Pests of all kinds and how to fight them: Windows freezes, Firefox opens windows at random ( in Flensburg) Windows 7
Windows freezes, Firefox opens windows at random ( in Flensburg)

GMER Part 2:

805DAC61 3 Bytes [DF, C1, EB]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 95 805DAC65 417 Bytes [0F, B7, 1C, 5A, 89, 7D, 18, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlInitCodePageTable + 61 805DB4A1 63 Bytes [33, F6, 66, 39, 32, 74, 08, ...]
PAGE ntkrnlpa.exe!RtlInitCodePageTable + A1 805DB4E1 56 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!RtlInitCodePageTable + DA 805DB51A 8 Bytes [14, 8D, 46, 2C, 50, FF, 75, ...] {ADC AL, 0x8d; INC ESI; SUB AL, 0x50; PUSH DWORD [EBP+0x8]}
PAGE ntkrnlpa.exe!RtlInitCodePageTable + E3 805DB523 34 Bytes [19, FF, FF, FF, 56, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlInitCodePageTable + 106 805DB546 105 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlGetDefaultCodePage + 26 805DB672 14 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...]
PAGE ntkrnlpa.exe!PfxInitialize + D 805DB681 118 Bytes [66, C7, 00, 00, 02, 89, 40, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 66 805DB6F8 35 Bytes [01, 02, 89, 41, 04, 8B, 4E, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 8A 805DB71C 138 Bytes [57, 8B, 7D, 08, 0F, B7, 17, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 115 805DB7A7 169 Bytes [D8, 0F, B7, D1, 89, 5D, F0, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 1BF 805DB851 25 Bytes [F8, 72, E1, 8B, 7D, 0C, 39, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 1D9 805DB86B 1 Byte [85]
PAGE ...
PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 2 805DB8DC 20 Bytes [55, 8B, EC, 8B, 45, 08, 66, ...]
PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 17 805DB8F1 46 Bytes [40, 04, 5D, C2, 04, 00, CC, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 25 805DB921 142 Bytes [7E, 23, 81, F9, 03, 08, 00, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B4 805DB9B0 2 Bytes [19, EB] {SBB EBX, EBP}
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B7 805DB9B3 57 Bytes [83, C0, 0C, 8B, F0, EB, 02, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + F1 805DB9ED 20 Bytes [83, C0, F4, EB, 03, 8B, 49, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 106 805DBA02 113 Bytes [8B, 4E, 04, 89, 48, 04, 83, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 58 805DBA74 45 Bytes [F7, EB, 18, 8B, 46, 04, 66, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 86 805DBAA2 212 Bytes [55, 8B, EC, 8B, 55, 08, 0F, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 15B 805DBB77 45 Bytes [00, 00, A1, F0, C2, 67, 80, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 189 805DBBA5 240 Bytes [75, 10, EB, 3A, 66, 83, 7D, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 27A 805DBC96 42 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!PfxInsertPrefix + 25 805DBCC1 395 Bytes [83, 66, 08, 00, 89, 36, 8B, ...]
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 2D 805DBE4D 109 Bytes [59, 04, 89, 4D, FC, EB, 06, ...]
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 9B 805DBEBB 19 Bytes [83, F8, 02, 75, C4, 8B, 7D, ...] {CMP EAX, 0x2; JNZ 0xffffffffffffffc9; MOV EDI, [EBP+0x10]; MOV [EBP+0x8], EDI; MOV EAX, [EBP+0x8]; PUSH -0x1; PUSH DWORD [EBP+0xc]}
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + AF 805DBECF 107 Bytes CALL 805DBACA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 11B 805DBF3B 19 Bytes CALL 8052D134 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 12F 805DBF4F 47 Bytes [70, 04, B0, 01, 5F, 5E, 5B, ...]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 1F 805DBF7F 29 Bytes [76, 04, 66, 39, 46, 02, 7F, ...]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 3D 805DBF9D 4 Bytes [FF, 83, F8, 03]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 1 Byte [05]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 39 Bytes [05, 8B, 5B, 04, EB, 07, 85, ...]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 6A 805DBFCA 25 Bytes [FF, 83, F8, 02, 74, 55, 83, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 15 805DC1C5 75 Bytes JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 61 805DC211 27 Bytes [00, 00, 8B, 7D, 18, 8B, 5D, ...]
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 7D 805DC22D 65 Bytes [00, 00, 8B, 7D, FC, 3B, 3A, ...]
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + BF 805DC26F 34 Bytes [00, 00, 51, 50, 57, E8, 37, ...]
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + E3 805DC293 105 Bytes CALL 8053A8AC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!RtlAbsoluteToSelfRelativeSD + 11 805DC43B 126 Bytes [00, C0, EB, 0C, FF, 75, 10, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + 66 805DC4BA 4 Bytes [C6, 45, E7, 02] {MOV BYTE [EBP-0x19], 0x2}
PAGE ntkrnlpa.exe!RtlCreateAcl + 6B 805DC4BF 10 Bytes [7D, 08, 8A, 07, 3C, 02, 0F, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + 77 805DC4CB 76 Bytes [3C, 04, 0F, 87, E3, 01, 00, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + C4 805DC518 104 Bytes [83, 99, 01, 00, 00, 8D, 48, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + 12D 805DC581 31 Bytes [B6, C0, 8D, 04, 85, 10, 00, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlGetAce + 4 805DC6CE 97 Bytes [EC, 8B, 4D, 08, 8A, 01, 3C, ...]
PAGE ntkrnlpa.exe!RtlGetAce + 66 805DC730 227 Bytes [00, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetAce + 14C 805DC816 60 Bytes [8B, FF, 55, 8B, EC, 56, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetAce + 189 805DC853 199 Bytes [3F, 0F, B7, 4E, 04, 8B, 45, ...]
PAGE ntkrnlpa.exe!RtlAddAce + 7B 805DC91D 63 Bytes [85, C0, 74, 52, 0F, B7, 4E, ...]
PAGE ntkrnlpa.exe!RtlAddAce + BB 805DC95D 24 Bytes [45, 0C, 66, 01, 46, 04, 8A, ...]
PAGE ntkrnlpa.exe!RtlAddAce + D4 805DC976 24 Bytes [00, C0, 5F, 5B, 5E, C9, C2, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + B 805DC98F 25 Bytes [17, FB, FF, FF, 84, C0, 74, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + 25 805DC9A9 110 Bytes [FF, 84, C0, 75, 07, B8, 0D, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + 94 805DCA18 31 Bytes [4D, 0C, 83, F9, 04, 0F, 87, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + B4 805DCA38 6 Bytes [02, 75, 05, 25, 3F, FF]
PAGE ntkrnlpa.exe!RtlDeleteAce + BB 805DCA3F 51 Bytes [FF, 85, C0, 74, 0A, B8, 0D, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAce + 1D 805DCAFD 40 Bytes [00, CC, CC, CC, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 24 805DCB28 110 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 93 805DCB97 140 Bytes [88, D4, 00, 00, 00, 6A, 02, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 120 805DCC24 47 Bytes [B0, 01, EB, 02, 32, C0, 5D, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 150 805DCC54 76 Bytes [EC, 8B, 45, 0C, 56, 8B, 75, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 19D 805DCCA1 18 Bytes [70, 08, 89, 75, F8, E8, 7F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCreateAtomTable + 55 805DCD61 21 Bytes [F3, AA, 56, 89, 5E, 0C, E8, ...]
PAGE ntkrnlpa.exe!RtlCreateAtomTable + 6B 805DCD77 96 Bytes [C7, 06, 41, 74, 6F, 6D, 89, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 3A 805DCDD8 35 Bytes [37, 89, 75, D8, 83, 27, 00, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 5E 805DCDFC 58 Bytes [EB, E7, FF, 45, E4, EB, CC, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 99 805DCE37 17 Bytes [89, 45, E0, 83, 4D, FC, FF, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + AB 805DCE49 51 Bytes [CC, CC, CC, CC, CC, 6A, 20, ...]
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 1 Byte [75]
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 10 Bytes [75, E0, 8B, 45, E0, 3B, 43, ...] {JNZ 0xffffffffffffffe2; MOV EAX, [EBP-0x20]; CMP EAX, [EBX+0xc]; JAE 0x4b}
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3A 805DCE88 2 Bytes [7D, E4] {JGE 0xffffffffffffffe6}
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3D 805DCE8B 8 Bytes [7D, D8, 83, 45, E4, 04, 8B, ...] {JGE 0xffffffffffffffda; ADD DWORD [EBP-0x1c], 0x4; MOV ESI, [EDI]}
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 46 805DCE94 22 Bytes [75, D0, 85, F6, 74, 29, 80, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 13 805DD095 42 Bytes [FF, 84, C0, 75, 0A, B8, 0D, ...]
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 3E 805DD0C0 22 Bytes [72, 0C, 89, 7D, E0, C7, 45, ...]
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 55 805DD0D7 28 Bytes [84, 26, 01, 00, 00, 66, 8B, ...]
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 72 805DD0F4 5 Bytes JMP 805DD202 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 78 805DD0FA 26 Bytes [45, DC, 50, 8D, 45, D8, 50, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 30 805DD24E 3 Bytes CALL 805DCEFD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 34 805DD252 21 Bytes [84, C0, 74, 27, 66, 81, 7D, ...]
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 4A 805DD268 80 Bytes [EB, 03, 89, 7D, E4, 8B, 45, ...]
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 9B 805DD2B9 179 Bytes [89, 7D, E4, 8B, 45, 10, 3B, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 67 805DD36D 3 Bytes [FF, 48, 08] {DEC DWORD [EAX+0x8]}
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 6B 805DD371 59 Bytes [39, 58, 08, 75, 53, 53, 8D, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + A7 805DD3AD 9 Bytes [89, 5D, E4, EB, 17, 8B, 45, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + B2 805DD3B8 39 Bytes [00, 89, 45, D8, 33, C0, 40, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + DA 805DD3E0 25 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...]
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 14 805DD3FA 38 Bytes [84, C0, 75, 07, B8, 0D, 00, ...]
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 3B 805DD421 10 Bytes [00, 50, FF, 75, 08, E8, 25, ...] {ADD [EAX-0x1], DL; JNZ 0xd; CALL 0xfffffffffffff82f}
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 46 805DD42C 40 Bytes [45, DC, 3B, C7, 74, 35, 66, ...]
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 6F 805DD455 12 Bytes [8B, 00, 89, 45, E0, 33, C0, ...] {MOV EAX, [EAX]; MOV [EBP-0x20], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]}
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 7C 805DD462 31 Bytes [45, E0, 89, 45, E4, 83, 4D, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 4F 805DD4DB 6 Bytes [85, C0, 75, 0C, C7, 45]
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 56 805DD4E2 22 Bytes JMP 805DD614 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 6D 805DD4F9 14 Bytes [85, FF, 74, 06, C7, 07, 01, ...]
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 7C 805DD508 324 Bytes [0F, 84, 0A, 01, 00, 00, 0F, ...]
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 1C1 805DD64D 199 Bytes CALL 805DCB7A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 33 805DD715 30 Bytes [56, 57, 8B, 7D, 08, 8D, 77, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 53 805DD735 93 Bytes [00, 8B, 50, 04, 3B, 51, 04, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + B1 805DD793 114 Bytes [55, FC, 85, D2, 75, 16, 8B, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 124 805DD806 200 Bytes [05, 89, 37, 89, 47, 04, 8B, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 1ED 805DD8CF 23 Bytes [8B, 55, 08, 5F, 5E, 52, 53, ...]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 1 805DD8E7 6 Bytes [FF, 55, 8B, EC, 56, 57] {CALL [EBP-0x75]; IN AL, DX ; PUSH ESI; PUSH EDI}
PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 1 Byte [7D]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 7 Bytes [7D, 08, 8B, 0F, 83, 67, 08]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 10 805DD8F6 27 Bytes [83, 67, 0C, 00, 83, E9, 1C, ...]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 2C 805DD912 40 Bytes [8B, CE, 8D, 46, 1C, 8B, 30, ...]
PAGE ntkrnlpa.exe!RtlGetFirstRange + F 805DD93B 164 Bytes [72, 10, 89, 71, 0C, 8B, 32, ...]
PAGE ntkrnlpa.exe!RtlGetFirstRange + B4 805DD9E0 111 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetNextRange + 6A 805DDA50 176 Bytes [14, 8B, 45, 0C, 89, 59, 08, ...]
PAGE ntkrnlpa.exe!RtlGetNextRange + 11B 805DDB01 77 Bytes [01, 89, 43, 04, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + 1B 805DDB4F 53 Bytes [43, 08, 89, 46, 08, 8B, 43, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + 51 805DDB85 14 Bytes [78, 1C, 3B, DF, 75, DA, 33, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + 60 805DDB94 25 Bytes CALL 805DD8E5 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlCopyRangeList + 7A 805DDBAE 121 Bytes [08, 8B, 46, 08, 85, C0, 57, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + F4 805DDC28 55 Bytes [48, 08, 3B, 4D, 0C, 72, 2F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlFindRange + 12 805DDC9A 25 Bytes [7D, 14, 48, 33, C9, 2B, F8, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 2C 805DDCB4 37 Bytes [1B, DA, 8B, 55, 10, 3B, D6, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 52 805DDCDA 18 Bytes [F1, 0F, 82, 0C, 01, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 65 805DDCED 19 Bytes [00, 00, 8B, 4D, 20, 03, 4D, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 79 805DDD01 29 Bytes [00, 77, 09, 3B, 4D, 0C, 0F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2 805DE006 7 Bytes [55, 8B, EC, 83, EC, 10, 8D]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + B 805DE00F 35 Bytes [50, 8D, 45, F0, 50, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2F 805DE033 46 Bytes [45, 1C, FF, 75, 24, 33, C9, ...]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 5E 805DE062 163 Bytes [FF, 8B, 4D, 2C, 88, 01, 33, ...]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 102 805DE106 69 Bytes [8B, 49, 20, 8B, 39, 8D, 72, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlMergeRangeLists + 1 805DE225 2 Bytes [FF, 55]
PAGE ntkrnlpa.exe!RtlMergeRangeLists + 4 805DE228 157 Bytes [EC, 51, 53, 56, 57, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlMergeRangeLists + A2 805DE2C6 88 Bytes [FF, 85, C0, 74, 25, F6, 46, ...]
PAGE ntkrnlpa.exe!RtlAddRange + 1B 805DE31F 123 Bytes [C0, EB, 5B, 56, FF, 75, 28, ...]
PAGE ntkrnlpa.exe!RtlDeleteRange + 15 805DE39B 7 Bytes [32, 83, EE, 1C, 3B, DA, C7]
PAGE ntkrnlpa.exe!RtlDeleteRange + 1D 805DE3A3 15 Bytes [F8, 8C, 02, 00, C0, 89, 75, ...] {CLC ; MOV WORD [EDX], ES; ADD AL, AL; MOV [EBP-0x4], ESI; JZ 0xf7; PUSH EDI}
PAGE ntkrnlpa.exe!RtlDeleteRange + 2D 805DE3B3 1 Byte [03]
PAGE ntkrnlpa.exe!RtlDeleteRange + 30 805DE3B6 15 Bytes [FC, 8B, 51, 04, 8B, 7D, 18, ...]
PAGE ntkrnlpa.exe!RtlDeleteRange + 40 805DE3C6 119 Bytes [00, 77, 09, 39, 45, 14, 0F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 51 805DE509 21 Bytes [CF, 8B, 7F, 1C, EB, C0, 8B, ...]
PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 67 805DE51F 51 Bytes [68, 80, 65, 55, 80, 89, 50, ...]
PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 9B 805DE553 62 Bytes [FC, 5F, 5E, 5B, C9, C2, 08, ...]
PAGE ntkrnlpa.exe!RtlInvertRangeList + 32 805DE592 100 Bytes [6A, 00, 83, C2, FF, 83, D3, ...]
PAGE ntkrnlpa.exe!RtlInvertRangeList + 97 805DE5F7 81 Bytes [CC, CC, CC, CC, CC, 6A, 30, ...]
PAGE ntkrnlpa.exe!RtlZeroHeap + 4D 805DE649 23 Bytes [8B, 45, D8, 8B, 4D, DC, 8B, ...]
PAGE ntkrnlpa.exe!RtlZeroHeap + 65 805DE661 10 Bytes [77, 20, 89, 75, E0, 3B, 77, ...] {JA 0x22; MOV [EBP-0x20], ESI; CMP ESI, [EDI+0x24]; JAE 0x6f}
PAGE ntkrnlpa.exe!RtlZeroHeap + 71 805DE66D 142 Bytes [06, C1, E0, 03, 89, 45, C4, ...]
PAGE ntkrnlpa.exe!RtlZeroHeap + 101 805DE6FD 38 Bytes CALL 8053BBD9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlZeroHeap + 128 805DE724 85 Bytes [55, 8B, EC, 83, EC, 0C, 56, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlDestroyHeap + 16 805DF1A2 91 Bytes JMP 805DF235 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlDestroyHeap + 72 805DF1FE 51 Bytes [00, 8D, 45, 08, 50, 8D, 45, ...]
PAGE ntkrnlpa.exe!RtlDestroyHeap + A6 805DF232 52 Bytes [FF, 4E, 75, EE, 5E, 5B, 33, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + 23 805DF267 47 Bytes [0F, B7, 41, F8, 0F, B6, 49, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + 53 805DF297 88 Bytes [65, 6E, 74, 20, 28, 25, 78, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + AC 805DF2F0 38 Bytes [03, 89, 45, F4, 8D, 47, 08, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + D3 805DF317 5 Bytes [8D, 45, 1C, 50, 6A]
PAGE ntkrnlpa.exe!RtlSizeHeap + D9 805DF31D 143 Bytes CALL 804FFE90 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!RtlCreateHeap + 19 805DF985 104 Bytes [89, 45, D8, F6, 45, 0B, 10, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + 82 805DF9EE 15 Bytes [C0, 40, C3, 8B, 65, E8, 8B, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + 92 805DF9FE 85 Bytes [D3, 0F, 8C, AE, 03, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + E8 805DFA54 57 Bytes [89, 45, B4, 53, 6A, 2C, 8D, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + 122 805DFA8E 19 Bytes [76, 07, C7, 45, BC, 00, F0, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAllocateHeap + 45 805E0CE1 50 Bytes [01, 41, 83, C1, 0F, 83, E1, ...]
PAGE ntkrnlpa.exe!RtlAllocateHeap + 78 805E0D14 12 Bytes [83, 3B, 02, 00, 00, 8D, 84, ...] {CMP DWORD [EBX], 0x2; ADD [EAX], AL; LEA EAX, [ESI+EDI*8+0x178]}
PAGE ntkrnlpa.exe!RtlAllocateHeap + 86 805E0D22 46 Bytes [D4, 39, 00, 0F, 84, DA, 00, ...]
PAGE ntkrnlpa.exe!RtlAllocateHeap + B5 805E0D51 65 Bytes [F9, 8B, 4D, A8, 75, 08, 8B, ...]
PAGE ntkrnlpa.exe!RtlAllocateHeap + F7 805E0D93 30 Bytes [0F, 8B, 4D, DC, 29, 4E, 28, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlFreeHeap + 5C 805E15CC 16 Bytes [00, 80, 7B, 07, 40, 0F, 83, ...] {ADD [EAX+0xf40077b], AL; CMP DWORD [EBX-0x7cffffff], 0x4d; CLD ; PUSH DWORD [EBX]}
PAGE ntkrnlpa.exe!RtlFreeHeap + 6D 805E15DD 37 Bytes [40, 89, 45, FC, 84, C8, 75, ...]
PAGE ntkrnlpa.exe!RtlFreeHeap + 93 805E1603 152 Bytes [45, E0, 57, 8D, 45, E0, 50, ...]
PAGE ntkrnlpa.exe!RtlFreeHeap + 12C 805E169C 82 Bytes [00, 00, 81, F9, 00, FE, 00, ...]
PAGE ntkrnlpa.exe!RtlFreeHeap + 17F 805E16EF 23 Bytes [08, 89, 50, 04, 89, 02, 89, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAnsiCharToUnicodeChar + C 805E17B2 76 Bytes [53, 56, 8B, 75, 08, 8B, 06, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 9 805E17FF 26 Bytes [56, 8B, 75, 0C, 66, 8B, 06, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 24 805E181A 30 Bytes [85, C0, 89, 47, 04, 75, 1A, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 43 805E1839 106 Bytes [00, 00, 0F, B7, 16, 6A, 00, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + AE 805E18A4 83 Bytes [B7, C0, 8B, 5F, 04, 66, 89, ...]
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 2E 805E18F8 5 Bytes [00, C0, E9, 93, 00]
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 34 805E18FE 21 Bytes [00, 66, 3B, 47, 02, 76, 0A, ...]
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 4A 805E1914 28 Bytes JMP 08558959
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 67 805E1931 343 Bytes [77, 08, 0F, B7, C0, 83, C0, ...]
PAGE ntkrnlpa.exe!RtlFreeOemString + 9 805E1A89 12 Bytes [40, 04, 85, C0, 74, 07, 50, ...]
PAGE ntkrnlpa.exe!RtlFreeOemString + 16 805E1A96 34 Bytes [5D, C2, 04, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiSize + 19 805E1AB9 13 Bytes [45, 08, 40, 5D, C2, 04, 00, ...] {INC EBP; OR [EAX+0x5d], AL; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 1 805E1AC7 23 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 19 805E1ADF 8 Bytes [45, 08, 83, C0, 02, 5D, C2, ...]
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 22 805E1AE8 45 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 28 805E1B16 7 Bytes [C1, 03, C6, 80, 7D, 10, 00] {ROL DWORD [EBX], 0xc6; CMP BYTE [EBP+0x10], 0x0}
PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 30 805E1B1E 23 Bytes [45, FC, 0F, 84, FE, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 48 805E1B36 283 Bytes [3A, 33, C0, 66, 8B, 06, 46, ...]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 18 805E1C52 32 Bytes [EE, 00, 00, 00, 8B, 71, 04, ...]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 39 805E1C73 3 Bytes [83, B3, 00]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 3E 805E1C78 4 Bytes [A1, F0, C2, 67]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 43 805E1C7D 19 Bytes [66, 8B, 16, 33, C9, 66, 8B, ...]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 58 805E1C92 63 Bytes [0F, 84, 8A, 00, 00, 00, 66, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + 5C 805E1DAE 132 Bytes [FA, 61, 73, 05, 0F, B7, D2, ...]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 1 Byte [5D]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 15 Bytes [5D, 0C, FF, 4D, 08, 0F, 85, ...]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + F1 805E1E43 10 Bytes [1B, 85, D2, 74, 15, 8B, C3, ...]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + FC 805E1E4E 60 Bytes [0F, 66, 8B, 34, 38, 47, 47, ...]
PAGE ntkrnlpa.exe!RtlCreateUnicodeString + 1F 805E1E8B 126 Bytes [55, 08, 89, 42, 04, 74, 22, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + 48 805E1F0A 133 Bytes [53, 66, 8B, 16, 46, 46, 66, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + CE 805E1F90 42 Bytes [55, 8B, EC, 83, EC, 64, A1, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + FA 805E1FBC 13 Bytes [FF, 0F, 85, A6, 02, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + 108 805E1FCA 34 Bytes CALL 8052BB49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlHashUnicodeString + 12B 805E1FED 43 Bytes [56, 04, 8B, 4D, 08, 33, C0, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 1F 805E22A1 123 Bytes [8D, 44, 00, 02, 3D, FF, FF, ...]
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 9B 805E231D 110 Bytes CALL C17AAC88
PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + 58 805E238C 90 Bytes [27, B8, 17, 00, 00, C0, EB, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + B3 805E23E7 146 Bytes [46, 04, 8B, 4D, 0C, 88, 1C, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToAnsiString + 7C 805E247A 136 Bytes [FF, 8B, F8, 3B, FB, 7D, 15, ...]
PAGE ntkrnlpa.exe!RtlOemStringToUnicodeString + 55 805E2503 206 Bytes [00, C0, EB, 4D, 66, 3B, 4E, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToOemString + 72 805E25D2 65 Bytes [B7, 06, 50, FF, 76, 04, E8, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 4 805E2614 38 Bytes [EC, 80, 3D, 28, C7, 67, 80, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 2B 805E263B 120 Bytes JMP 805E26CD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + A4 805E26B4 36 Bytes [15, 24, FC, 67, 80, 83, 66, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString 805E26DA 25 Bytes [8B, FF, 55, 8B, EC, 53, 33, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 1A 805E26F4 8 Bytes [EB, 07, 0F, B7, 07, 8D, 44, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 23 805E26FD 146 Bytes [83, C0, FE, 3B, C3, 75, 11, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + B6 805E2790 7 Bytes [CC, CC, CC, CC, CC, CC, 8B]
PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + 2 805E2798 9 Bytes [55, 8B, EC, 80, 3D, 28, C7, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + C 805E27A2 196 Bytes [53, 57, 8B, 7D, 0C, 74, 08, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString 805E286A 60 Bytes [8B, FF, 55, 8B, EC, 80, 3D, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 3D 805E28A7 17 Bytes [3D, FF, FF, 00, 00, 76, 07, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 4F 805E28B9 177 Bytes [56, 8B, 75, 08, 66, 89, 06, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 101 805E296B 95 Bytes [3C, 50, 2E, 74, 07, 42, 3B, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 161 805E29CB 60 Bytes [C0, EB, 13, FF, 75, 10, 8D, ...]
PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 1 Byte [00]
PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 7 Bytes [00, 00, 83, F0, 20, E9, F6]
PAGE ntkrnlpa.exe!RtlUpperChar + 1E 805E2A12 5 Bytes [80, 3D, 10, C5, 67]
PAGE ntkrnlpa.exe!RtlUpperChar + 24 805E2A18 10 Bytes [00, 56, 57, 75, 67, 8B, 0D, ...]
PAGE ntkrnlpa.exe!RtlUpperChar + 2F 805E2A23 80 Bytes [0F, B6, C0, 0F, B7, 04, 41, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCompareString + 26 805E2B38 4 Bytes [C1, 80, 7D, 10]
PAGE ntkrnlpa.exe!RtlCompareString + 2B 805E2B3D 303 Bytes [8D, 1C, 30, 74, 4E, EB, 28, ...]
PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 1 Byte [4D]
PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 117 Bytes [4D, 08, 66, 8B, 51, 02, 56, ...]
PAGE ntkrnlpa.exe!RtlAppendAsciizToString + 35 805E2CE3 174 Bytes [00, C0, EB, 17, 51, 8B, 4E, ...]
PAGE ntkrnlpa.exe!RtlValidSid + 34 805E2D92 45 Bytes CALL 805A7B1A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlValidSid + 62 805E2DC0 104 Bytes [02, 75, 58, 8A, 50, 03, 3A, ...]
PAGE ntkrnlpa.exe!RtlLengthRequiredSid + 1 805E2E29 78 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlSubAuthoritySid + 2 805E2E78 45 Bytes [55, 8B, EC, 8B, 45, 0C, 8B, ...]
PAGE ntkrnlpa.exe!RtlLengthSid + 6 805E2EA6 78 Bytes [45, 08, 0F, B6, 40, 01, 8D, ...]
PAGE ntkrnlpa.exe!RtlCopySid + 39 805E2EF5 160 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...]
PAGE ntkrnlpa.exe!RtlCopySid + DA 805E2F96 21 Bytes [FF, 3C, 01, 74, 07, B8, 78, ...]
PAGE ntkrnlpa.exe!RtlCopySid + F0 805E2FAC 33 Bytes [75, 04, 6A, 0A, EB, 02, 6A, ...]
PAGE ntkrnlpa.exe!RtlCopySid + 112 805E2FCE 3 Bytes [53, 00, 2D]
PAGE ntkrnlpa.exe!RtlCopySid + 116 805E2FD2 1 Byte [31]
PAGE ...
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16 805E2FF4 32 Bytes [FC, 8B, 45, 08, 56, 89, 85, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 37 805E3015 182 Bytes [00, 57, 8D, 85, FC, FD, FF, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + EE 805E30CC 80 Bytes [76, 4A, EB, 09, 8D, 45, FA, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 13F 805E311D 47 Bytes [2B, 8D, 85, FC, FD, FF, FF, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16F 805E314D 44 Bytes [75, F1, 8D, 85, FC, FD, FF, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCopyLuid + B 805E31E5 94 Bytes [4D, 08, 89, 11, 8B, 40, 04, ...]
PAGE ntkrnlpa.exe!RtlCreateSecurityDescriptor + 1C 805E3244 51 Bytes [C0, 5F, EB, 05, B8, 58, 00, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 22 805E3278 105 Bytes [46, 04, 66, 85, 7E, 02, 74, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 8C 805E32E2 9 Bytes [84, C0, 74, 3F, 66, 8B, 46, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 96 805E32EC 70 Bytes [75, 04, 33, F6, EB, 13, 66, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + DD 805E3333 158 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + 9A 805E33D2 19 Bytes [74, 0C, 0F, B7, 49, 02, 83, ...]
PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + AE 805E33E6 135 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 1A 805E346E 18 Bytes [80, E1, 04, 80, F9, 04, 0F, ...]
PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 2D 805E3481 43 Bytes [F6, C1, 04, 75, 04, 33, C9, ...]
PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 59 805E34AD 155 Bytes [5D, C2, 10, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlGetSaclSecurityDescriptor + 2B 805E3549 60 Bytes [48, 02, F6, C1, 10, 75, 04, ...]
PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 6 805E3586 15 Bytes [45, 08, 80, 38, 01, 74, 07, ...]
PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 16 805E3596 46 Bytes [48, 02, 84, ED, 79, 07, B8, ...]
PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 46 805E35C6 17 Bytes [48, 02, 33, C0, 5D, C2, 0C, ...] {DEC EAX; ADD DH, [EBX]; RCR BYTE [EBP-0x3e], 0xc; ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP}
PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 4 805E35D8 14 Bytes [EC, 8B, 45, 08, 80, 38, 01, ...] {IN AL, DX ; MOV EAX, [EBP+0x8]; CMP BYTE [EAX], 0x1; JZ 0x10; MOV EAX, 0xc0000058}
PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 13 805E35E7 3 Bytes [28, F6, 40] {SUB DH, DH; INC EAX}
PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 17 805E35EB 47 Bytes [80, 8B, 48, 04, 74, 06, 85, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 1 805E361B 34 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 24 805E363E 12 Bytes [55, 0C, 83, 60, 08, 00, 85, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 31 805E364B 9 Bytes [81, E1, FD, FF, 00, 00, 80, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 3B 805E3655 60 Bytes [66, 89, 48, 02, 74, 07, 83, ...]
PAGE ntkrnlpa.exe!RtlGetGroupSecurityDescriptor + 24 805E3692 24 Bytes [55, 0C, 89, 0A, 8A, 40, 02, ...]
PAGE ntkrnlpa.exe!RtlGetGroupSecurityDescriptor + 3D 805E36AB 16 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!RtlAreAllAccessesGranted + C 805E36BC 91 Bytes [0C, F7, D8, 1A, C0, FE, C0, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + 34 805E3718 38 Bytes [71, 08, 0B, F2, 89, 30, 8B, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + 5B 805E373F 82 Bytes [FF, 55, 8B, EC, 53, 8B, 5D, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + AE 805E3792 8 Bytes [01, EB, 06, 8B, 45, 0C, 8B, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + B7 805E379B 92 Bytes [21, 07, 0F, B7, 46, 02, FF, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + 114 805E37F8 67 Bytes [00, 00, 76, 4E, 89, 45, FC, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 60 805E3A3C 2 Bytes [75, DE] {JNZ 0xffffffffffffffe0}
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 63 805E3A3F 15 Bytes [40, 01, 3C, 0F, 77, D7, 0F, ...]
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 73 805E3A4F 5 Bytes [39, 45, 08, 72, C8] {CMP [EBP+0x8], EAX; JB 0xffffffffffffffcd}
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 79 805E3A55 68 Bytes [7E, 08, 85, FF, 75, 08, F6, ...]
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + BE 805E3A9A 43 Bytes [7E, 10, 85, FF, 74, 35, 8D, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlEqualSid + 1 805E3B5F 59 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...]
PAGE ntkrnlpa.exe!RtlEqualSid + 3D 805E3B9B 107 Bytes [FF, 55, 8B, EC, 81, EC, A0, ...]
PAGE ntkrnlpa.exe!RtlEqualSid + A9 805E3C07 16 Bytes [C6, 45, D5, 00, C6, 45, D6, ...] {MOV BYTE [EBP-0x2b], 0x0; MOV BYTE [EBP-0x2a], 0x0; MOV BYTE [EBP-0x29], 0x0; MOV BYTE [EBP-0x28], 0x0}
PAGE ntkrnlpa.exe!RtlEqualSid + BA 805E3C18 76 Bytes CALL 805E2E3D \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlEqualSid + 107 805E3C65 42 Bytes [87, 76, 03, 00, 00, 83, 65, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlInitializeBitMap + C 805E5F28 42 Bytes [08, 8B, 4D, 0C, 89, 48, 04, ...]
PAGE ntkrnlpa.exe!RtlIntegerToChar + 1B 805E5F53 112 Bytes CALL C888D358
PAGE ntkrnlpa.exe!RtlIntegerToChar + 8C 805E5FC4 54 Bytes [88, 0E, 85, C0, 75, E0, 8D, ...]
PAGE ntkrnlpa.exe!RtlIntegerToChar + C3 805E5FFB 79 Bytes [7D, BC, 8B, D9, C1, E9, 02, ...]
PAGE ntkrnlpa.exe!RtlIntegerToChar + 113 805E604B 13 Bytes [CC, 6A, 0C, 68, 60, B1, 4D, ...] {INT 3 ; PUSH 0xc; PUSH 0x804db160; CALL 0xfffffffffff55b55}
PAGE ntkrnlpa.exe!RtlCharToInteger + D 805E6059 26 Bytes [75, 08, 8A, 1E, EB, 09, 46, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + 28 805E6074 9 Bytes [05, 80, FB, 2B, 75, 03, 8A, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + 32 805E607E 91 Bytes [7D, 0C, 85, FF, 75, 38, 6A, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + 8E 805E60DA 80 Bytes [6A, 04, EB, 06, 33, C9, EB, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + DF 805E612B 30 Bytes [D3, E2, 0B, D0, 8A, 06, 46, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 7 805E617B 15 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 17 805E618B 80 Bytes [5E, D1, EF, 74, 1A, 4F, 33, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 68 805E61DC 65 Bytes [75, 7A, 85, FF, 74, 46, 4F, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + AA 805E621E 213 Bytes [74, 08, 4F, 66, 8B, 02, 03, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 180 805E62F4 37 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 20 805E631A 23 Bytes [74, 2A, 48, 48, 74, 21, 83, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 38 805E6332 3 Bytes JMP 805E6409 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 3C 805E6336 1 Byte [00]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 3C 805E6336 20 Bytes [00, 00, 6A, 04, EB, 02, 6A, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 52 805E634C 29 Bytes [00, 33, FF, 85, FF, 74, 0C, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + D 805E642D 72 Bytes [56, 8B, 75, 10, 89, 45, FC, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + 56 805E6476 3 Bytes CALL 804EE1C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + 5A 805E647A 75 Bytes [C9, C2, 0C, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + A6 805E64C6 47 Bytes JMP 805E6633 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + D6 805E64F6 91 Bytes [8B, BD, 7C, FF, FF, FF, 3B, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 18 805E6838 18 Bytes [0C, 56, 8B, 75, 14, 89, 45, ...]
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 2B 805E684B 37 Bytes CALL 805E6482 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 51 805E6871 17 Bytes [D4, 6A, 00, 8D, 45, D4, 50, ...] {AAM 0x6a; ADD [EBP+0x5650d445], CL; CALL 0xffffffffffffba11; MOV ECX, [EBP-0x4]; POP ESI} PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 63 805E6883 3 Bytes CALL 804EE1C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 67 805E6887 124 Bytes [C9, C2, 10, 00, CC, CC, CC, ...] PAGE ... PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + A 805E6B06 17 Bytes [45, 00, 47, 00, 49, 00, 53, ...] {INC EBP; ADD [EDI+0x0], AL; DEC ECX; ADD [EBX+0x0], DL; PUSH ESP; ADD [EDX+0x0], DL; POP ECX; ADD [EAX+EAX+0x55], BL} PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + 1C 805E6B18 7 Bytes [53, 00, 45, 00, 52, 00, 5C] PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + 24 805E6B20 61 Bytes [00, 00, CC, CC, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 37 805E6B5F 4 Bytes [C0, 0F, 85, B7] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 3C 805E6B64 54 Bytes [00, 00, 8D, 45, A8, 50, 53, ...] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 73 805E6B9B 68 Bytes [3B, DF, 7C, 7C, 8D, 45, A4, ...] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + B8 805E6BE0 15 Bytes [8B, 45, A4, 8B, 4E, 04, 66, ...] {MOV EAX, [EBP-0x5c]; MOV ECX, [ESI+0x4]; MOV [EBP-0x62], AX; MOVZX EAX, [ESI]; SHR EAX, 0x1} PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + C9 805E6BF1 66 Bytes [41, 57, FF, 75, AC, 89, 45, ...] PAGE ... PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 1 805E73A5 37 Bytes [FF, 55, 8B, EC, 83, EC, 3C, ...] PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 27 805E73CB 151 Bytes [00, 89, 75, EC, 81, 65, EC, ...] PAGE ntkrnlpa.exe!RtlQueryRegistryValues + BF 805E7463 141 Bytes [3B, 45, F0, 74, 0C, 50, E8, ...] 
PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 14D 805E74F1 29 Bytes CALL 805002EE \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 16B 805E750F 82 Bytes [80, 0F, 84, ED, 01, 00, 00, ...] PAGE
#2
Windows freezes, Firefox opens windows at random (in Flensburg)
GMER part 3:
... PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 37 805E77B5 27 Bytes CALL 80501084 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 53 805E77D1 1 Byte [C9] PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 53 805E77D1 3 Bytes [C9, C2, 18] PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 5 805E77DF 1 Byte [8D] PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 8 805E77E2 9 Bytes [50, 6A, 00, FF, 75, 0C, FF, ...] {PUSH EAX; PUSH 0x0; PUSH DWORD [EBP+0xc]; PUSH DWORD [EBP+0x8]} PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 12 805E77EC 22 Bytes [E4, F4, FF, FF, 85, C0, 7C, ...] PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 2A 805E7804 139 Bytes [CC, CC, CC, CC, 8B, FF, 55, ...] PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 54 805E7890 9 Bytes [5A, 00, 6F, 00, 6E, 00, 65, ...] {POP EDX; ADD [EDI+0x0], CH; OUTSB ; ADD [EBP+0x0], AH; DEC ECX} PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 5E 805E789A 7 Bytes [6E, 00, 66, 00, 6F, 00, 72] PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 66 805E78A2 28 Bytes [6D, 00, 61, 00, 74, 00, 69, ...] PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 83 805E78BF 24 Bytes [75, 08, 68, 88, 78, 5E, 80, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 2 805E78D8 6 Bytes [55, 8B, EC, 81, EC, F4] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + B 805E78E1 21 Bytes [53, 8D, 45, FC, 50, 33, DB, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 21 805E78F7 49 Bytes [55, 08, 56, 57, 6A, 2B, 59, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 53 805E7929 38 Bytes [50, FF, FF, FF, 8D, 4A, 44, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 7A 805E7950 46 Bytes [48, FF, FF, FF, 89, 85, 64, ...] PAGE ...
PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 5 805E7A03 1 Byte [51] PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + A 805E7A08 13 Bytes CALL 805E78B4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 18 805E7A16 22 Bytes [00, 53, 56, 57, 8B, 7D, 08, ...] PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 2F 805E7A2D 41 Bytes CALL 805E777B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 59 805E7A57 6 Bytes [75, FC, 56, E8, 1F, FD] PAGE ... PAGE ntkrnlpa.exe!RtlDecompressBuffer + 35 805E7C13 36 Bytes [14, 85, 78, F1, 67, 80, EB, ...] PAGE ntkrnlpa.exe!RtlDecompressFragment + F 805E7C39 5 Bytes [74, 32, 66, 3D, 01] PAGE ntkrnlpa.exe!RtlDecompressFragment + 15 805E7C3F 133 Bytes [74, 2C, A8, F0, 74, 07, B8, ...] PAGE ntkrnlpa.exe!RtlReserveChunk + 1 805E7CC5 13 Bytes [FF, 55, 8B, EC, 33, C0, 8A, ...] PAGE ntkrnlpa.exe!RtlReserveChunk + F 805E7CD3 153 Bytes [74, 29, 66, 3D, 01, 00, 74, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + 61 805E7D6D 53 Bytes [00, 00, 8B, 45, 08, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + 97 805E7DA3 52 Bytes [83, E1, 03, 83, 65, 1C, 00, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + CC 805E7DD8 80 Bytes [00, 8B, 45, 08, 53, FF, 75, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + 11D 805E7E29 13 Bytes CALL 805E7BDD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlDecompressChunks + 12B 805E7E37 83 Bytes [8B, 55, F0, 8B, 4D, 14, 3B, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCompressChunks + 16 805E7EE6 73 Bytes CALL AC4651EF PAGE ntkrnlpa.exe!RtlCompressChunks + 60 805E7F30 23 Bytes [75, 06, 83, 65, FC, 00, EB, ...] PAGE ntkrnlpa.exe!RtlCompressChunks + 78 805E7F48 52 Bytes JMP 0C04724F PAGE ntkrnlpa.exe!RtlCompressChunks + AD 805E7F7D 12 Bytes [75, FC, 8B, 75, 14, 8B, 4D, ...] 
PAGE ntkrnlpa.exe!RtlCompressChunks + BA 805E7F8A 52 Bytes [F8, 04, 89, 0A, 8B, 4D, 18, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 18 805E83E2 1 Byte [5D] PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 18 805E83E2 46 Bytes CALL 0BC5441A PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 47 805E8411 29 Bytes [8B, 45, F0, 83, C0, 02, 66, ...] PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 65 805E842F 31 Bytes JMP 805E857E \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 85 805E844F 82 Bytes [F3, A4, 66, 8B, 1B, 66, 89, ...] PAGE ... PAGE ntkrnlpa.exe!RtlFindMessage + 2 805E858C 43 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlFindMessage + 2F 805E85B9 13 Bytes [85, C0, 7C, 3C, 6A, 00, 8D, ...] {TEST EAX, EAX; JL 0x40; PUSH 0x0; LEA EAX, [EBP+0x10]; PUSH EAX; PUSH DWORD [EBP+0xc]} PAGE ntkrnlpa.exe!RtlFindMessage + 3D 805E85C7 20 Bytes CALL 805D8D8C \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlFindMessage + 52 805E85DC 65 Bytes [04, 74, 14, 8B, 55, 14, 49, ...] PAGE ntkrnlpa.exe!RtlStringFromGUID + 2 805E861E 252 Bytes [55, 8B, EC, 56, 8B, 75, 0C, ...] PAGE ntkrnlpa.exe!RtlStringFromGUID + FF 805E871B 84 Bytes [EB, 53, 4E, 83, 7D, 08, 00, ...] PAGE ntkrnlpa.exe!RtlStringFromGUID + 154 805E8770 237 Bytes [85, F6, 75, A9, 83, 45, FC, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + C 805E885E 122 Bytes [00, 8B, 45, 08, 0F, B7, 00, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + 88 805E88DA 30 Bytes [00, 8B, 35, 24, C7, 67, 80, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + A7 805E88F9 10 Bytes [10, 0F, B7, C9, 03, C8, A1, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + B2 805E8904 11 Bytes [0F, B7, 04, 48, EB, 0A, 8B, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + BE 805E8910 54 Bytes [0F, B7, 04, 41, 66, 8B, D0, ...] PAGE ... 
PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + D 805E8AB9 47 Bytes [56, 8B, 75, 0C, 89, 45, FC, ...] PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 3D 805E8AE9 50 Bytes [8D, 75, E0, 89, 4D, E4, 66, ...] PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 70 805E8B1C 10 Bytes [F9, 02, 75, 1C, 8B, 46, 04, ...] {STC ; ADD DH, [EBP+0x1c]; MOV EAX, [ESI+0x4]; CMP BYTE [EAX], 0x2e} PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 7B 805E8B27 94 Bytes [14, 80, 78, 01, 2E, 75, 0E, ...] PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + DA 805E8B86 168 Bytes [43, EB, 61, 80, F9, 80, 73, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 1 805E8C2F 15 Bytes [FF, 55, 8B, EC, 83, EC, 30, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 11 805E8C3F 33 Bytes [53, 8B, 5D, 10, 56, 89, 45, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 33 805E8C61 18 Bytes [C6, 45, EB, 01, 75, 04, C6, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 47 805E8C75 36 Bytes [66, 8B, 37, 83, 4D, E4, FF, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 6C 805E8C9A 168 Bytes [75, D0, EB, 11, 66, 3D, 2E, ...] PAGE ... PAGE ntkrnlpa.exe!RtlLockBootStatusData + 19 805E9073 33 Bytes [00, 56, 89, 45, FC, 8D, 85, ...] PAGE ntkrnlpa.exe!RtlLockBootStatusData + 3B 805E9095 13 Bytes [2B, F0, 56, 8D, 85, F8, FD, ...] PAGE ntkrnlpa.exe!RtlLockBootStatusData + 49 805E90A3 21 Bytes CALL 8053B928 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlLockBootStatusData + 5F 805E90B9 21 Bytes CALL 8052E787 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlLockBootStatusData + 75 805E90CF 6 Bytes [56, 8D, 85, CC, FD, FF] PAGE ... PAGE ntkrnlpa.exe!RtlUnlockBootStatusData + 2 805E913A 28 Bytes [55, 8B, EC, 83, EC, 0C, 33, ...] PAGE ntkrnlpa.exe!RtlUnlockBootStatusData + 1F 805E9157 40 Bytes [75, 08, 89, 45, FC, E8, 6B, ...] PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + 2 805E9180 201 Bytes [55, 8B, EC, 83, EC, 44, 53, ...] 
PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + CC 805E924A 38 Bytes CALL 80500B84 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + F3 805E9271 6 Bytes [CC, CC, CC, CC, CC, 8B] PAGE ntkrnlpa.exe!RtlGetVersion + 2 805E9278 7 Bytes [55, 8B, EC, A1, 98, A8, 55] PAGE ntkrnlpa.exe!RtlGetVersion + A 805E9280 19 Bytes [56, 8B, 75, 08, 89, 46, 04, ...] PAGE ntkrnlpa.exe!RtlGetVersion + 1E 805E9294 67 Bytes [25, FF, 3F, 00, 00, 81, 3E, ...] PAGE ntkrnlpa.exe!RtlGetVersion + 62 805E92D8 84 Bytes CALL 805EAD8D \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlNtStatusToDosError + 2D 805E932D 26 Bytes [4D, FC, FF, FF, 75, 08, E8, ...] PAGE ntkrnlpa.exe!RtlRandom + 2 805E9348 13 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlRandom + 10 805E9356 86 Bytes [FF, 7F, 57, B9, C3, FF, FF, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + 15 805E93AD 145 Bytes [2F, 71, F4, FF, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + A9 805E9441 5 Bytes [8B, 07, 3B, 03, 0F] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + AF 805E9447 32 Bytes [66, 01, 00, 00, B0, 01, E9, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + D0 805E9468 30 Bytes [0F, 84, 43, 01, 00, 00, 66, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + EF 805E9487 7 Bytes [89, 45, F0, 0F, 85, D7, 00] PAGE ... PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 4B 805EBB61 8 Bytes [5D, FC, 80, 7D, 0C, 00, 75, ...] {POP EBP; CLD ; CMP BYTE [EBP+0xc], 0x0; JNZ 0x56} PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 54 805EBB6A 29 Bytes [75, D0, 83, 65, D0, 03, 74, ...] PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 72 805EBB88 27 Bytes [7C, 5B, FD, 8D, 3C, BD, 10, ...] PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 8E 805EBBA4 41 Bytes [03, FE, 3B, FE, 72, 08, 3B, ...] PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + B8 805EBBCE 1 Byte [39] PAGE ... 
PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 66 805EBF24 41 Bytes [FE, 74, 1D, 6A, 04, FF, 75, ...] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 91 805EBF4F 4 Bytes [8B, 00, 89, 45] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 96 805EBF54 61 Bytes [33, C0, 40, C3, 8B, 65, E8, ...] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + D4 805EBF92 73 Bytes [00, 89, 45, C4, 3B, C6, 0F, ...] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 11E 805EBFDC 10 Bytes [89, 45, BC, 33, C0, 40, C3, ...] {MOV [EBP-0x44], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]} PAGE ... ? spjb.sys Das System kann die angegebene Datei nicht finden. ! .text USBPORT.SYS!DllUnload B8A368AC 5 Bytes JMP 8A8F01D8 .rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xBA0D5094] .text win32k.sys!EngSetLastError + 34D5 BF81FE00 3 Bytes JMP BF81FECE \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngSetLastError + 34D9 BF81FE04 1 Byte [00] .text win32k.sys!EngSetLastError + 34D9 BF81FE04 18 Bytes [00, 00, 8B, 45, 08, F6, 40, ...] .text win32k.sys!EngSetLastError + 34EC BF81FE17 5 Bytes [50, E8, 12, D4, 04] .text win32k.sys!EngSetLastError + 34F2 BF81FE1D 209 Bytes [0F, B7, C0, EB, 20, 90, 90, ...] .text ... .text win32k.sys!CLIPOBJ_bEnum + 51 BF824343 11 Bytes JMP 8D3A8B04 .text win32k.sys!CLIPOBJ_bEnum + 5D BF82434F 88 Bytes [00, 00, 2B, D7, 8B, 7A, 04, ...] .text win32k.sys!CLIPOBJ_bEnum + B6 BF8243A8 61 Bytes [8B, 51, 30, A5, A5, A5, A5, ...] .text win32k.sys!CLIPOBJ_bEnum + F4 BF8243E6 81 Bytes [3E, 89, 51, 44, EB, E8, 8B, ...] .text win32k.sys!CLIPOBJ_bEnum + 146 BF824438 43 Bytes [C1, EB, ED, 83, C0, FC, 8B, ...] .text ... .text win32k.sys!EngLpkInstalled + 1 BF825866 12 Bytes [0D, BC, 7B, 9A, BF, 33, C0, ...] .text win32k.sys!EngLpkInstalled + E BF825873 20 Bytes [0F, 95, C0, C3, 90, 90, 90, ...] .text win32k.sys!EngLpkInstalled + 23 BF825888 137 Bytes [91, B0, 00, 00, 00, 89, 10, ...] 
.text win32k.sys!EngLpkInstalled + AD BF825912 27 Bytes [81, F9, FF, 00, 00, 00, 74, ...] .text win32k.sys!EngLpkInstalled + C9 BF82592E 32 Bytes [40, EB, F9, 90, 90, 90, 90, ...] .text ... .text win32k.sys!EngBitBlt + 42 BF827284 101 Bytes [47, 1C, 52, 52, 51, 8D, 4D, ...] .text win32k.sys!EngBitBlt + A8 BF8272EA 38 Bytes [3D, 55, 55, 00, 00, 0F, 84, ...] .text win32k.sys!EngBitBlt + CF BF827311 8 Bytes [FF, 75, 1C, 57, E8, 3C, 1D, ...] .text win32k.sys!EngBitBlt + D8 BF82731A 27 Bytes [33, C0, 40, 5F, 5E, 5B, C9, ...] .text win32k.sys!EngBitBlt + F4 BF827336 2 Bytes [45, 1C] .text ... .text win32k.sys!EngPaint + 2 BF8281DD 78 Bytes [55, 8B, EC, 8B, 45, 18, 8B, ...] .text win32k.sys!EngPaint + 51 BF82822C 5 Bytes [90, 90, 90, 90, 90] {NOP ; NOP ; NOP ; NOP ; NOP } .text win32k.sys!EngPaint + 57 BF828232 62 Bytes [FF, 55, 8B, EC, 56, 8B, F1, ...] .text win32k.sys!EngPaint + 96 BF828271 9 Bytes [8B, F0, 85, F6, 74, 24, 83, ...] .text win32k.sys!EngPaint + A0 BF82827B 69 Bytes [74, CF, FF, 75, 08, 56, E8, ...] .text ... .text win32k.sys!EngCopyBits + 1 BF838873 63 Bytes [FF, 55, 8B, EC, 81, EC, FC, ...] .text win32k.sys!EngCopyBits + 41 BF8388B3 20 Bytes [83, 65, 0C, 00, F6, 40, 4A, ...] .text win32k.sys!EngCopyBits + 56 BF8388C8 11 Bytes [75, 1C, FF, 75, 18, 57, FF, ...] {JNZ 0x1e; PUSH DWORD [EBP+0x18]; PUSH EDI; PUSH DWORD [EBP+0x10]; PUSH EBX; PUSH ESI} .text win32k.sys!EngCopyBits + 62 BF8388D4 11 Bytes [55, 08, 8B, D8, 8D, 4D, 0C, ...] .text win32k.sys!EngCopyBits + 6E BF8388E0 39 Bytes [8B, C3, 5F, 5E, 5B, C9, C2, ...] .text ... .text win32k.sys!EngLockSurface + 1 BF8393CA 11 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...] .text win32k.sys!EngLockSurface + D BF8393D6 9 Bytes CALL BF8137EF \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngLockSurface + 17 BF8393E0 44 Bytes [75, FC, 85, F6, 74, 1A, 57, ...] .text win32k.sys!EngLockSurface + 44 BF83940D 59 Bytes [EC, 8B, 55, 14, 53, 8B, 5D, ...] 
.text win32k.sys!EngLockSurface + 80 BF839449 73 Bytes [D1, 85, C0, 74, 12, 50, E8, ...] .text ... .text win32k.sys!EngMapFontFileFD + 22 BF83CA6E 33 Bytes [EC, 8B, 45, 08, 85, C0, 74, ...] .text win32k.sys!EngMapFontFileFD + 44 BF83CA90 3 Bytes [F8, 89, 7D] .text win32k.sys!EngMapFontFileFD + 48 BF83CA94 31 Bytes JMP BF83CB5C \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngMapFontFileFD + 68 BF83CAB4 233 Bytes [6A, 02, 8D, 4D, 08, 51, 8D, ...] .text win32k.sys!EngMapFontFileFD + 152 BF83CB9E 58 Bytes [FF, 6A, 02, 68, 00, 00, 40, ...] .text ... .text win32k.sys!EngUnmapFontFileFD + 4 BF83CC6B 59 Bytes [EC, 83, EC, 20, 53, FF, 35, ...] .text win32k.sys!EngUnmapFontFileFD + 40 BF83CCA7 8 Bytes [8D, 45, E0, 50, E8, 78, 85, ...] .text win32k.sys!EngUnmapFontFileFD + 49 BF83CCB0 8 Bytes [EB, F1, 85, C9, 0F, 84, 2E, ...] .text win32k.sys!EngUnmapFontFileFD + 53 BF83CCBA 64 Bytes [F6, C1, 01, 0F, 85, 25, 03, ...] .text win32k.sys!EngUnmapFontFileFD + 94 BF83CCFB 53 Bytes [4D, 0C, 85, C9, 0F, 84, A5, ...] .text ... .text win32k.sys!EngCreateBitmap + 1B BF83DA49 72 Bytes CALL BF814219 \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngCreateBitmap + 64 BF83DA92 89 Bytes [1D, 8B, 55, 10, 8B, 4D, 0C, ...] .text win32k.sys!EngCreateBitmap + BE BF83DAEC 140 Bytes CALL BF83D997 \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngCreateBitmap + 14B BF83DB79 28 Bytes [55, 8B, EC, 83, EC, 14, 53, ...] .text win32k.sys!EngCreateBitmap + 168 BF83DB96 17 Bytes [00, 00, 39, 43, 0C, 0F, 85, ...] .text ... 
---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 009A000A .text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009B000A .text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0099000C .text C:\WINDOWS\System32\svchost.exe[644] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 00E5000A .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00B7000A .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00C1000A .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00B6000C .text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 009A000A .text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009B000A .text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0099000C ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spjb.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spjb.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spjb.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spjb.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spjb.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A93B1F8 AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) 
Device \FileSystem\MacOpen \MacOpenCd 8A8CE1F8 Device \FileSystem\MacOpen \MacOpen 8A8CE1F8 Device \Driver\usbstor \Device\0000009b 89D91388 Device \Driver\usbstor \Device\0000009c 89D91388 AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) Device \Driver\usbstor \Device\0000009d 89D91388 Device \Driver\usbstor \Device\0000009e 89D91388 Device \Driver\usbuhci \Device\USBPDO-0 8A6491F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8C31F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A8C31F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A8C31F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A8C31F8 Device \Driver\usbuhci \Device\USBPDO-1 8A6491F8 Device \Driver\usbuhci \Device\USBPDO-2 8A6491F8 Device \Driver\usbehci \Device\USBPDO-3 8A6021F8 Device \Driver\usbuhci \Device\USBPDO-4 8A6491F8 AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) Device \Driver\usbuhci \Device\USBPDO-5 8A6491F8 Device \Driver\usbuhci \Device\USBPDO-6 8A6491F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) Device \Driver\usbehci \Device\USBPDO-7 8A6021F8 Device \Driver\Cdrom \Device\CdRom0 8A4FC1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\atapi 
\Device\Ide\IdeDeviceP4T0L0-2f [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-10 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort4 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort5 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-1c [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-24 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-3a [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume4 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 sr.sys (Dateisystemfilter-Treiber der 
Systemwiederherstellung/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume5 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume6 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 89EBD500 Device \Driver\NetBT \Device\NetbiosSmb 89EBD500 AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) Device \Driver\NetBT \Device\NetBT_Tcpip_{69F97877-8014-439F-9E28-C81CEEA5E4DA} 89EBD500 Device \Driver\usbuhci \Device\USBFDO-0 8A6491F8 Device \Driver\usbstor \Device\00000099 89D91388 Device \Driver\usbuhci \Device\USBFDO-1 8A6491F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E27500 Device \Driver\usbuhci \Device\USBFDO-2 8A6491F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E27500 Device \Driver\usbehci \Device\USBFDO-3 8A6021F8 Device \Driver\usbuhci \Device\USBFDO-4 8A6491F8 Device \Driver\Ftdisk \Device\FtControl 8A8A41F8 Device \Driver\usbuhci \Device\USBFDO-5 8A6491F8 Device \Driver\usbuhci \Device\USBFDO-6 8A6491F8 Device \Driver\usbehci \Device\USBFDO-7 8A6021F8 Device \Driver\usbstor \Device\0000009a 89D91388 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \FileSystem\Fastfat \Fat 874A71F8 Device \FileSystem\Fastfat \Fat A258C297 AttachedDevice 
\FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 89E37500 Device -> \Driver\atapi \Device\Harddisk0\DR0 8A530EC5 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@LicenseKey H5D0-56B3-DA23-009B Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@NumberOfcdroms 3 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ServiceBinary C:\WINDOWS\system32\drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Group SCSI Miniport Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ImagePath System32\Drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Start 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Type 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Tag 66 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Error (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Error@ Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Result (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Result@ 0 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@0 ROOT\SCSIADAPTER\0000 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@Count 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@NextInstance 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters\pnpinterface (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters\pnpinterface@1 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@LicenseKey H5D0-56B3-DA23-009B Reg 
HKLM\SYSTEM\ControlSet002\Services\vbev5mp@NumberOfcdroms 3 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ServiceBinary C:\WINDOWS\system32\drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Group SCSI Miniport Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ImagePath System32\Drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Start 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Type 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Tag 66 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Error (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Error@ Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Result (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Result@ 0 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@0 ROOT\SCSIADAPTER\0000 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@Count 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@NextInstance 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters\pnpinterface (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters\pnpinterface@1 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System [...] ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
#3
Windows freezes, Firefox opens windows at random (in Flensburg)
One more question: can/may I uninstall ComboFix again?
#4
/// Malware-holic
Windows freezes, Firefox opens windows at random (in Flensburg)
Not yet, we'll do that at the end. So, now let's get started :-) Kaspersky TDSS Killer: "How are malicious programs of the Rootkit.Win32.TDSS family removed?" Run it and post the log.
#5
Windows freezes, Firefox opens windows at random (in Flensburg)
OK. With the default setting "cure", I assume!?
#6
/// Malware-holic
Windows freezes, Firefox opens windows at random (in Flensburg)
Yes, exactly.
#7
Windows freezes, Firefox opens windows at random (in Flensburg)
Here is the TDSSKiller report:
2010/08/06 13:06:04.0765 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41 2010/08/06 13:06:04.0765 ================================================================================ 2010/08/06 13:06:04.0765 SystemInfo: 2010/08/06 13:06:04.0765 2010/08/06 13:06:04.0765 OS Version: 5.1.2600 ServicePack: 3.0 2010/08/06 13:06:04.0765 Product type: Workstation 2010/08/06 13:06:04.0765 ComputerName: XXXXXXX 2010/08/06 13:06:04.0765 UserName: xxxxxxx xxx 2010/08/06 13:06:04.0765 Windows directory: C:\WINDOWS 2010/08/06 13:06:04.0765 System windows directory: C:\WINDOWS 2010/08/06 13:06:04.0765 Processor architecture: Intel x86 2010/08/06 13:06:04.0765 Number of processors: 2 2010/08/06 13:06:04.0765 Page size: 0x1000 2010/08/06 13:06:04.0765 Boot type: Normal boot 2010/08/06 13:06:04.0765 ================================================================================ 2010/08/06 13:06:05.0625 Initialize success 2010/08/06 13:06:15.0171 ================================================================================ 2010/08/06 13:06:15.0171 Scan started 2010/08/06 13:06:15.0171 Mode: Manual; 2010/08/06 13:06:15.0171 ================================================================================ 2010/08/06 13:06:16.0265 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/08/06 13:06:16.0328 ACPIEC (9e1ca3160dafb159ca14f83b1e317f75) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/08/06 13:06:16.0421 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/08/06 13:06:16.0468 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/08/06 13:06:16.0703 AnyDVD (82ce157ff3701ab50769b2654d0b0215) C:\WINDOWS\system32\Drivers\AnyDVD.sys 2010/08/06 13:06:16.0750 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2010/08/06 13:06:16.0890 AsyncMac
(7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/06 13:06:24.0000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/06 13:06:24.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/06 13:06:24.0156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/06 13:06:24.0234 redbook (ed761d453856f795a7fe056e42c36365) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/06 13:06:24.0312 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/08/06 13:06:24.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/06 13:06:24.0406 Sentinel (7e5c2c58fc4e3862e7bf88bfb809a9b0) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2010/08/06 13:06:24.0484 serenum (5944622925d74268228222298e14dcaa) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 13:06:24.0609 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/08/06 13:06:24.0656 sfng32 (76bd55922b3179fa7b5bd528839e6fb4) C:\WINDOWS\system32\drivers\sfng32.sys
2010/08/06 13:06:24.0718 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys
2010/08/06 13:06:24.0828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/08/06 13:06:24.0875 sptd - detected Locked file (1)
2010/08/06 13:06:24.0906 sr (50fa898f8c032796d3b1b9951bb5a90f) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/06 13:06:24.0937 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/06 13:06:25.0062 STHDA (527fd7d6919734c2a61c8aa3d5740e61) C:\WINDOWS\system32\drivers\sthda.sys
2010/08/06 13:06:25.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/06 13:06:25.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/06 13:06:25.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/06 13:06:25.0500 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys
2010/08/06 13:06:25.0546 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys
2010/08/06 13:06:25.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/06 13:06:25.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/06 13:06:25.0718 tdrpman147 (be7b1a73272648622b39be3c610e3ca0) C:\WINDOWS\system32\DRIVERS\tdrpm147.sys
2010/08/06 13:06:25.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/06 13:06:25.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/06 13:06:25.0906 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2010/08/06 13:06:25.0953 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys
2010/08/06 13:06:26.0078 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\trufos.sys
2010/08/06 13:06:26.0125 TSMPacket (7c1367bff5587cf49c0ed2e664f6eac0) C:\WINDOWS\system32\DRIVERS\tsmpkt.sys
2010/08/06 13:06:26.0187 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2010/08/06 13:06:26.0234 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/06 13:06:26.0343 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys
2010/08/06 13:06:26.0390 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/06 13:06:26.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/06 13:06:26.0468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/06 13:06:26.0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/06 13:06:26.0546 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/06 13:06:26.0578 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/06 13:06:26.0625 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/06 13:06:26.0703 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2010/08/06 13:06:26.0734 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/06 13:06:26.0812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/06 13:06:26.0859 VClone (9bf2ea54e5ed5acdf96f1dec84c117c4) C:\WINDOWS\system32\DRIVERS\VClone.sys
2010/08/06 13:06:26.0937 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/06 13:06:27.0046 VolSnap (a5a712f4e880874a477af790b5186e1d) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/06 13:06:27.0093 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2010/08/06 13:06:27.0140 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2010/08/06 13:06:27.0156 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
2010/08/06 13:06:27.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/06 13:06:27.0296 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/06 13:06:27.0390 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/06 13:06:27.0437 WinDriver6 (2c7d830e86b378771af5dafeae428a09) C:\WINDOWS\system32\drivers\windrvr6.sys
2010/08/06 13:06:27.0531 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/06 13:06:27.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/06 13:06:27.0843 ================================================================================
2010/08/06 13:06:27.0843 Scan finished
2010/08/06 13:06:27.0843 ================================================================================
2010/08/06 13:06:27.0859 Detected object count: 2
2010/08/06 13:07:53.0906 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:07:53.0906 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:07:55.0125 Backup copy found, using it..
2010/08/06 13:07:55.0140 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot
2010/08/06 13:07:55.0140 Rootkit.Win32.TDSS.tdl3(Serial) - User select action: Cure
2010/08/06 13:07:55.0140 Locked file(sptd) - User select action: Skip
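The two interesting records in the TDSSKiller log above are the "Forged" entry, where the tool computed two different MD5 values for the same serial.sys and flagged it as Rootkit.Win32.TDSS.tdl3, and the "NoAccess" entry for sptd.sys, a locked file it could not read at all (sptd belongs to the CD emulation software the helper later asks to disable). The following Python is an added example, not code from the thread or from TDSSKiller: it parses the record shapes seen in this log, ties each suspicious-file record back to its driver enumeration line and to the verdict and user action that follow, and produces a short triage list. The sample records are copied from the posted log; the regexes are derived from those lines only.

```python
import re
from dataclasses import dataclass

# Record shapes observed in the posted TDSSKiller log. TS is the timestamp
# prefix every record carries (date, time, fractional seconds).
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "
MD5 = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(TS + rf"(?P<name>\S+) \((?P<md5>{MD5})\) (?P<path>.+)$")
FORGED_RE = re.compile(TS + rf"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       rf"Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})$")
NOACCESS_RE = re.compile(TS + rf"Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>{MD5})$")
DETECTED_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
ACTION_RE = re.compile(TS + r"(?P<verdict>.+?)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")

# Records copied from the log in the post above, one per line as TDSSKiller
# writes them; the rest of the driver enumeration is left out.
SAMPLE_LOG = r"""
2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 13:06:24.0609 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/08/06 13:06:24.0875 sptd - detected Locked file (1)
2010/08/06 13:06:27.0859 Detected object count: 2
2010/08/06 13:07:55.0140 Rootkit.Win32.TDSS.tdl3(Serial) - User select action: Cure
2010/08/06 13:07:55.0140 Locked file(sptd) - User select action: Skip
"""

@dataclass
class Finding:
    name: str        # service name from the driver enumeration line
    path: str
    kind: str        # "Forged" (two hashes disagree) or "NoAccess" (file locked)
    listed_md5: str  # md5 printed in the enumeration line for this driver
    real_md5: str    # "Real md5" as TDSSKiller labels it (for NoAccess: its only md5)
    fake_md5: str    # "Fake md5" as TDSSKiller labels it ("" for NoAccess)
    verdict: str = ""
    action: str = ""

def parse_tdsskiller(text):
    """Return ({service name: Finding}, detected object count or None)."""
    drivers, findings, count = {}, {}, None
    for line in text.strip().splitlines():
        if m := DRIVER_RE.match(line):
            drivers[m["path"]] = (m["name"], m["md5"])
        elif m := FORGED_RE.match(line):
            name, listed = drivers.get(m["path"], ("?", ""))
            findings[name] = Finding(name, m["path"], "Forged", listed, m["real"], m["fake"])
        elif m := NOACCESS_RE.match(line):
            name, listed = drivers.get(m["path"], ("?", ""))
            findings[name] = Finding(name, m["path"], "NoAccess", listed, m["md5"], "")
        elif m := DETECTED_RE.match(line):
            if m["name"] in findings:
                findings[m["name"]].verdict = m["verdict"]
        elif m := ACTION_RE.match(line):
            if m["name"] in findings:
                findings[m["name"]].action = m["action"]
        elif m := COUNT_RE.match(line):
            count = int(m["n"])
    return findings, count

def triage(findings, count):
    """One line per finding, plus a warning if the count and the findings disagree."""
    notes = []
    for f in findings.values():
        if f.kind == "Forged":
            status = "cured on reboot" if f.action == "Cure" else f"action: {f.action or 'none'}"
            notes.append(f"{f.name}: hash mismatch on {f.path} -> {f.verdict}; {status}")
        else:
            notes.append(f"{f.name}: locked, contents not verified -> {f.verdict}; action: {f.action or 'none'}")
    if count is not None and count != len(findings):
        notes.append(f"warning: log reports {count} objects but {len(findings)} findings parsed")
    return notes
```

Running `triage(*parse_tdsskiller(open("TDSSKiller.log").read()))` against a full log gives the same two lines for this thread: serial.sys cured, sptd.sys skipped.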
#8
Firefox has just opened a page called "texasboy" unprompted/automatically ... Restart not yet done. Should I do it now?
#9
Will do; I'm not ... after all. Back in a moment.
#10
Restart done. Lying in wait to see what the fire fox does now ...

Last edited by SchmerlenOtt (06.08.2010 at 12:53)
#11
/// Malware-holic
Yes, unless of course you like the advertising so much that you don't want to get rid of it any more *g*
#12
/// Malware-holic
Then try the Norman TDSS Cleaner and post the result; a log should be created.
#13
So I haven't yet tried to remove sptd.sys, which Kaspersky flags as a "suspicious object". The default here is "skip". Should I choose cure or kill there? I wanted to hear your expert opinion before I do something wrong and cause more harm than good.
#14
Oops, was the TBB overloaded ... it's working again now: I didn't remove anything else with Kaspersky. Should I leave the file sptd.sys alone, or does something still need to be done with it? Here is the report from Norman TDSS Cleaner:

Norman TDSS Cleaner
Version 1.9.3
Copyright © 1990 - 2010, Norman ASA. Built 2010/05/25 11:56:03

Norman Scanner Engine Version: 6.04.08
Nvcbin.def Version: 6.04.00, Date: 2010/05/25 11:56:03, Variants: 57644

Scan started: 2010/08/06 14:12:39

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: xxxxxxx\xxxxxxxx
Removed registry key: HKCR\.exe -> shell
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Running anti-TDSS module:
No TDSS infection detected
TDSS scan complete. Will now scan for related malware

Scanning bootsectors...
Number of sectors found: 5
Number of sectors scanned: 5
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 125ms

Scanning running processes and process memory...
Number of processes/threads found: 4448
Number of processes/threads scanned: 4448
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 31s

Scanning file system...
Scanning: prescan
Scanning: C:\WINDOWS\system32\drivers\*
Scanning: postscan

Running post-scan cleanup routine:
Removed registry key: HKCR\.exe -> shell

Number of files found: 346
Number of archives unpacked: 0
Number of files scanned: 346
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 7s
#15
/// Malware-holic
OK, let's try the following.

You have CD emulators such as Alcohol, DaemonTools or similar installed on this computer. Because these emulators use rootkit techniques, they can distort and hamper the search for malicious rootkits.

Download http://filepony.de/download-defogger/ and save it to your desktop.
Double-click DeFogger to start the tool.
• The tool's program window opens.
• Click the Disable button to deactivate the CD emulation drivers.
• Click Yes to continue.
• When the message 'Finished!' appears, click OK.
• DeFogger will now ask for a reboot - click OK.
• Post the defogger_disable.log here in the thread.
Do not re-enable the drivers under any circumstances until you are told to.

Restart, then run Kaspersky TDSSKiller once more and post the log.