               7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateFile                                               7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateFile + 4                                           7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateKey                                                7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateKey + 4                                            7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateSection                                            7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtCreateSection + 4                                        7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtDeleteKey                                                7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtDeleteKey + 4                                            7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtDeleteValueKey                                           7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtDeleteValueKey + 4                                       7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtRenameKey                                                7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtRenameKey + 4                                            7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtSetInformationFile                                       7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtSetInformationFile + 4                                   7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtSetValueKey                                              7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtSetValueKey + 4                                          7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtTerminateProcess                                         7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtTerminateProcess + 4                                     7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtWriteFile                                                7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtWriteFile + 4                                            7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtWriteFileGather                                          7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtWriteFileGather + 4                                      7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtWriteVirtualMemory                                       7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\csrss.exe[824] ntdll.dll!NtWriteVirtualMemory + 4                                   7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\csrss.exe[824] KERNEL32.dll!LoadLibraryExW + C4                                     7C801BB9 4 Bytes  CALL 01830001 
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [12, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [15, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtSetValueKey                                           7C91DDCE 5 Bytes  JMP 01B412B0 
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\system32\winlogon.exe[856] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00A60001 
    .text           C:\WINDOWS\system32\winlogon.exe[856] C:\WINDOWS\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\winlogon.exe[856] C:\WINDOWS\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\services.exe[900] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\services.exe[900] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00F80001 
    .text           C:\WINDOWS\system32\services.exe[900] C:\WINDOWS\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\services.exe[900] C:\WINDOWS\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtClose                                                    7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtClose + 4                                                7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateFile                                               7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateFile                                               7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateFile + 4                                           7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateKey                                                7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateKey + 4                                            7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateSection                                            7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtCreateSection + 4                                        7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtDeleteKey                                                7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtDeleteKey + 4                                            7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtDeleteValueKey                                           7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtDeleteValueKey + 4                                       7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtRenameKey                                                7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtRenameKey + 4                                            7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtSetInformationFile                                       7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtSetInformationFile + 4                                   7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtSetValueKey                                              7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtSetValueKey + 4                                          7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtTerminateProcess                                         7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtTerminateProcess + 4                                     7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtWriteFile                                                7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtWriteFile + 4                                            7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtWriteFileGather                                          7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtWriteFileGather + 4                                      7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtWriteVirtualMemory                                       7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!NtWriteVirtualMemory + 4                                   7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!LoadLibraryExW + C4                                     7C801BB9 4 Bytes  CALL 00C50001 
    .text           C:\WINDOWS\system32\lsass.exe[912] C:\WINDOWS\system32\WS2_32.dll                                       section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\lsass.exe[912] C:\WINDOWS\system32\WS2_32.dll                                       entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtClose                                                7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtClose + 4                                            7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateFile                                           7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateFile                                           7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateFile + 4                                       7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateKey                                            7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateKey + 4                                        7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateSection                                        7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtCreateSection + 4                                    7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtDeleteKey                                            7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtDeleteKey + 4                                        7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtDeleteValueKey                                       7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtDeleteValueKey + 4                                   7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtRenameKey                                            7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtRenameKey + 4                                        7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtSetInformationFile                                   7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtSetInformationFile + 4                               7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtSetValueKey                                          7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtSetValueKey + 4                                      7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtTerminateProcess                                     7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtTerminateProcess + 4                                 7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtWriteFile                                            7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtWriteFile + 4                                        7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtWriteFileGather                                      7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtWriteFileGather + 4                                  7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtWriteVirtualMemory                                   7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] ntdll.dll!NtWriteVirtualMemory + 4                               7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1084] kernel32.dll!LoadLibraryExW + C4                                 7C801BB9 4 Bytes  CALL 01090001 
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00FD0001 
    .text           C:\WINDOWS\system32\svchost.exe[1100] c:\windows\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\svchost.exe[1100] c:\windows\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00F20001 
    .text           C:\WINDOWS\system32\svchost.exe[1180] c:\windows\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\svchost.exe[1180] c:\windows\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtClose                    7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtClose + 4                7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateFile               7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateFile               7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateFile + 4           7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateKey                7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateKey + 4            7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateSection            7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtCreateSection + 4        7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtDeleteKey                7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtDeleteKey + 4            7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtDeleteValueKey           7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtDeleteValueKey + 4       7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtRenameKey                7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtRenameKey + 4            7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtSetInformationFile       7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtSetInformationFile + 4   7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtSetValueKey              7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtSetValueKey + 4          7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtTerminateProcess         7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtTerminateProcess + 4     7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtWriteFile                7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtWriteFile + 4            7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtWriteFileGather          7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtWriteFileGather + 4      7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtWriteVirtualMemory       7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] ntdll.dll!NtWriteVirtualMemory + 4   7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] kernel32.dll!LoadLibraryExW + C4     7C801BB9 4 Bytes  CALL 00E40001 
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] USER32.dll!ChangeDisplaySettingsExA  7E37384E 6 Bytes  JMP 5F350F5A 
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] USER32.dll!SetForegroundWindow       7E3742ED 6 Bytes  JMP 5F2E0F5A 
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] USER32.dll!SetWindowPos              7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] USER32.dll!SetWindowPos + 4          7E3799F7 2 Bytes  [33, 5F]
    .text           C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[1336] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 6 Bytes  JMP 5F380F5A 
    .text           C:\Programme\Spyware Doctor\pctsSvc.exe[1404] kernel32.dll!CreateThread + 1A                            7C8106F1 4 Bytes  CALL 0044BC05 C:\Programme\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
    .text           C:\Programme\Spyware Doctor\pctsSvc.exe[1404] C:\WINDOWS\system32\WS2_32.dll                            section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Spyware Doctor\pctsSvc.exe[1404] C:\WINDOWS\system32\WS2_32.dll                            entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00E90001 
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\System32\svchost.exe[1532] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 02B50001 
    .text           C:\WINDOWS\System32\svchost.exe[1532] c:\windows\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\System32\svchost.exe[1532] c:\windows\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1608] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00BB0001 
    .text           C:\WINDOWS\system32\svchost.exe[1608] c:\windows\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\svchost.exe[1608] c:\windows\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtClose                                                  7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtClose + 4                                              7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateFile                                             7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateFile                                             7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateFile + 4                                         7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateKey                                              7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateKey + 4                                          7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateSection                                          7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtCreateSection + 4                                      7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtDeleteKey                                              7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtDeleteKey + 4                                          7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtDeleteValueKey                                         7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtDeleteValueKey + 4                                     7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtRenameKey                                              7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtRenameKey + 4                                          7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtSetInformationFile                                     7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtSetInformationFile + 4                                 7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtSetValueKey                                            7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtSetValueKey + 4                                        7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtTerminateProcess                                       7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtTerminateProcess + 4                                   7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtWriteFile                                              7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtWriteFile + 4                                          7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtWriteFileGather                                        7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtWriteFileGather + 4                                    7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtWriteVirtualMemory                                     7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] ntdll.dll!NtWriteVirtualMemory + 4                                 7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\wdfmgr.exe[1652] kernel32.dll!LoadLibraryExW + C4                                   7C801BB9 4 Bytes  CALL 00670001 
    .text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[1684] C:\WINDOWS\system32\WS2_32.dll                     section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Avira\AntiVir Desktop\avguard.exe[1684] C:\WINDOWS\system32\WS2_32.dll                     entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\svchost.exe[1764] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00CC0001 
    .text           C:\WINDOWS\system32\svchost.exe[1764] c:\windows\system32\WS2_32.dll                                    section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\svchost.exe[1764] c:\windows\system32\WS2_32.dll                                    entry point in ".data" section [0x71A241A1]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtClose                            7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtClose + 4                        7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateFile                       7C91D0AE 1 Byte  [FF]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateFile                       7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateFile + 4                   7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateKey                        7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateKey + 4                    7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateSection                    7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtCreateSection + 4                7C91D182 2 Bytes  [23, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtDeleteKey                        7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtDeleteKey + 4                    7C91D252 2 Bytes  [0B, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtDeleteValueKey                   7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtDeleteValueKey + 4               7C91D272 2 Bytes  [11, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtRenameKey                        7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtRenameKey + 4                    7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtSetInformationFile               7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtSetInformationFile + 4           7C91DC62 2 Bytes  [20, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtSetValueKey                      7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtSetValueKey + 4                  7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtTerminateProcess                 7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtTerminateProcess + 4             7C91DE72 2 Bytes  [26, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtWriteFile                        7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtWriteFile + 4                    7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtWriteFileGather                  7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtWriteFileGather + 4              7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtWriteVirtualMemory               7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] ntdll.dll!NtWriteVirtualMemory + 4           7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] kernel32.dll!LoadLibraryExW + C4             7C801BB9 4 Bytes  CALL 00880001 
    .text           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] C:\WINDOWS\system32\ws2_32.dll               section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe[1804] C:\WINDOWS\system32\ws2_32.dll               entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtClose                                                7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtClose + 4                                            7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateFile                                           7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateFile                                           7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateFile + 4                                       7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateKey                                            7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateKey + 4                                        7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateSection                                        7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtCreateSection + 4                                    7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtDeleteKey                                            7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtDeleteKey + 4                                        7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtDeleteValueKey                                       7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtDeleteValueKey + 4                                   7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtRenameKey                                            7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtRenameKey + 4                                        7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtSetInformationFile                                   7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtSetInformationFile + 4                               7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtSetValueKey                                          7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtSetValueKey + 4                                      7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtTerminateProcess                                     7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtTerminateProcess + 4                                 7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtWriteFile                                            7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtWriteFile + 4                                        7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtWriteFileGather                                      7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtWriteFileGather + 4                                  7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtWriteVirtualMemory                                   7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] ntdll.dll!NtWriteVirtualMemory + 4                               7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\Ati2evxx.exe[1824] kernel32.dll!LoadLibraryExW + C4                                 7C801BB9 4 Bytes  CALL 003B0001 
    .text           C:\Programme\Spyware Doctor\pctsTray.exe[2156] kernel32.dll!CreateThread + 1A                           7C8106F1 4 Bytes  CALL 0044B8D9 C:\Programme\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
    .text           C:\Programme\Spyware Doctor\pctsTray.exe[2156] C:\WINDOWS\system32\WS2_32.dll                           section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Programme\Spyware Doctor\pctsTray.exe[2156] C:\WINDOWS\system32\WS2_32.dll                           entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtClose                                                  7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtClose + 4                                              7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateFile                                             7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateFile                                             7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateFile + 4                                         7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateKey                                              7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateKey + 4                                          7C91D0F2 2 Bytes  [05, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateSection                                          7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtCreateSection + 4                                      7C91D182 2 Bytes  [23, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtDeleteKey                                              7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtDeleteKey + 4                                          7C91D252 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtDeleteValueKey                                         7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtDeleteValueKey + 4                                     7C91D272 2 Bytes  [11, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtRenameKey                                              7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtRenameKey + 4                                          7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtSetInformationFile                                     7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtSetInformationFile + 4                                 7C91DC62 2 Bytes  [20, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtSetValueKey                                            7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtSetValueKey + 4                                        7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtTerminateProcess                                       7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtTerminateProcess + 4                                   7C91DE72 2 Bytes  [26, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtWriteFile                                              7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtWriteFile + 4                                          7C91DF82 2 Bytes  [1A, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtWriteFileGather                                        7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtWriteFileGather + 4                                    7C91DF92 2 Bytes  [1D, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtWriteVirtualMemory                                     7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] ntdll.dll!NtWriteVirtualMemory + 4                                 7C91DFB2 2 Bytes  [29, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] kernel32.dll!LoadLibraryExW + C4                                   7C801BB9 4 Bytes  CALL 00CD0001 
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] USER32.dll!ChangeDisplaySettingsExA                                7E37384E 6 Bytes  JMP 5F350F5A 
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] USER32.dll!SetForegroundWindow                                     7E3742ED 6 Bytes  JMP 5F2E0F5A 
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] USER32.dll!SetWindowPos                                            7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] USER32.dll!SetWindowPos + 4                                        7E3799F7 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\system32\ctfmon.exe[2280] USER32.dll!ChangeDisplaySettingsExW                                7E3A95BD 6 Bytes  JMP 5F380F5A 
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtClose                              7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtClose + 4                          7C91CFF2 2 Bytes  [2C, 5F] {SUB AL, 0x5f}
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateFile                         7C91D0AE 1 Byte  [FF]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateFile                         7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateFile + 4                     7C91D0B2 2 Bytes  [17, 5F] {POP SS; POP EDI}
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateKey                          7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateKey + 4                      7C91D0F2 2 Bytes  [05, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateSection                      7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtCreateSection + 4                  7C91D182 2 Bytes  [23, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtDeleteKey                          7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtDeleteKey + 4                      7C91D252 2 Bytes  [0B, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtDeleteValueKey                     7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtDeleteValueKey + 4                 7C91D272 2 Bytes  [11, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtRenameKey                          7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtRenameKey + 4                      7C91DA62 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtSetInformationFile                 7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtSetInformationFile + 4             7C91DC62 2 Bytes  [20, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtSetValueKey                        7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtSetValueKey + 4                    7C91DDD2 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtTerminateProcess                   7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtTerminateProcess + 4               7C91DE72 2 Bytes  [26, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtWriteFile                          7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtWriteFile + 4                      7C91DF82 2 Bytes  [1A, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtWriteFileGather                    7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtWriteFileGather + 4                7C91DF92 2 Bytes  [1D, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtWriteVirtualMemory                 7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] ntdll.dll!NtWriteVirtualMemory + 4             7C91DFB2 2 Bytes  [29, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] kernel32.dll!LoadLibraryExW + C4               7C801BB9 4 Bytes  CALL 012D0001 
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] C:\WINDOWS\system32\WS2_32.dll                 section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] C:\WINDOWS\system32\WS2_32.dll                 entry point in ".data" section [0x71A241A1]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] USER32.dll!ChangeDisplaySettingsExA            7E37384E 6 Bytes  JMP 5F350F5A 
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] USER32.dll!SetForegroundWindow                 7E3742ED 6 Bytes  JMP 5F2E0F5A 
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] USER32.dll!SetWindowPos                        7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] USER32.dll!SetWindowPos + 4                    7E3799F7 2 Bytes  [33, 5F]
    .text           F:\Alle Treiber vom 01.12.08\VNC Server\NODfix.exe[2320] USER32.dll!ChangeDisplaySettingsExW            7E3A95BD 6 Bytes  JMP 5F380F5A 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtClose                            7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtClose + 4                        7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateFile                       7C91D0AE 1 Byte  [FF]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateFile                       7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateFile + 4                   7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateKey                        7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateKey + 4                    7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateSection                    7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtCreateSection + 4                7C91D182 2 Bytes  [30, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtDeleteKey                        7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtDeleteKey + 4                    7C91D252 2 Bytes  [18, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtDeleteValueKey                   7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtDeleteValueKey + 4               7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtRenameKey                        7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtRenameKey + 4                    7C91DA62 2 Bytes  [21, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtSetInformationFile               7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtSetInformationFile + 4           7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtSetValueKey                      7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtSetValueKey + 4                  7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtTerminateProcess                 7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtTerminateProcess + 4             7C91DE72 2 Bytes  [33, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtWriteFile                        7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtWriteFile + 4                    7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtWriteFileGather                  7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtWriteFileGather + 4              7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtWriteVirtualMemory               7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] ntdll.dll!NtWriteVirtualMemory + 4           7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] kernel32.dll!LoadLibraryExW + C4             7C801BB9 4 Bytes  CALL 003C0001 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] USER32.dll!ChangeDisplaySettingsExA          7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] USER32.dll!SetForegroundWindow               7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] USER32.dll!SetWindowPos                      7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] USER32.dll!SetWindowPos + 4                  7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] USER32.dll!ChangeDisplaySettingsExW          7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] C:\WINDOWS\system32\WS2_32.dll               section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\Dokumente und Einstellungen\Menni\Desktop\OTL.exe[2404] C:\WINDOWS\system32\WS2_32.dll               entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtClose                                                     7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtClose + 4                                                 7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateFile                                                7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateFile                                                7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateFile + 4                                            7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateKey                                                 7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateKey + 4                                             7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateSection                                             7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtCreateSection + 4                                         7C91D182 2 Bytes  [30, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtDeleteKey                                                 7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtDeleteKey + 4                                             7C91D252 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtDeleteValueKey                                            7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtDeleteValueKey + 4                                        7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtRenameKey                                                 7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtRenameKey + 4                                             7C91DA62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtSetInformationFile                                        7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtSetInformationFile + 4                                    7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtSetValueKey                                               7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtSetValueKey + 4                                           7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtTerminateProcess                                          7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtTerminateProcess + 4                                      7C91DE72 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtWriteFile                                                 7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtWriteFile + 4                                             7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtWriteFileGather                                           7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtWriteFileGather + 4                                       7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtWriteVirtualMemory                                        7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] ntdll.dll!NtWriteVirtualMemory + 4                                    7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] kernel32.dll!LoadLibraryExW + C4                                      7C801BB9 4 Bytes  CALL 00840001 
    .text           C:\WINDOWS\System32\alg.exe[2496] USER32.dll!ChangeDisplaySettingsExA                                   7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\WINDOWS\System32\alg.exe[2496] USER32.dll!SetForegroundWindow                                        7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\WINDOWS\System32\alg.exe[2496] USER32.dll!SetWindowPos                                               7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\System32\alg.exe[2496] USER32.dll!SetWindowPos + 4                                           7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\System32\alg.exe[2496] USER32.dll!ChangeDisplaySettingsExW                                   7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\WINDOWS\System32\alg.exe[2496] C:\WINDOWS\System32\WS2_32.dll                                        section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\System32\alg.exe[2496] C:\WINDOWS\System32\WS2_32.dll                                        entry point in ".data" section [0x71A241A1]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtClose                                                 7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtClose + 4                                             7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateFile                                            7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateFile                                            7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateFile + 4                                        7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateKey                                             7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateKey + 4                                         7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateSection                                         7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtCreateSection + 4                                     7C91D182 2 Bytes  [30, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtDeleteKey                                             7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtDeleteKey + 4                                         7C91D252 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtDeleteValueKey                                        7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtDeleteValueKey + 4                                    7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtRenameKey                                             7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtRenameKey + 4                                         7C91DA62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtSetInformationFile                                    7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtSetInformationFile + 4                                7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtSetValueKey                                           7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtSetValueKey + 4                                       7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtTerminateProcess                                      7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtTerminateProcess + 4                                  7C91DE72 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtWriteFile                                             7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtWriteFile + 4                                         7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtWriteFileGather                                       7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtWriteFileGather + 4                                   7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtWriteVirtualMemory                                    7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] ntdll.dll!NtWriteVirtualMemory + 4                                7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] kernel32.dll!LoadLibraryExW + C4                                  7C801BB9 4 Bytes  CALL 00AC0001 
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] USER32.dll!ChangeDisplaySettingsExA                               7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] USER32.dll!SetForegroundWindow                                    7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] USER32.dll!SetWindowPos                                           7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] USER32.dll!SetWindowPos + 4                                       7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\NOTEPAD.EXE[2852] USER32.dll!ChangeDisplaySettingsExW                               7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtClose                                                          7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtClose + 4                                                      7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateFile                                                     7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateFile                                                     7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateFile + 4                                                 7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateKey                                                      7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateKey + 4                                                  7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateSection                                                  7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtCreateSection + 4                                              7C91D182 2 Bytes  [30, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtDeleteKey                                                      7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtDeleteKey + 4                                                  7C91D252 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtDeleteValueKey                                                 7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtDeleteValueKey + 4                                             7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtRenameKey                                                      7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtRenameKey + 4                                                  7C91DA62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtSetInformationFile                                             7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtSetInformationFile + 4                                         7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtSetValueKey                                                    7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtSetValueKey + 4                                                7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtTerminateProcess                                               7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtTerminateProcess + 4                                           7C91DE72 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtWriteFile                                                      7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtWriteFile + 4                                                  7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtWriteFileGather                                                7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtWriteFileGather + 4                                            7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtWriteVirtualMemory                                             7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] ntdll.dll!NtWriteVirtualMemory + 4                                         7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] kernel32.dll!LoadLibraryExW + C4                                           7C801BB9 4 Bytes  CALL 00AC0001 
    .text           C:\WINDOWS\notepad.exe[3712] USER32.dll!ChangeDisplaySettingsExA                                        7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\WINDOWS\notepad.exe[3712] USER32.dll!SetForegroundWindow                                             7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\WINDOWS\notepad.exe[3712] USER32.dll!SetWindowPos                                                    7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\notepad.exe[3712] USER32.dll!SetWindowPos + 4                                                7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\notepad.exe[3712] USER32.dll!ChangeDisplaySettingsExW                                        7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtClose                                           7C91CFEE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtClose + 4                                       7C91CFF2 2 Bytes  [39, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateFile                                      7C91D0AE 1 Byte  [FF]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateFile                                      7C91D0AE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateFile + 4                                  7C91D0B2 2 Bytes  [24, 5F] {AND AL, 0x5f}
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateKey                                       7C91D0EE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateKey + 4                                   7C91D0F2 2 Bytes  [14, 5F] {ADC AL, 0x5f}
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateSection                                   7C91D17E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtCreateSection + 4                               7C91D182 2 Bytes  [30, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtDeleteKey                                       7C91D24E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtDeleteKey + 4                                   7C91D252 2 Bytes  [18, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtDeleteValueKey                                  7C91D26E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtDeleteValueKey + 4                              7C91D272 2 Bytes  [1E, 5F] {PUSH DS; POP EDI}
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtRenameKey                                       7C91DA5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtRenameKey + 4                                   7C91DA62 2 Bytes  [21, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtSetInformationFile                              7C91DC5E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtSetInformationFile + 4                          7C91DC62 2 Bytes  [2D, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtSetValueKey                                     7C91DDCE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtSetValueKey + 4                                 7C91DDD2 2 Bytes  [1B, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtTerminateProcess                                7C91DE6E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtTerminateProcess + 4                            7C91DE72 2 Bytes  [33, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtWriteFile                                       7C91DF7E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtWriteFile + 4                                   7C91DF82 2 Bytes  [27, 5F] {DAA ; POP EDI}
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtWriteFileGather                                 7C91DF8E 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtWriteFileGather + 4                             7C91DF92 2 Bytes  [2A, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtWriteVirtualMemory                              7C91DFAE 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] ntdll.dll!NtWriteVirtualMemory + 4                          7C91DFB2 2 Bytes  [36, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] kernel32.dll!LoadLibraryExW + C4                            7C801BB9 4 Bytes  CALL 00940001 
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] USER32.dll!ChangeDisplaySettingsExA                         7E37384E 6 Bytes  JMP 5F0D0F5A 
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] USER32.dll!SetForegroundWindow                              7E3742ED 6 Bytes  JMP 5F040F5A 
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] USER32.dll!SetWindowPos                                     7E3799F3 3 Bytes  [FF, 25, 1E]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] USER32.dll!SetWindowPos + 4                                 7E3799F7 2 Bytes  [0B, 5F]
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] USER32.dll!ChangeDisplaySettingsExW                         7E3A95BD 6 Bytes  JMP 5F100F5A 
    .text           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] C:\WINDOWS\system32\WS2_32.dll                              section is writeable [0x71A11000, 0x12153, 0xE0000040]
    .data           C:\WINDOWS\system32\wbem\wmiapsrv.exe[4080] C:\WINDOWS\system32\WS2_32.dll                              entry point in ".data" section [0x71A241A1]
    
    ---- Devices - GMER 1.0.15 ----
    
    AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                  sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    
    Device          \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32                                                       PCTSDInj32.sys
    
    AttachedDevice  \FileSystem\Fastfat \Fat                                                                                fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice  \FileSystem\Fastfat \Fat                                                                                sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    
    ---- EOF - GMER 1.0.15 ----

  4. #4
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Re: Please take a look here ..

    Posted twice by accident.
    Edited by Kadice (15.08.2010 at 17:21)

  5. #5
    Moderator Team Member Swisstreasure
    Registered since
    13.08.2009
    Location
    Switzerland
    Posts
    3,534

    Re: Please take a look here ..

    Did you set up the proxy this way yourself?
    "ProxyServer" = http=www-proxy.t-online.de:80;ftp=ftp-proxy.t-online.de:80

  6. #6
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Re: Please take a look here ..

    If there is something fishy about it, I did not knowingly set it up that way. I set it up about 2 years ago following the t-online instructions.

  7. #7
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Re: Please take a look here ..

    It just occurred to me:
    For some time now (a few months), whenever I want to write an e-mail, I get a notice that my current e-mail address is
    [long combination of numbers], even though I still receive e-mails at my personal address. Is that related?

  8. #8
    Moderator Team Member Swisstreasure
    Registered since
    13.08.2009
    Location
    Switzerland
    Posts
    3,534

    Re: Please take a look here ..

    Yes, then change your e-mail password.

    Step 1

    Fix with OTL
    • Start OTL.exe.
    • Vista and Windows 7 users: right-click OTL.exe and choose "Run as administrator".
    • Copy the following script:
    Code:
    :OTL
    O27 - HKLM IFEO\RapportMgmtService.exe: Debugger - ZASRAKOMONDOHUI31338.EXE File not found
    O27 - HKLM IFEO\RapportService.exe: Debugger - ZASRAKOMONDOHUI31338.EXE File not found
    O27 - HKLM IFEO\userinit.exe: Debugger - mony.exe ()
    @Alternate Data Stream - 210 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
    • and paste it here:
    • Close all programs.
    • Click the Fix button.
    • Click .
    • OTL will ask for a restart. Please allow it.
    • After the restart you will find a text document.
      Copy its contents into your thread here, inside code tags.

    Step 2

    Download Malwarebytes Anti-Malware (approx. 2 MB) from these download mirrors:
    • Install the program to the default path.
    • Remember to start the program as admin on Vista; otherwise start it with a double-click.
    • Let it update online (Updates tab) if that does not happen automatically (approx. 1 MB).
    • Select "Perform full scan" => Scan.
    • Select all available drives and start the scan.
    • When the scan has finished, click "Show results".
    • Make sure all findings are checked and press "Delete".
    • Post the log file, which opens in Notepad, here in the thread.
    • You can find the report afterwards under "Scan reports".
    • Report how the computer is running now.
    You can find detailed, illustrated instructions here.

    Step 3

    Scan with SystemLook

    Download SystemLook by jpshortstuff from one of the following mirrors and save the tool to the desktop.

    Download Mirror #1 - Download Mirror #2
    • Double-click SystemLook.exe to start the tool.
      Vista users: right-click and run as administrator.
    • Copy the contents of the following code box into the tool's text field:

      Code:
      :regfind
      RapportMgmtService
      RapportService.exe
      
      :filefind
      mony.exe
    • Now click the Look button to start the scan.
    • When the search has finished, your editor will open with the results; post them here in the thread.
    • The results are saved on the desktop as SystemLook.txt.

  9. #9
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Re: Please take a look here ..

    Code:
    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\ deleted successfully.
    File mony.exe not found.
    ADS C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8 deleted successfully.
    ========== COMMANDS ==========
     
    [EMPTYTEMP]
     
    User: Administrator
     
    User: All Users
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41 bytes
     
    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 40626 bytes
     
    User: Menni
    ->Temp folder emptied: 76398773 bytes
    ->Temporary Internet Files folder emptied: 26091929 bytes
    ->Java cache emptied: 75698478 bytes
    ->FireFox cache emptied: 39714147 bytes
    ->Flash cache emptied: 48870 bytes
     
    User: menni_2
    ->Temp folder emptied: 1436460960 bytes
    ->Temporary Internet Files folder emptied: 4784767 bytes
    ->Java cache emptied: 65693045 bytes
    ->FireFox cache emptied: 121713222 bytes
    ->Flash cache emptied: 143128 bytes
     
    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 6502791 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4186837 bytes
    RecycleBin emptied: 0 bytes
     
    Total Files Cleaned = 1.772,00 mb
     
     
    OTL by OldTimer - Version 3.2.9.1 log created on 08152010_232606
    
    Files\Folders moved on Reboot...
    
    Registry entries deleted on Reboot...
    Malwarebytes does not start automatically; it is a php file that I cannot open either.
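
Added example, not part of the original thread and not code from OTL: a short Python check that compares the fix script from post #8 with the OTL result log from post #9, confirming that every Image File Execution Options Debugger entry and alternate data stream named in the script is reported as deleted, and listing files the log could not find. The input lines are copied from the two posts; the function names and regular expressions are assumptions made for this example.

```python
import re

# Lines copied from the fix script (post #8) and the OTL result log (post #9).
FIX_SCRIPT = r"""
O27 - HKLM IFEO\RapportMgmtService.exe: Debugger - ZASRAKOMONDOHUI31338.EXE File not found
O27 - HKLM IFEO\RapportService.exe: Debugger - ZASRAKOMONDOHUI31338.EXE File not found
O27 - HKLM IFEO\userinit.exe: Debugger - mony.exe ()
@Alternate Data Stream - 210 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8
"""
FIX_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\ deleted successfully.
File mony.exe not found.
ADS C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8 deleted successfully.
"""

# (kind, regex) pairs; the named group "v" captures the item being tracked.
REQUESTED = [("ifeo", re.compile(r"^O27 - HKLM IFEO\\(?P<v>[^:]+): Debugger - ")),
             ("ads", re.compile(r"^@Alternate Data Stream - \d+ bytes -> (?P<v>.+)$"))]
CONFIRMED = [("ifeo", re.compile(r"Image File Execution Options\\(?P<v>[^\\]+)\\ deleted successfully\.$")),
             ("ads", re.compile(r"^ADS (?P<v>.+) deleted successfully\.$"))]
NOT_FOUND = [("file", re.compile(r"^File (?P<v>.+) not found\.$"))]

def parse(text, patterns):
    """Return {(kind, value)} for every line matched by one of the patterns."""
    found = set()
    for line in text.splitlines():
        for kind, rx in patterns:
            if m := rx.search(line.strip()):
                found.add((kind, m["v"].lower()))
    return found

def unresolved(script, log):
    """Items the fix script targeted that the log does not report as deleted."""
    return parse(script, REQUESTED) - parse(log, CONFIRMED)

def files_not_found(log):
    """Files the log could not locate; these still need a separate search."""
    return sorted(v for _, v in parse(log, NOT_FOUND))

if __name__ == "__main__":
    print("unresolved:", unresolved(FIX_SCRIPT, FIX_LOG))
    print("still to locate:", files_not_found(FIX_LOG))
```

For this thread the check reports nothing unresolved and lists mony.exe as not found, which is the file the SystemLook :filefind step in post #8 searches for.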

  10. #10
    Forum user
    Registered since
    14.08.2010
    Posts
    30

    Re: Please take a look here ..

    Now it works!! I took the second download option (Major Greek), found the exe file there too, and then carried on following your instructions. The full scan is running right now. I'll report back when the scan is finished.
