Pests of all kinds and how to fight them: Strong suspicion of virus/trojan (Windows 7)
#1
Hello! I've noticed that my PC has become noticeably slower over the last few days. Also, my antivirus (Avast) found a trojan about 2 weeks ago, which was deleted, so I thought everything was fine again. Well, I have now run the 3 programs as described in the guide and attached the log files. I hope you can help me! Regards

Hmm, did I do something wrong? I don't want to be annoying, but I think my thread is slowly sinking.

Edited by Da GuRu (30.04.2012 at 19:06). Reason: Strong suspicion of virus/trojan
#2
/// Winkelfunktion /// (TB-Süch-Tiger™)
Re: Strong suspicion of virus/trojan
Quote:
Please post everything here in CODE tags whenever possible. It's done like this: [code] the log goes here [/code] And the whole thing then looks like this: Code:
the log goes here
__________________
No help via PM! Use the forum! Recovering data after an encryption trojan | Please don't post HijackThis logs | Support the Trojaner-Board
#3
Avast Reports: Code:
C:\Users\****\AppData\Local\Temp\cgs8h0.exe Bedrohung: Win32:Rootkit-gen [Rtk]
C:\Users\****\AppData\Local\Temp\cgs8h1.exe Bedrohung: Win32:Rootkit-gen [Rtk]
C:\Users\****\AppData\Local\Temp\cgs8h2.exe Bedrohung: Win32:Rootkit-gen [Rtk]
C:\Users\****\AppData\Local\Temp\cgs8h3.exe Bedrohung: Win32:Rootkit-gen [Rtk]
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:21 on 30/04/2012 (****)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
DDS Logfile: Code:
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by **** at 12:22:49 on 2012-04-30
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.49.1031.18.3583.2406 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [PlayNC Launcher]
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [VIAAUD] c:\program files\via\viaudioi\vdeck\VIAAUD.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube to MP3 Converter - c:\users\****\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/de/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{007D5165-2504-47F8-9C7C-854EE0914DDF} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{17C25BBA-AB76-4DFC-BC39-D08E14B664D4}\57E6A756E6762757265627 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{17C25BBA-AB76-4DFC-BC39-D08E14B664D4}\64259445A51224F6870275C414E40233033303 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{17C25BBA-AB76-4DFC-BC39-D08E14B664D4}\B4572616D275C414E4 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1}\16577656 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1}\75C414E4D2131303243383 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1}\B4572616D275C414E4 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{46474865-D3E9-44C0-825C-C49669E17E4E} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{62B1F67C-720E-4910-9143-FC4B0B1434D0} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{62B1F67C-720E-4910-9143-FC4B0B1434D0}\75C414E4D2131303243383 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{62B1F67C-720E-4910-9143-FC4B0B1434D0}\D496B6B6F6C69636A71224F68702 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{B6BD8B91-C2D2-4A2A-A256-C158072F3593} : DhcpNameServer = 192.168.2.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\****\appdata\roaming\mozilla\firefox\profiles\wxoysspe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.facemoods.com/?a=ddrnw
FF - prefs.js: network.proxy.http - 70.89.2.57
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\****\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-18 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-18 337880]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-1-16 218688]
R1 ntiomin;ntiomin;c:\windows\system32\drivers\ntiomin.sys [2010-8-10 11392]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-6 163328]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-12-5 291840]
R2 AODDriver4.01;AODDriver4.01;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2011-6-24 39424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-18 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-18 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-3-25 44768]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-28 1373576]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-8-30 2358656]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-6-1 37944]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-12-6 9067008]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-12-6 264192]
R3 athur;Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2011-10-27 1559552]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-11-23 131856]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-11-25 1108480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2012-1-7 95304]
S3 netr73;RT73 USB-Drahtlos-LAN-Kartentreiber für Vista;c:\windows\system32\drivers\netr73.sys [2009-6-10 545792]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;c:\windows\system32\drivers\wg111v3.sys [2011-7-8 376832]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 583680]
S4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-03-24 22:43:28 314880 ----a-w- c:\windows\system32\fmodex.dll
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:02:14 44376 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-06 23:01:48 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-06 05:59:41 3958128 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-06 05:59:41 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-01 05:53:27 19312 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:49:05 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:45:05 158720 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:40:44 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 05:44:57 826368 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-15 04:22:43 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-15 04:22:18 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 05:41:38 1074176 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:41:20 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-10 05:41:20 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-10 05:41:20 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-10 05:41:19 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-02-03 04:01:58 2341376 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:23:15,06 ===============
Attach: Code:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 01.06.2011 19:12:03
System Uptime: 30.04.2012 11:58:03 (1 hours ago)
.
Motherboard: ASRock | | N68-S3 UCC
Processor: AMD Phenom(tm) II X6 1055T Processor | CPUSocket | 2800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 395,408 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP187: 17.04.2012 23:12:30 - Windows Update
RP188: 21.04.2012 03:32:02 - Windows Update
RP189: 24.04.2012 17:53:41 - Windows Update
RP190: 27.04.2012 20:02:31 - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1) - Deutsch
Aion
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
Apple Application Support
Apple Software Update
ASIO4ALL
µTorrent
Audiosurf
avast! Free Antivirus
Battlefield Play4Free
Belkin Connect Wireless USB Adapter
Bully Scholarship Edition
Camtasia Studio 7
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CPUCooL (remove only)
Curse Client
D3DX10
DAEMON Tools Lite
Diablo III Beta
DIE SIEDLER - Das Erbe der Könige
EVE Online (remove only)
Fallout New Vegas
FL Studio 10
FL Studio 9
Forsaken World
Fraps (remove only)
Free YouTube to MP3 Converter version 3.10.5.722
Garena 2010
GIMP 2.6.11
Global Agenda
GUILD WARS
Half-Life 2
Half-Life 2: Episode One
Hardcore
Hydra VSTi/DXi v1.2
IL Download Manager
ILLUSION RapeLay
iZotope Ozone 4
JA Launcher
Java Auto Updater
Java(TM) 6 Update 30
JDownloader 0.9
League of Legends
LogMeIn Hamachi
LOLReplay
Malwarebytes Anti-Malware Version 1.60.1.1000
Mass Effect 2 German
Messenger Plus! 5
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile DEU Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended DEU Language Pack
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft XNA Framework Redistributable 4.0
MotioninJoy ds3 driver version 0.6.0005
Mozilla Firefox 11.0 (x86 de)
MSVCRT
MTA:SA v1.0.5
NCsoft Launcher
NETGEAR WG111v3 wireless USB 2.0 adapter
NVIDIA Drivers
NVIDIA PhysX
Ohm Force - Ohmicide VST
Orcs Must Die!
Pando Media Booster
Platform
PoiZone
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
reFX Nexus VSTi RTAS v2.2.0
Sandboxie 3.62 (32-bit)
Sawer
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Sonic Charge µTonic VSTi v2.0.1
Spiral Knights
Supreme Commander
Supreme Commander 2
Supreme Commander: Forged Alliance
Sylenth1 v2.20
TeamSpeak 3 Client
TeamViewer 6
Terraria
thriXXX 3DSexVilla2-114.001
TmNationsForever
Toxic Biohazard
TP-LINK Drahtlos Tool
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VIA Plattform-Geräte-Manager
VirtualDJ Home FREE
Vista Anti-Lag 1.1.1
VLC media player 1.1.10
Waves Diamond Bundle v5.2
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinRAR 4.01 (32-Bit)
World of Warcraft
X-Universe Plugin Manager V1.30 by Cycrow
X3 Terran Conflict v3.1
.
==== End Of File ===========================
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-04-30 13:09:53
Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000069 SAMSUNG_ rev.1AJ1
Running: v7pnp6d1.exe; Driver: C:\Users\****\AppData\Local\Temp\kxldqpog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9203CDF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x92384A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9203D85E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x920422E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x92042330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x92042422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x92042252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x92042374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9204229A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x920423DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9203CE44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x92384B34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9203CAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9203CE90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9203FD1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9203DB02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9204230E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x92042352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x92042446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x92042278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x920423AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x920422C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x92042400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x92384CA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9203D9CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9203CEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9203CF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9203CB46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9203CCEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9203CC92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9203CD5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x92384D60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9203CF74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x92384BE0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9239AD92]
Code 9A668BFC ZwTraceEvent
Code 9A668BFB NtTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!NtTraceEvent 82E71E24 5 Bytes JMP 9A668C00
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E825C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA7092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 244 82EAE884 4 Bytes [F8, CD, 03, 92] {CLC ; INT 0x3; XCHG EDX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 26C 82EAE8AC 4 Bytes [5A, 4A, 38, 92]
.text ntkrnlpa.exe!RtlSidHashLookup + 2CC 82EAE90C 2 Bytes [5E, D8]
.text ntkrnlpa.exe!RtlSidHashLookup + 2CF 82EAE90F 1 Byte [92]
.text ntkrnlpa.exe!RtlSidHashLookup + 320 82EAE960 8 Bytes [E4, 22, 04, 92, 30, 23, 04, ...] {IN AL, 0x22; ADD AL, 0x92; XOR [EBX], AH; ADD AL, 0x92}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 830483BE 5 Bytes JMP 92397C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 830620CD 5 Bytes JMP 92399764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 830AC75A 4 Bytes CALL 9203E1B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2 830B474B 5 Bytes JMP 9A668DE0
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 830B486B 4 Bytes CALL 9203E1CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort + 2 830B6173 5 Bytes JMP 9A668D40
PAGE ntkrnlpa.exe!NtRequestPort + 2 830CA3D9 5 Bytes JMP 9A668CA0
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8311A4FE 7 Bytes JMP 9239AD96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9623A000, 0x3C12C5, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x95DB5300, 0x1BCE, 0xE8000020]
? C:\Users\****\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. !
.text kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[388] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[388] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[388] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\csrss.exe[432] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\wininit.exe[512] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[512] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\csrss.exe[520] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 000D0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000D03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 000D0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000D01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[524] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 000D0600
.text C:\Windows\system32\services.exe[560] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[560] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[560] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\lsass.exe[580] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[580] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[580] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\lsass.exe[580] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 001D0A08
.text C:\Windows\system32\lsass.exe[580] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001D03FC
.text C:\Windows\system32\lsass.exe[580] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 001D0804
.text C:\Windows\system32\lsass.exe[580] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001D01F8
.text C:\Windows\system32\lsass.exe[580] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 001D0600
.text C:\Windows\system32\lsm.exe[588] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[588] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[588] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[728] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[728] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[728] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[728] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[728] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[728] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[728] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[728] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\svchost.exe[760] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[760] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[852] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[852] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[916] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 001603FC
.text C:\Windows\system32\atiesrxx.exe[916] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 001601F8
.text C:\Windows\system32\atiesrxx.exe[916] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[916] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 002F0A08
.text C:\Windows\system32\atiesrxx.exe[916] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 002F03FC
.text C:\Windows\system32\atiesrxx.exe[916] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 002F0804
.text C:\Windows\system32\atiesrxx.exe[916] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 002F01F8
.text C:\Windows\system32\atiesrxx.exe[916] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 002F0600
.text C:\Windows\system32\AUDIODG.EXE[940] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\AUDIODG.EXE[940] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000A01F8
.text C:\Windows\system32\AUDIODG.EXE[940] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[940] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00140A08
.text C:\Windows\system32\AUDIODG.EXE[940] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001403FC
.text C:\Windows\system32\AUDIODG.EXE[940] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00140804
.text C:\Windows\system32\AUDIODG.EXE[940] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001401F8
.text C:\Windows\system32\AUDIODG.EXE[940] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00140600
.text C:\Windows\System32\svchost.exe[984] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[984] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\System32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 002B0A08
.text C:\Windows\System32\svchost.exe[984] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 002B03FC
.text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 002B0804
.text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 002B01F8
.text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 002B0600
.text C:\Windows\System32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1036] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00940A08
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 009403FC
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00940804
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 009401F8
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00940600
.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00AF0A08
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 00AF03FC
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00AF0804
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 00AF01F8
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00AF0600
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00110A08
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001103FC
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00110804
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001101F8
.text C:\Windows\system32\wbem\wmiprvse.exe[1176] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00110600
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00570A08
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 005703FC
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00570804
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 005701F8
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00570600
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000903FC
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000901F8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00230A08
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 002303FC
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00230804
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 002301F8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1272] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00230600
.text C:\Windows\system32\svchost.exe[1416] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1416] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1416] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1432] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 001603FC
.text C:\Windows\system32\atieclxx.exe[1432] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 001601F8
.text C:\Windows\system32\atieclxx.exe[1432] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1432] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00180A08
.text C:\Windows\system32\atieclxx.exe[1432] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001803FC
.text C:\Windows\system32\atieclxx.exe[1432] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00180804
.text C:\Windows\system32\atieclxx.exe[1432] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001801F8
.text C:\Windows\system32\atieclxx.exe[1432] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00180600
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1536] kernel32.dll!SetUnhandledExceptionFilter 769130E2 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1536] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 001603FC
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 001601F8
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001F03FC
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 001F0804
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001F01F8
.text C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe[1564] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 001F0600
.text C:\Windows\System32\spoolsv.exe[1744] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1744] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1744] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00090A08
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000903FC
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!SetWindowsHookExW 767D210A 3 Bytes JMP 00090804
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!SetWindowsHookExW + 4 767D210E 1 Byte [89]
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!SetWinEventHook 767D507E 3 Bytes JMP 000901F8
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!SetWinEventHook + 4 767D5082 1 Byte [89]
.text C:\Windows\System32\spoolsv.exe[1744] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00090600
.text C:\Windows\system32\svchost.exe[1772] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1772] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1772] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00210A08
.text C:\Windows\system32\svchost.exe[1772] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 002103FC
.text C:\Windows\system32\svchost.exe[1772] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00210804
.text C:\Windows\system32\svchost.exe[1772] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 002101F8
.text C:\Windows\system32\svchost.exe[1772] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00210600
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00090A08
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000903FC
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!SetWindowsHookExW 767D210A 3 Bytes JMP 00090804
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!SetWindowsHookExW + 4 767D210E 1 Byte [89]
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!SetWinEventHook 767D507E 3 Bytes JMP 000901F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!SetWinEventHook + 4 767D5082 1 Byte [89]
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1848] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00090600
.text C:\Users\****\Desktop\v7pnp6d1.exe[1876] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 000A0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 000A0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1896] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 000A0600
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1916] KERNEL32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 001603FC
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 001601F8
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 002F0A08
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 002F03FC
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 002F0804
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 002F01F8
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1944] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 002F0600
.text C:\Windows\system32\wuauclt.exe[1960] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000703FC
.text C:\Windows\system32\wuauclt.exe[1960] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000701F8
.text C:\Windows\system32\wuauclt.exe[1960] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[1960] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00100A08
.text C:\Windows\system32\wuauclt.exe[1960] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001003FC
.text C:\Windows\system32\wuauclt.exe[1960] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00100804
.text C:\Windows\system32\wuauclt.exe[1960] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001001F8
.text C:\Windows\system32\wuauclt.exe[1960] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00100600
.text C:\Windows\system32\PnkBstrA.exe[2012] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 001503FC
.text C:\Windows\system32\PnkBstrA.exe[2012] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 001501F8
.text C:\Windows\system32\PnkBstrA.exe[2012] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\PnkBstrA.exe[2012] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\PnkBstrA.exe[2012] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\PnkBstrA.exe[2012] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\PnkBstrA.exe[2012] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\PnkBstrA.exe[2012] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 001F0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[2244] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 58259720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2244] kernel32.dll!MapViewOfFile 7690C05C 5 Bytes JMP 5848E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2244] kernel32.dll!VirtualAlloc 76910594 5 Bytes JMP 5848E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2244] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2244] GDI32.dll!CreateDIBSection 76CC85F0 5 Bytes JMP 5848E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\System32\svchost.exe[2320] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2320] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2320] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2320] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00210A08
.text C:\Windows\System32\svchost.exe[2320] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 002103FC
.text C:\Windows\System32\svchost.exe[2320] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00210804
.text C:\Windows\System32\svchost.exe[2320] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 002101F8
.text C:\Windows\System32\svchost.exe[2320] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00210600
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 001C0A08
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001C03FC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 001C0804
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001C01F8
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!GetWindowInfo 767D6A82 5 Bytes JMP 583CFE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!TrackPopupMenu 767F4B3B 5 Bytes JMP 583D03C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2328] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 001C0600
.text C:\Windows\system32\taskhost.exe[2512] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2512] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2512] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2512] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[2512] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[2512] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[2512] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[2512] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 000E0600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2560] KERNEL32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2720] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2720] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2720] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2720] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00170A08
.text C:\Windows\system32\svchost.exe[2720] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001703FC
.text C:\Windows\system32\svchost.exe[2720] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00170804
.text C:\Windows\system32\svchost.exe[2720] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001701F8
.text C:\Windows\system32\svchost.exe[2720] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00170600
.text C:\Windows\system32\Dwm.exe[2876] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[2876] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[2876] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2876] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[2876] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[2876] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[2876] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[2876] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 000F0600
.text C:\Windows\Explorer.EXE[3000] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 002F03FC
.text C:\Windows\Explorer.EXE[3000] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 002F01F8
.text C:\Windows\Explorer.EXE[3000] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\Explorer.EXE[3000] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 003A0A08
.text C:\Windows\Explorer.EXE[3000] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 003A03FC
.text C:\Windows\Explorer.EXE[3000] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 003A0804
.text C:\Windows\Explorer.EXE[3000] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 003A01F8
.text C:\Windows\Explorer.EXE[3000] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 003A0600
.text C:\Windows\system32\taskhost.exe[3112] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[3112] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[3112] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[3112] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskhost.exe[3112] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskhost.exe[3112] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00080804
.text C:\Windows\system32\taskhost.exe[3112] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskhost.exe[3112] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00080600
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 001603FC
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 001601F8
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00360A08
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 003603FC
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00360804
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 003601F8
.text C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3384] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00360600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3432] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3584] ntdll.dll!LdrUnloadDll 77ADBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3584] ntdll.dll!LdrLoadDll 77ADF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3584] kernel32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00150A08
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001503FC
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00150804
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001501F8
.text C:\Windows\system32\SearchIndexer.exe[3584] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00150600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4036] KERNEL32.dll!GetBinaryTypeW + 70 769278FC 1 Byte [62]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- Files - GMER 1.0.15 ----
File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-2709026904-2300073761-1837081891-1000 0 bytes
File C:\avast! sandbox\S-1-5-21-2709026904-2300073761-1837081891-1000\r267 0 bytes
File C:\avast! sandbox\S-1-5-21-2709026904-2300073761-1837081891-1000\r267\PEV.DAT_{fab77c91-92aa-11e1-9930-0025229459ae} 0 bytes
File C:\avast! sandbox\S-1-5-21-2709026904-2300073761-1837081891-1000\r267\PEV.DAT_{fab77cab-92aa-11e1-9930-0025229459ae} 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{fab77c93-92aa-11e1-9930-0025229459ae}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{fab77c93-92aa-11e1-9930-0025229459ae}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{fab77c93-92aa-11e1-9930-0025229459ae}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
#4

/// Winkelfunktion /// TB-Süch-Tiger™

Please first run a routine full scan with Malwarebytes and post the log. => Have ALL local drives (except CD/DVD) checked! Remember that Malwarebytes must be updated manually before every scan! All findings must also be removed. If logs from older Malwarebytes scans exist, please post all of those as well!

ESET Online Scanner Preparation

Please post everything here in CODE tags where possible. It is done like this: [code] the log goes here [/code] And it then looks like this: Code:
the log goes here
__________________ No help via PM! Use the forum! Recovering data after a ransomware trojan | Please don't post HijackThis logs Support the Trojaner-Board
#5

Hi, sorry for only replying now, the scans took forever. Here are the results: ESET Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=1494124cc92bd548aa1ba7646097929e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-01 06:39:14
# local_time=2012-05-01 08:39:14 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776573 100 94 1365 88326770 0 0
# compatibility_mode=8192 67108863 100 0 241 241 0 0
# scanned=195866
# found=5
# cleaned=0
# scan_time=5927
C:\ProgramData\TmForever\Cache\0FE870AD2DFE199A115E0F2542758E69_www.fileden.com%5cfiles%5c2007%5c3%5c27%5c930376%5cfunteamad.png HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
C:\Sandbox\****\DefaultBox\drive\C\Windows\system32\install\WindowsUpdater.exe probably a variant of Win32/TrojanDropper.VB.GADMGGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\TmForever\Cache\0FE870AD2DFE199A115E0F2542758E69_www.fileden.com%5cfiles%5c2007%5c3%5c27%5c930376%5cfunteamad.png HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
C:\Users\****\AppData\Local\Temp\jar_cache3327211295830174052.tmp Java/Exploit.CVE-2012-0507.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\****\AppData\Local\Temp\Main.class a variant of Java/TrojanDownloader.Agent.NEC trojan (unable to clean) 00000000000000000000000000000000 I
Code:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Datenbank Version: v2012.05.01.09

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
**** :: **** [Administrator]

01.05.2012 17:40:42
mbam-log-2012-05-01 (17-40-42).txt

Art des Suchlaufs: Vollständiger Suchlauf
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 355621
Laufzeit: 1 Stunde(n), 13 Minute(n), 52 Sekunde(n) [Abgebrochen]

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
Code:
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{007D5165-2504-47F8-9C7C-854EE0914DDF} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{17C25BBA-AB76-4DFC-BC39-D08E14B664D4}\57E6A756E6762757265627 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{17C25BBA-AB76-4DFC-BC39-D08E14B664D4}\64259445A51224F6870275C414E40233033303 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{17C25BBA-AB76-4DFC-BC39-D08E14B664D4}\B4572616D275C414E4 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1}\16577656 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1}\75C414E4D2131303243383 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1B35AB03-FB5D-4CEC-9676-FB06B274D7F1}\B4572616D275C414E4 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{46474865-D3E9-44C0-825C-C49669E17E4E} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{62B1F67C-720E-4910-9143-FC4B0B1434D0} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{62B1F67C-720E-4910-9143-FC4B0B1434D0}\75C414E4D2131303243383 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{62B1F67C-720E-4910-9143-FC4B0B1434D0}\D496B6B6F6C69636A71224F68702 : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{B6BD8B91-C2D2-4A2A-A256-C158072F3593} : DhcpNameServer = 192.168.2.1
Regards!
#6

/// Winkelfunktion /// TB-Süch-Tiger™

Malwarebytes creates exactly one log for every scan run. Have you scanned with Malwarebytes before? If so, all logs for every scan run are also listed in the Logs tab. Please post all that are visible there.
#7

That was the first full scan; otherwise I have only ever used Malwarebytes on individual files.
#8

/// Winkelfunktion /// TB-Süch-Tiger™

I have two questions before we go on: 1.) Does normal mode work without restrictions? 2.) Are you missing anything in the Start menu? Are there empty folders under All Programs, or is everything there?
#9

That is the strange thing: I am sure something is wrong with my computer, but everything is there in the Start menu and everything works perfectly too..
#10

/// Winkelfunktion /// TB-Süch-Tiger™

Please make a new OTL log. Please post everything here in CODE tags where possible. It is done like this: [code] the log goes here [/code] And it then looks like this: Code:
the log goes here
If you do not have it yet, please download OTL from Oldtimer and save it on your Desktop
Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT