| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojaner oder defekte Festplatte?Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
| |
24.04.2011, 19:16
| #1 |
 |  Trojaner oder defekte Festplatte? Combofix Logfile: Code:
ATTFilter ComboFix 11-04-23.02 - Tesa 24.04.2011 20:06:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3199.2749 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Tesa\Desktop\cofi.exe.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\dokumente und einstellungen\Tesa\WINDOWS
c:\windows\settings.reg
c:\windows\system32\Data
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-03-24 bis 2011-04-24 ))))))))))))))))))))))))))))))
.
.
2011-04-23 23:39 . 2011-04-23 23:39 -------- d-----w- c:\dokumente und einstellungen\Tesa\Anwendungsdaten\The Games Company
2011-04-23 23:31 . 2011-04-23 23:31 -------- d-----w- c:\programme\The Games Company
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- C:\_OTL
2011-04-21 18:14 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 18:14 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 15:58 . 2011-04-21 15:58 40960 ----a-r- c:\dokumente und einstellungen\Tesa\Anwendungsdaten\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2011-04-21 15:58 . 2011-04-21 15:58 -------- d-----w- c:\programme\Western Digital Technologies
2011-04-21 08:17 . 2011-04-21 08:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 08:13 . 2011-04-21 08:13 -------- d-----w- c:\programme\PaintStar
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 17:25 . 2010-11-17 11:35 40112 ----a-w- c:\windows\avastSS.scr
2011-04-18 17:25 . 2010-01-22 16:31 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-07 05:33 . 2009-06-21 14:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:44 . 2006-02-28 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53 . 2006-02-28 12:00 1858048 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 14:56 . 2011-02-23 23:23 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-23 14:56 . 2010-01-22 16:31 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-01-22 16:32 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-01-22 16:31 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-01-22 16:31 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-01-22 16:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-01-22 16:32 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-01-22 16:31 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-17 13:51 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2006-02-28 12:00 672768 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2006-02-28 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:50 . 2006-02-28 12:00 371200 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:54 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-06-21 14:31 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-06-21 14:31 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-27 11:35 . 2009-06-24 15:44 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ------w- c:\programme\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\programme\Free Desktop Clock\DesktopClock.exe" [2006-10-01 334848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 64512]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-17 18789408]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"avast5"="c:\programme\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
"PDFPrint"="c:\programme\PDF24\pdf24.exe" [2010-12-14 216456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Programme\\Ascaron Entertainment\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=
"c:\\Programme\\Ascaron Entertainment\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"c:\\Programme\\ICQ7.0\\ICQ.exe"=
"c:\\Programme\\ICQ7.0\\aolload.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [24.02.2011 01:23 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22.01.2010 18:31 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.01.2010 18:31 19544]
R2 NAUpdate;@c:\programme\Nero\Update\NASvc.exe,-200;c:\programme\Nero\Update\NASvc.exe [04.05.2010 13:07 503080]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [07.11.2007 21:55 332928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21.01.2010 22:31 1684736]
S3 gsplittm;gsplittm;\??\c:\dokume~1\Tesa\LOKALE~1\Temp\gsplittm.sys --> c:\dokume~1\Tesa\LOKALE~1\Temp\gsplittm.sys [?]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\dokumente und einstellungen\Tesa\Anwendungsdaten\Mozilla\Firefox\Profiles\wq4r8qzl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\programme\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\programme\Ask.com\GenericAskToolbar.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-04-24 20:11
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1844237615-1844823847-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1844237615-1844823847-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,a6,e6,dc,dd,11,4b,c5,0e,c8,3c,d3,31,dc,55,d8,ca,4f,39,ac,88,d0,65,
dc,54,ef,ef,3b,bd,a6,5f,5f,38,4d,03,f6,4e,c1,a6,9a,65,aa,34,00,1d,bb,4f,a0,\
"??"=hex:c2,e0,f3,a5,39,30,28,dd,54,d7,87,01,64,75,82,cd
.
[HKEY_USERS\S-1-5-21-1844237615-1844823847-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:3b,76,47,2b,a9,99,db,21,ce,2a,ab,d0,97,70,20,5a,8a,dd,ca,d7,eb,
10,06,5a,75,b3,9a,7e,58,c1,4f,17,1a,90,70,7e,cf,33,21,2f,d0,af,b2,d0,5a,fb,\
"rkeysecu"=hex:41,a1,86,bc,96,01,87,95,c0,ab,4f,26,8d,07,39,b4
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2011-04-24 20:14:23
ComboFix-quarantined-files.txt 2011-04-24 18:14
.
Vor Suchlauf: 9 Verzeichnis(se), 209.664.434.176 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 209.725.726.720 Bytes frei
.
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 6653CD7B77B3973243A6B382464C6E73
|
|
25.04.2011, 13:59
| #2 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Trojaner oder defekte Festplatte? Combofix - Scripten
__________________1. Starte das Notepad (Start / Ausführen / notepad[Enter]) 2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein. Code:
ATTFilter File::
c:\dokume~1\Tesa\LOKALE~1\Temp\gsplittm.sys
Driver::
gsplittm
4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall. (Auch Guards von Ad-, Spyware Programmen und den Tea Timer (wenn vorhanden) !) 5. Dann ziehe die CFScript.txt auf die cofi.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.  6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien: Combofix.txt Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!
__________________ |
|
25.04.2011, 20:49
| #3 |
| | Trojaner oder defekte Festplatte? hier nun die neue Log-Datei.
__________________allerdings habe ich das Anti-Viren-Sytem nur bis zum Neustart deaktiviert und es ist eben nach diesem wieder angesprungen. Ich habe es dan gleich wieder deaktiviert, ich hoffe das hat nichts geändert. Combofix Logfile: Code:
ATTFilter ComboFix 11-04-25.01 - Tesa 25.04.2011 21:33:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3199.2726 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Tesa\Desktop\cofi.exe.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Tesa\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\dokume~1\Tesa\LOKALE~1\Temp\gsplittm.sys"
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GSPLITTM
-------\Service_gsplittm
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-03-25 bis 2011-04-25 ))))))))))))))))))))))))))))))
.
.
2011-04-23 23:39 . 2011-04-23 23:39 -------- d-----w- c:\dokumente und einstellungen\Tesa\Anwendungsdaten\The Games Company
2011-04-23 23:31 . 2011-04-23 23:31 -------- d-----w- c:\programme\The Games Company
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- C:\_OTL
2011-04-21 18:14 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 18:14 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 15:58 . 2011-04-21 15:58 40960 ----a-r- c:\dokumente und einstellungen\Tesa\Anwendungsdaten\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2011-04-21 15:58 . 2011-04-21 15:58 -------- d-----w- c:\programme\Western Digital Technologies
2011-04-21 08:17 . 2011-04-21 08:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-21 08:13 . 2011-04-21 08:13 -------- d-----w- c:\programme\PaintStar
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 17:25 . 2010-11-17 11:35 40112 ----a-w- c:\windows\avastSS.scr
2011-04-18 17:25 . 2010-01-22 16:31 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-07 05:33 . 2009-06-21 14:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:44 . 2006-02-28 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53 . 2006-02-28 12:00 1858048 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 14:56 . 2011-02-23 23:23 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-23 14:56 . 2010-01-22 16:31 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-01-22 16:32 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-01-22 16:31 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-01-22 16:31 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-01-22 16:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-01-22 16:32 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-01-22 16:31 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-17 13:51 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2006-02-28 12:00 672768 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2006-02-28 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:50 . 2006-02-28 12:00 371200 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:54 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-06-21 14:31 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-06-21 14:31 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-27 11:35 . 2009-06-24 15:44 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-24_18.11.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-25 19:41 . 2011-04-25 19:41 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ------w- c:\programme\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\programme\Free Desktop Clock\DesktopClock.exe" [2006-10-01 334848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 64512]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-17 18789408]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"avast5"="c:\programme\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
"PDFPrint"="c:\programme\PDF24\pdf24.exe" [2010-12-14 216456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Programme\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Programme\\Ascaron Entertainment\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=
"c:\\Programme\\Ascaron Entertainment\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"c:\\Programme\\ICQ7.0\\ICQ.exe"=
"c:\\Programme\\ICQ7.0\\aolload.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [24.02.2011 01:23 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22.01.2010 18:31 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.01.2010 18:31 19544]
R2 NAUpdate;@c:\programme\Nero\Update\NASvc.exe,-200;c:\programme\Nero\Update\NASvc.exe [04.05.2010 13:07 503080]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [07.11.2007 21:55 332928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21.01.2010 22:31 1684736]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\dokumente und einstellungen\Tesa\Anwendungsdaten\Mozilla\Firefox\Profiles\wq4r8qzl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-04-25 21:43
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1844237615-1844823847-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1844237615-1844823847-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,a6,e6,dc,dd,11,4b,c5,0e,c8,3c,d3,31,dc,55,d8,ca,4f,39,ac,88,d0,65,
dc,54,ef,ef,3b,bd,a6,5f,5f,38,4d,03,f6,4e,c1,a6,9a,65,aa,34,00,1d,bb,4f,a0,\
"??"=hex:c2,e0,f3,a5,39,30,28,dd,54,d7,87,01,64,75,82,cd
.
[HKEY_USERS\S-1-5-21-1844237615-1844823847-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:3b,76,47,2b,a9,99,db,21,ce,2a,ab,d0,97,70,20,5a,8a,dd,ca,d7,eb,
10,06,5a,75,b3,9a,7e,58,c1,4f,17,1a,90,70,7e,cf,33,21,2f,d0,af,b2,d0,5a,fb,\
"rkeysecu"=hex:41,a1,86,bc,96,01,87,95,c0,ab,4f,26,8d,07,39,b4
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(1124)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3600)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programme\Alwil Software\Avast5\AvastSvc.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\windows\system32\Rundll32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-04-25 21:46:01 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2011-04-25 19:45
ComboFix2.txt 2011-04-24 18:14
.
Vor Suchlauf: 10 Verzeichnis(se), 209.750.728.704 Bytes frei
Nach Suchlauf: 10 Verzeichnis(se), 209.546.641.408 Bytes frei
.
Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 564FD4C4A50C0B15E834C4851D871B5C
|
|
25.04.2011, 20:54
| #4 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner oder defekte Festplatte? Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen. Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst. Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
25.04.2011, 23:55
| #5 |
| | Trojaner oder defekte Festplatte? GMER Logfile: Code:
ATTFilter GMER 1.0.15.15570 - hxxp://www.gmer.net
Rootkit scan 2011-04-26 00:35:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-a ST3750640AS rev.3.AAE
Running: jhjde4i2.exe; Driver: C:\DOKUME~1\Tesa\LOKALE~1\Temp\pxloypow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAC9A99CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xACA26A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAC9C9AF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAC9ABEAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAC9ABF04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAC9AC01A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAC9C94A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAC9ABE02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAC9ABF54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAC9ABE56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAC9ABFC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAC9A99EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAC9CA1BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAC9CA471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAC9AC29E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAC9CA026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAC9C9E91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xACA26B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAC9A97B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAC9A9A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAC9AC412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAC9AA4AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAC9ABEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAC9ABF2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAC9AC044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAC9C9805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAC9ABE2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAC9AC0D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAC9ABF94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAC9ABE84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAC9AC1BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAC9ABFF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xACA26BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAC9C9D0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAC9AA370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAC9C9B5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xACA2EE26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAC9C8B1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAC9A9A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAC9A9A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAC9A9812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAC9A994E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAC9CA2C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAC9A992A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAC9A9972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAC9A9A7E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xACA3B8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes JMP ACA38D38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 805766FB 4 Bytes CALL AC9AAE25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B9EC 7 Bytes JMP ACA3B8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805AD1E0 5 Bytes JMP ACA3729E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.sfrelocÿÿÿÿsfsync04unknown last section [0xF74F5000, 0xBC6, 0x40000040] C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF74F5000, 0xBC6, 0x40000040]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB95A6000, 0x238E77, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA94F8300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA34B300, 0x1B7E, 0xE8000020]
? C:\cofi.exe\catchme.sys Das System kann den angegebenen Pfad nicht finden. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !
---- User code sections - GMER 1.0.15 ----
.text C:\Programme\Nero\Update\NASvc.exe[216] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\Programme\Nero\Update\NASvc.exe[216] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\Programme\Nero\Update\NASvc.exe[216] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003900E4
.text C:\Programme\Nero\Update\NASvc.exe[216] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390120
.text C:\Programme\Nero\Update\NASvc.exe[216] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003900A8
.text C:\Programme\Nero\Update\NASvc.exe[216] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00390030
.text C:\Programme\Nero\Update\NASvc.exe[216] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 0039006C
.text C:\Programme\Nero\Update\NASvc.exe[216] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 003A01D4
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003A00E4
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 003A0120
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 003A015C
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 003A0198
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 003A0030
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 003A006C
.text C:\Programme\Nero\Update\NASvc.exe[216] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 003A00A8
.text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00140030
.text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0014006C
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 003801D4
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003800E4
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 00380120
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 0038015C
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 00380198
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 00380030
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 0038006C
.text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 003800A8
.text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003900E4
.text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390120
.text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003900A8
.text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00390030
.text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 0039006C
.text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 3 Bytes JMP 003901D4
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E06D85 1 Byte [88]
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003900E4
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 00390120
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 0039015C
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 00390198
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 00390030
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 0039006C
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 003900A8
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003A00E4
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003A0120
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003A00A8
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003A0030
.text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[260] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003A006C
.text C:\Programme\Alwil Software\Avast5\AvastSvc.exe[416] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\system32\spoolsv.exe[524] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[524] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\spoolsv.exe[524] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\spoolsv.exe[524] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\spoolsv.exe[524] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\spoolsv.exe[524] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\spoolsv.exe[524] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\spoolsv.exe[524] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\Rundll32.exe[712] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\Rundll32.exe[712] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\Rundll32.exe[712] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\Rundll32.exe[712] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\Rundll32.exe[712] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\Rundll32.exe[712] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\Rundll32.exe[712] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002C01D4
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002C015C
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002C0198
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\Rundll32.exe[712] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002C00A8
.text C:\Programme\PDF24\pdf24.exe[724] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00140030
.text C:\Programme\PDF24\pdf24.exe[724] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0014006C
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 005401D4
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 005400E4
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 00540120
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 0054015C
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 00540198
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 00540030
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 0054006C
.text C:\Programme\PDF24\pdf24.exe[724] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 005400A8
.text C:\Programme\PDF24\pdf24.exe[724] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 005500E4
.text C:\Programme\PDF24\pdf24.exe[724] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00550120
.text C:\Programme\PDF24\pdf24.exe[724] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 005500A8
.text C:\Programme\PDF24\pdf24.exe[724] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00550030
.text C:\Programme\PDF24\pdf24.exe[724] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0055006C
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\winlogon.exe[1124] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00070030
.text C:\WINDOWS\system32\winlogon.exe[1124] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\winlogon.exe[1124] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\services.exe[1172] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\services.exe[1172] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\services.exe[1172] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\lsass.exe[1184] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\lsass.exe[1184] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\lsass.exe[1184] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\lsass.exe[1184] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\lsass.exe[1184] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\lsass.exe[1184] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\lsass.exe[1184] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\lsass.exe[1184] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003900E4
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390120
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003900A8
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00390030
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 0039006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 003A01D4
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003A00E4
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 003A0120
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 003A015C
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 003A0198
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 003A0030
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 003A006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1360] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 003A00A8
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\svchost.exe[1576] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\svchost.exe[1576] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\System32\svchost.exe[1576] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\System32\svchost.exe[1576] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\System32\svchost.exe[1576] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\System32\svchost.exe[1576] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[1616] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1616] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1616] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1616] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1616] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1616] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1616] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1668] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[1796] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1796] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 003B01D4
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003B00E4
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 003B0120
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 003B015C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 003B0198
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!CreateServiceA 77E07211 5 Bytes JMP 003B0030
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!CreateServiceW 77E073A9 5 Bytes JMP 003B006C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] advapi32.dll!DeleteService 77E074B1 5 Bytes JMP 003B00A8
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003C00E4
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] user32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003C0120
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] user32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003C00A8
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] user32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003C0030
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[1892] user32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003C006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003900E4
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390120
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003900A8
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00390030
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 0039006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 003A01D4
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003A00E4
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 003A0120
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 003A015C
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 003A0198
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 003A0030
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 003A006C
.text C:\WINDOWS\system32\Ati2evxx.exe[1944] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 003A00A8
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 3 Bytes JMP 003901D4
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E06D85 1 Byte [88]
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003900E4
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 00390120
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 0039015C
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 00390198
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 00390030
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 0039006C
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 003900A8
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003A00E4
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003A0120
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003A00A8
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003A0030
.text C:\Programme\Java\jre6\bin\jqs.exe[2028] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003A006C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00150030
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0015006C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 003B01D4
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 003B00E4
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 003B0120
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 003B015C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 003B0198
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!CreateServiceA 77E07211 5 Bytes JMP 003B0030
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!CreateServiceW 77E073A9 5 Bytes JMP 003B006C
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] advapi32.dll!DeleteService 77E074B1 5 Bytes JMP 003B00A8
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003C00E4
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] user32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003C0120
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] user32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003C00A8
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] user32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003C0030
.text C:\Programme\Free Desktop Clock\DesktopClock.exe[2036] user32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003C006C
.text C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!SetServiceObjectSecurity 77E06D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!ChangeServiceConfigW 77E07001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!CreateServiceA 77E07211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!DeleteService 77E074B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[2044] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[2044] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[2044] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[2044] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[2044] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 002C006C
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[1172] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[1172] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort4 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort5 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-28 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-20 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-a sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP4T1L0-12 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----
|
|
25.04.2011, 23:58
| #6 |
| | Trojaner oder defekte Festplatte? Für eine Antwort war das leider zu viel Text, hier ist das zweite Logfile, das dritte kommt auch gleich noch. OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 00:53:02 on 26.04.2011 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Mozilla Corporation Firefox 3.6.16 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Control Panel Objects] -----( %SystemRoot%\system32 )----- "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "PhysX.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\PhysX.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "aswFsBlk" (aswFsBlk) - "AVAST Software" - C:\WINDOWS\system32\drivers\aswFsBlk.sys "aswRdr" (aswRdr) - "AVAST Software" - C:\WINDOWS\system32\drivers\aswRdr.sys "aswSnx" (aswSnx) - "AVAST Software" - C:\WINDOWS\system32\drivers\aswSnx.sys "aswSP" (aswSP) - "AVAST Software" - C:\WINDOWS\system32\drivers\aswSP.sys "atksgt" (atksgt) - ? - C:\WINDOWS\System32\DRIVERS\atksgt.sys (File found, but it contains no detailed information) "avast! Asynchronous Virus Monitor" (Aavmker4) - "AVAST Software" - C:\WINDOWS\system32\drivers\Aavmker4.sys "avast! Network Shield Support" (aswTdi) - "AVAST Software" - C:\WINDOWS\system32\drivers\aswTdi.sys "avast! Standard Shield Support" (aswMon2) - "AVAST Software" - C:\WINDOWS\system32\drivers\aswMon2.sys "catchme" (catchme) - ? - C:\cofi.exe\catchme.sys (File not found) "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "lirsgt" (lirsgt) - ? - C:\WINDOWS\System32\DRIVERS\lirsgt.sys (File found, but it contains no detailed information) "mbr" (mbr) - ? - C:\DOKUME~1\Tesa\LOKALE~1\Temp\mbr.sys (Hidden registry entry, rootkit activity | File not found) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "pxloypow" (pxloypow) - ? - C:\DOKUME~1\Tesa\LOKALE~1\Temp\pxloypow.sys (Hidden registry entry, rootkit activity | File not found) "StarForce Protection Environment Driver (version 1.x)" (sfdrv01) - "Protection Technology (StarForce)" - C:\WINDOWS\System32\drivers\sfdrv01.sys "StarForce Protection Helper Driver (version 2.x)" (sfhlp02) - "Protection Technology (StarForce)" - C:\WINDOWS\System32\drivers\sfhlp02.sys "StarForce Protection Synchronization Driver (version 4.x)" (sfsync04) - "Protection Technology (StarForce)" - C:\WINDOWS\System32\drivers\sfsync04.sys "StarForce Protection VFS Driver (version 2.x)" (sfvfs02) - "Protection Technology" - C:\WINDOWS\System32\drivers\sfvfs02.sys "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {472083B0-C522-11CF-8763-00608CC02F24} "avast" - "AVAST Software" - C:\Programme\Alwil Software\Avast5\ashShell.dll {19741013-C829-11D1-8233-0020AF3E97A9} "Context Menu Shell Extension" - ? - C:\Programme\PaintStar\picview.dll (File found, but it contains no detailed information) {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found) {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - ? - (File not found | COM-object registry key not found) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" - "Safer Networking Limited" - C:\PROGRA~1\SPYBOT~1\SDHelper.dll "ICQ7" - "ICQ, LLC." - C:\Programme\ICQ7.0\ICQ.exe -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll {53707962-6F74-2D53-2644-206D7942484F} "Spybot-S&D IE Protection" - "Safer Networking Limited" - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\Tesa\Startmenü\Programme\Autostart\desktop.ini -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "SkinClock" - ? - C:\Programme\Free Desktop Clock\DesktopClock.exe (File found, but it contains no detailed information) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" "avast5" - "AVAST Software" - "C:\Programme\Alwil Software\Avast5\avastUI.exe" /nogui "PDFPrint" - "Geek Software GmbH" - C:\Programme\PDF24\pdf24.exe "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "@C:\Programme\Nero\Update\NASvc.exe,-200" (NAUpdate) - "Nero AG" - C:\Programme\Nero\Update\NASvc.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "avast! Antivirus" (avast! Antivirus) - "AVAST Software" - C:\Programme\Alwil Software\Avast5\AvastSvc.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Windows CardSpace" (idsvc) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru |
|
26.04.2011, 11:17
| #7 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner oder defekte Festplatte? Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!!
__________________ Logfiles bitte immer in CODE-Tags posten |
|
| Themen zu Trojaner oder defekte Festplatte? |
| adobe, audio, avast, dateien, dateien unsichtbar, defekt, defekte festplatte, festplatte, festplatte defekt, flash-player, frage, gelöscht, gesperrt, leer, linux, lösung, microsoft, nicht sicher, ordner, problem, programme, rechner, scan, spybot, systemwiederherstellung, tojaner, trojaner, trojaner eingefangen, updates, verdacht, voll, wärend, ändern |
Hybrid-Darstellung
