So, it was scanning again and then hung at "\bxipptp". Mouse stops, Windows stops! SHIFT-ALT-DEL doesn't work. What I do: hold the power button until it's off...
I'll keep it short for now, but please don't take it as rude: rebooted and, to the best of my knowledge, closed all programs (also via SHIFT-ALT-DEL). GMER 1.0.15.15281 is scanning. I need to get something to eat first, with all this stress. See you later! Gerhard "Schmerlenotto"
So, nun hat GMER über Nacht den Scan durchgeführt. Wegen der Länge kommt das Log in drei Teilen (auch als drei .txt-files hochgeladen): GMER Teil 1: GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-08-06 06:19:44 Windows 5.1.2600 Service Pack 3 Running: u4jf7786.exe; Driver: C:\DOKUME~1\GERHAR~1\LOKALE~1\Temp\pxlyypow.sys ---- System - GMER 1.0.15 ---- SSDT spjb.sys ZwCreateKey [0xB9EA80E0] SSDT spjb.sys ZwEnumerateKey [0xB9EC6CA2] SSDT spjb.sys ZwEnumerateValueKey [0xB9EC7030] SSDT spjb.sys ZwOpenKey [0xB9EA80C0] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA3426C90] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xA3426D7E] SSDT spjb.sys ZwQueryKey [0xB9EC7108] SSDT spjb.sys ZwQueryValueKey [0xB9EC6F88] SSDT spjb.sys ZwSetValueKey [0xB9EC719A] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xA3426BF4] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateThread [0xA3426EC4] INT 0x74 ? 8A8F0BF8 INT 0x83 ? 8A8F0BF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8F0BF8 INT 0x94 ? 8A8FEBF8 INT 0xB4 ? 8A8FEBF8 INT 0xB4 ? 8A8FEBF8 INT 0xB4 ? 8A8F0BF8 INT 0xB4 ? 8A8F0BF8 INT 0xB4 ? 8A8FEBF8 ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntkrnlpa.exe!NtSetInformationThread + 138 805CC200 23 Bytes [EC, 8B, 00, 8B, 00, 89, 45, ...] PAGE ntkrnlpa.exe!NtSetInformationThread + 150 805CC218 2 Bytes [85, 9D] PAGE ntkrnlpa.exe!NtSetInformationThread + 155 805CC21D 5 Bytes [C7, 45, FC, 03, 00] PAGE ntkrnlpa.exe!NtSetInformationThread + 15B 805CC223 42 Bytes [00, 8A, 06, 88, 45, A0, 89, ...] 
PAGE ntkrnlpa.exe!NtSetInformationThread + 186 805CC24E 22 Bytes [75, A0, FF, 75, CC, E8, 8C, ...] PAGE ... PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 1 805CC94F 96 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 62 805CC9B0 8 Bytes [48, 28, 89, 0D, 04, 4C, 56, ...] PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 6B 805CC9B9 8 Bytes [48, 2C, 89, 0D, 08, 4C, 56, ...] {DEC EAX; SUB AL, 0x89; OR EAX, 0x80564c08} PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 74 805CC9C2 33 Bytes [48, 30, 89, 0D, 14, 4C, 56, ...] PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 96 805CC9E4 77 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + 44 805CCA32 45 Bytes [00, 74, 11, 8B, 80, D0, 00, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + 72 805CCA60 64 Bytes CALL 805AFF63 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + B3 805CCAA1 33 Bytes [0A, B8, 22, 00, 00, C0, E9, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + D5 805CCAC3 20 Bytes [46, 44, 89, 45, E0, 38, 9E, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + EA 805CCAD8 45 Bytes CALL 80510C49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!NtQueryInformationProcess + 6B 805CCFB9 178 Bytes [FC, FF, 8B, 85, 28, FF, FF, ...] PAGE ntkrnlpa.exe!NtQueryInformationProcess + 11E 805CD06C 33 Bytes [00, 8B, 45, E0, 89, 06, E9, ...] PAGE ntkrnlpa.exe!NtQueryInformationProcess + 140 805CD08E 32 Bytes JMP 805CD46C \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!NtQueryInformationProcess + 162 805CD0B0 10 Bytes CALL 805BB47F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!NtQueryInformationProcess + 16D 805CD0BB 10 Bytes [8C, 3A, 0D, 00, 00, 8B, 3D, ...] PAGE ... 
PAGE ntkrnlpa.exe!NtSetInformationProcess + 57 805CDE9B 3 Bytes CALL 80614099 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!NtSetInformationProcess + 5B 805CDE9F 4 Bytes [8D, 04, 1F, 3B] PAGE ntkrnlpa.exe!NtSetInformationProcess + 60 805CDEA4 13 Bytes [72, 08, 3B, 05, 34, 21, 56, ...] PAGE ntkrnlpa.exe!NtSetInformationProcess + 6E 805CDEB2 30 Bytes [00, 83, 4D, FC, FF, 8B, 45, ...] PAGE ntkrnlpa.exe!NtSetInformationProcess + 8D 805CDED1 91 Bytes CALL 80592C59 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsDereferenceImpersonationToken + 71 805CED39 59 Bytes [75, 0C, 33, C0, 38, 46, 24, ...] PAGE ntkrnlpa.exe!PsReferencePrimaryToken + D 805CED75 26 Bytes [00, 00, 00, 8B, CB, E8, 9F, ...] PAGE ntkrnlpa.exe!PsReferencePrimaryToken + 28 805CED90 44 Bytes [8F, D4, 00, 00, 00, 83, C6, ...] PAGE ntkrnlpa.exe!PsReferencePrimaryToken + 55 805CEDBD 226 Bytes [89, 45, 08, 8D, 51, FC, 8B, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + A2 805CEEA0 28 Bytes [13, 8D, 47, 34, 39, 00, 74, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + BF 805CEEBD 20 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + D4 805CEED2 28 Bytes [00, 08, 8B, 87, 20, 02, 00, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + F3 805CEEF1 105 Bytes [8D, B7, 38, 02, 00, 00, 8B, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + 15D 805CEF5B 71 Bytes [FF, 83, D4, 00, 00, 00, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!PsImpersonateClient + 2B 805CF0D5 16 Bytes [8D, B3, 48, 02, 00, 00, F6, ...] PAGE ntkrnlpa.exe!PsImpersonateClient + 3C 805CF0E6 5 Bytes [00, 64, A1, 24, 01] PAGE ntkrnlpa.exe!PsImpersonateClient + 42 805CF0EC 71 Bytes [00, 8B, F8, FF, 8F, D4, 00, ...] 
PAGE ntkrnlpa.exe!PsImpersonateClient + 8A 805CF134 30 Bytes CALL 8060C54F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsImpersonateClient + A9 805CF153 22 Bytes JMP 805CF345 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsDisableImpersonation + 68 805CF3D4 25 Bytes [8B, 43, 08, 89, 47, 08, 8A, ...] PAGE ntkrnlpa.exe!PsDisableImpersonation + 82 805CF3EE 22 Bytes [FC, 8B, 4D, 0C, 6A, 02, 33, ...] PAGE ntkrnlpa.exe!PsDisableImpersonation + 99 805CF405 145 Bytes [FF, 86, D4, 00, 00, 00, 75, ...] PAGE ntkrnlpa.exe!PsRevertToSelf + 1F 805CF497 56 Bytes [0F, B1, 0F, 85, C0, 74, 07, ...] PAGE ntkrnlpa.exe!PsRevertToSelf + 58 805CF4D0 19 Bytes CALL 8060C550 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsRevertToSelf + 6C 805CF4E4 7 Bytes [74, 0C, B1, 01, C6, 46, 49] PAGE ntkrnlpa.exe!PsRevertToSelf + 74 805CF4EC 53 Bytes [FF, 15, 0C, 81, 4D, 80, 85, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 1A 805CF522 82 Bytes [00, 00, 8B, F8, FF, 8F, D4, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 6D 805CF575 2 Bytes [87, D4] {XCHG ESP, EDX} PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 71 805CF579 53 Bytes [00, 75, 13, 8D, 47, 34, 39, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + A7 805CF5AF 73 Bytes [08, 85, F6, 74, 3C, 57, 56, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + F1 805CF5F9 12 Bytes CALL 805C5DF4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 4A 805CF75A 3 Bytes CALL 805BB483 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 4E 805CF75E 35 Bytes [3B, C3, 0F, 8C, D0, 00, 00, ...] PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 72 805CF782 1 Byte [00] PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 72 805CF782 8 Bytes [00, 00, 00, 56, E8, A3, 8A, ...] 
PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 7B 805CF78B 22 Bytes [50, 53, 53, 56, 8B, 7D, 08, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 1A 805CFC34 74 Bytes [8B, F0, 85, F6, 74, 1F, 56, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 65 805CFC7F 49 Bytes [49, D0, 03, 00, 56, E8, 2B, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 97 805CFCB1 14 Bytes [84, C0, 75, 1F, 83, C3, 04, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + A6 805CFCC0 9 Bytes [BF, 0D, 00, 00, C0, 56, E8, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + B0 805CFCCA 16 Bytes [00, 8B, C7, 5F, 5E, 5B, 5D, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 12 805CFCFC 20 Bytes [8B, D8, 3B, DF, 75, 07, B8, ...] PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 27 805CFD11 23 Bytes CALL 8060CAFC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 3F 805CFD29 38 Bytes [CB, 02, 02, 00, B8, 9A, 00, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 2 805CFD50 34 Bytes [55, 8B, EC, 53, 56, 57, 33, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 25 805CFD73 9 Bytes [0D, 56, 6A, 00, 57, E8, 81, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 2F 805CFD7D 116 Bytes [84, C0, 75, 1C, 56, 57, E8, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + A4 805CFDF2 18 Bytes [F6, 86, 48, 02, 00, 00, 03, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + B7 805CFE05 92 Bytes [08, 74, 04, C6, 45, E7, 01, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 4 805CFF92 34 Bytes [EC, 53, 57, 33, FF, 57, FF, ...] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 27 805CFFB5 6 Bytes [53, 56, E8, 42, CB, 03] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 2E 805CFFBC 1 Byte [84] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 2E 805CFFBC 32 Bytes [84, C0, 75, 1D, 83, C7, 04, ...] 
PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 4F 805CFFDD 49 Bytes [33, C9, B8, C8, 39, 56, 80, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 15 805D000F 43 Bytes [8B, F0, 85, F6, 74, 1F, 56, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 41 805D003B 18 Bytes [72, CC, B8, 7A, 00, 00, C0, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 54 805D004E 53 Bytes [83, C9, FF, F0, 0F, C1, 08, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 8A 805D0084 28 Bytes [74, 38, 53, 56, 57, 6A, 08, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + A7 805D00A1 38 Bytes [03, 00, FF, 75, 10, FF, 75, ...] PAGE ... PAGE ntkrnlpa.exe!ZwCreateThread + C 805D0FDE 25 Bytes [83, 65, FC, 00, 64, A1, 24, ...] PAGE ntkrnlpa.exe!ZwCreateThread + 26 805D0FF8 16 Bytes [A1, 34, 21, 56, 80, 8B, 4D, ...] PAGE ntkrnlpa.exe!ZwCreateThread + 38 805D100A 24 Bytes [8B, 01, 89, 01, 8B, 5D, 18, ...] PAGE ntkrnlpa.exe!ZwCreateThread + 51 805D1023 96 Bytes [00, F6, C3, 03, 74, 05, E8, ...] PAGE ntkrnlpa.exe!ZwCreateThread + B2 805D1084 52 Bytes [C0, EB, 63, 8B, 5D, 20, 8B, ...] PAGE ... PAGE ntkrnlpa.exe!PsCreateSystemThread + 37 805D112F 11 Bytes [CC, CC, CC, CC, CC, 6A, 0C, ...] PAGE ntkrnlpa.exe!ZwCreateProcessEx + 7 805D113B 88 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwCreateProcessEx + 60 805D1194 21 Bytes [75, 20, FF, 75, 1C, FF, 75, ...] PAGE ntkrnlpa.exe!ZwCreateProcessEx + 76 805D11AA 5 Bytes [FF, EB, 05, B8, 0D] PAGE ntkrnlpa.exe!ZwCreateProcessEx + 7D 805D11B1 182 Bytes CALL 8053BBDA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwQueueApcThread + 38 805D1268 2 Bytes [45, 08] PAGE ntkrnlpa.exe!ZwQueueApcThread + 3B 805D126B 95 Bytes [DB, F6, 80, 48, 02, 00, 00, ...] PAGE ntkrnlpa.exe!ZwQueueApcThread + 9C 805D12CC 11 Bytes [C0, 5F, 8B, 4D, 08, E8, C4, ...] 
PAGE ntkrnlpa.exe!ZwQueueApcThread + A8 805D12D8 104 Bytes [C3, 5B, C9, C2, 14, 00, CC, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 5D 805D1341 16 Bytes [8B, 95, C8, FC, FF, FF, A1, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 6E 805D1352 36 Bytes [8B, 0A, 89, 8D, B0, FC, FF, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 93 805D1377 116 Bytes [CC, 00, 00, 00, 83, 4D, FC, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 108 805D13EC 33 Bytes [00, 8A, 8D, CF, FC, FF, FF, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 12A 805D140E 56 Bytes [FF, 33, C0, 40, C3, 8B, 85, ...] PAGE ... PAGE ntkrnlpa.exe!ZwGetContextThread + A 805D14EE 27 Bytes [01, 00, 00, 8A, 80, 40, 01, ...] PAGE ntkrnlpa.exe!ZwGetContextThread + 26 805D150A 173 Bytes CALL 805BB47E \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetContextThread + 68 805D15B8 26 Bytes [CA, B8, 20, 00, 01, 00, 23, ...] PAGE ntkrnlpa.exe!PsSetContextThread + 83 805D15D3 16 Bytes [FF, 8B, F3, 8D, BD, 14, FD, ...] PAGE ntkrnlpa.exe!PsSetContextThread + 94 805D15E4 43 Bytes [C8, 83, E1, 03, F3, A4, 83, ...] PAGE ntkrnlpa.exe!PsSetContextThread + C0 805D1610 10 Bytes [89, 85, 0C, FD, FF, FF, 89, ...] PAGE ntkrnlpa.exe!PsSetContextThread + CB 805D161B 21 Bytes [FF, 8A, 45, 10, 88, 85, 00, ...] PAGE ... PAGE ntkrnlpa.exe!ZwSetContextThread + 2F 805D1723 24 Bytes [8B, F0, 85, F6, 7C, 2A, 57, ...] 
PAGE ntkrnlpa.exe!ZwSetContextThread + 48 805D173C 76 Bytes CALL 805D154F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsGetProcessExitProcessCalled + D 805D1789 59 Bytes CALL DD5E3B90 PAGE ntkrnlpa.exe!PsSetJobUIRestrictionsClass + 11 805D17C5 3 Bytes [5D, C2, 08] PAGE ntkrnlpa.exe!PsSetJobUIRestrictionsClass + 15 805D17C9 5 Bytes [CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } PAGE ntkrnlpa.exe!PsSetProcessPriorityClass + 1 805D17CF 2 Bytes [FF, 55] PAGE ntkrnlpa.exe!PsSetProcessPriorityClass + 4 805D17D2 49 Bytes [EC, 8A, 45, 0C, 8B, 4D, 08, ...] PAGE ntkrnlpa.exe!PsSetThreadWin32Thread + 2 805D1804 82 Bytes [55, 8B, EC, 8B, 45, 0C, 85, ...] PAGE ntkrnlpa.exe!PsSetProcessSecurityPort + 9 805D1857 140 Bytes [4D, 08, 89, 81, 98, 01, 00, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 2 805D18E4 16 Bytes [55, 8B, EC, 51, 83, 65, FC, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 13 805D18F5 70 Bytes [8B, 7D, 08, 8B, F0, FF, 8E, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 5A 805D193C 12 Bytes [C0, EB, 19, 81, C7, 30, 01, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 67 805D1949 62 Bytes [10, 75, 05, 83, 27, 00, EB, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + A6 805D1988 9 Bytes [8B, 45, FC, 5F, 5E, 5B, C9, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + D 805D19A5 47 Bytes [B8, D0, 00, 00, 00, 5D, C2, ...] PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 3D 805D19D5 23 Bytes CALL 805D7ABA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 55 805D19ED 3 Bytes CALL 805264CB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 59 805D19F1 238 Bytes CALL 805D78CB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 148 805D1AE0 34 Bytes [08, 00, 00, 00, 56, E8, E0, ...] PAGE ... 
PAGE ntkrnlpa.exe!PsGetProcessExitTime + 66 805D1F80 6 Bytes [EC, 83, EC, 0C, 83, 4D] PAGE ntkrnlpa.exe!PsGetProcessExitTime + 6D 805D1F87 31 Bytes [FF, 53, 56, 57, 33, FF, C7, ...] PAGE ntkrnlpa.exe!PsGetProcessExitTime + 8E 805D1FA8 49 Bytes [74, 11, F6, 86, 48, 02, 00, ...] PAGE ntkrnlpa.exe!PsGetProcessExitTime + C1 805D1FDB 1 Byte [8D] PAGE ntkrnlpa.exe!PsGetProcessExitTime + C1 805D1FDB 164 Bytes [8D, 45, F4, 50, 57, 57, 57, ...] PAGE ... PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 2 805D273A 142 Bytes [55, 8B, EC, 51, 56, 64, A1, ...] PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 91 805D27C9 3 Bytes CALL 805D206B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 95 805D27CD 21 Bytes [5D, C2, 14, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + AB 805D27E3 12 Bytes [FF, 75, 08, 8B, 7D, 0C, 6A, ...] PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + B8 805D27F0 4 Bytes [68, F8, FF, 5E] PAGE ... PAGE ntkrnlpa.exe!ZwTerminateProcess + 2 805D2984 5 Bytes [55, 8B, EC, 83, EC] PAGE ntkrnlpa.exe!ZwTerminateProcess + 8 805D298A 31 Bytes [53, 56, 57, 64, A1, 24, 01, ...] PAGE ntkrnlpa.exe!ZwTerminateProcess + 28 805D29AA 30 Bytes [FF, C6, 45, FF, 00, 8A, 87, ...] PAGE ntkrnlpa.exe!ZwTerminateProcess + 47 805D29C9 20 Bytes CALL 805BB47F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwTerminateProcess + 5C 805D29DE 4 Bytes [8D, 86, 48, 02] PAGE ... PAGE ntkrnlpa.exe!ZwTerminateThread + 21 805D2B9D 6 Bytes [01, 75, 43, B8, DB, 00] PAGE ntkrnlpa.exe!ZwTerminateThread + 28 805D2BA4 62 Bytes [C0, EB, 5B, 83, 7D, 08, FE, ...] 
PAGE ntkrnlpa.exe!ZwTerminateThread + 67 805D2BE3 18 Bytes CALL 805D2856 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwTerminateThread + 7A 805D2BF6 1 Byte [FF] PAGE ntkrnlpa.exe!ZwTerminateThread + 7A 805D2BF6 51 Bytes [FF, 8B, CB, 8B, F8, E8, 9A, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 1C 805D2C2A 7 Bytes [75, 08, 50, E8, 28, FC, FF] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 24 805D2C32 20 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 39 805D2C47 96 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 9A 805D2CA8 60 Bytes [00, 3B, 35, B4, 39, 56, 80, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + D7 805D2CE5 6 Bytes CALL 805264C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 4B 805D3051 13 Bytes [86, D4, 00, 00, 00, 75, 13, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 59 805D305F 16 Bytes [B1, 01, C6, 46, 49, 01, FF, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 6A 805D3070 36 Bytes [00, C0, 74, 3F, 80, 3F, 06, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 8F 805D3095 11 Bytes [45, 0C, 85, C0, 74, 0D, 8B, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 9B 805D30A1 57 Bytes CALL 805264C8 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 19 805D30DB 61 Bytes [35, C0, 39, 56, 80, E8, A7, ...] PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 57 805D3119 4 Bytes [35, C0, 39, 56] PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 5C 805D311E 62 Bytes CALL 8060D8A4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + F 805D315D 1 Byte [08] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + F 805D315D 9 Bytes [08, 8B, F0, FF, 8E, D4, 00, ...] 
PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 19 805D3167 71 Bytes [35, C0, 39, 56, 80, E8, 1B, ...] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 61 805D31AF 5 Bytes [5F, FF, 86, D4, 00] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 68 805D31B6 6 Bytes [75, 13, 8D, 46, 34, 39] PAGE ... PAGE ntkrnlpa.exe!ZwSetLdtEntries + B 805D38AF 33 Bytes [CC, CC, CC, CC, CC, 6A, 34, ...] PAGE ntkrnlpa.exe!ZwSetLdtEntries + 2D 805D38D1 30 Bytes [7D, 0C, 10, 73, 0A, B8, 04, ...] PAGE ntkrnlpa.exe!ZwSetLdtEntries + 4C 805D38F0 11 Bytes [D8, 89, 5D, D8, 85, DB, 75, ...] PAGE ntkrnlpa.exe!ZwSetLdtEntries + 58 805D38FC 28 Bytes JMP 805D3B84 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSetLdtEntries + 75 805D3919 16 Bytes [E1, 03, F3, A4, 83, 4D, FC, ...] PAGE ... PAGE ntkrnlpa.exe!ZwSuspendThread + 7 805D489B 1 Byte [E8] PAGE ntkrnlpa.exe!ZwSuspendThread + 7 805D489B 43 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSuspendThread + 33 805D48C7 147 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...] PAGE ntkrnlpa.exe!ZwResumeThread + 1 805D495B 5 Bytes [20, 68, 18, AA, 4D] {AND [EAX+0x18], CH; STOSB ; DEC EBP} PAGE ntkrnlpa.exe!ZwResumeThread + 7 805D4961 249 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSuspendProcess + 3A 805D4A5C 21 Bytes CALL 805D4841 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSuspendProcess + 50 805D4A72 7 Bytes [00, CC, CC, CC, CC, CC, 8B] PAGE ntkrnlpa.exe!ZwResumeProcess + 2 805D4A7A 54 Bytes [55, 8B, EC, 51, 56, 64, A1, ...] PAGE ntkrnlpa.exe!ZwResumeProcess + 3A 805D4AB2 28 Bytes CALL 805D46F3 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertThread + 1 805D4ACF 9 Bytes [FF, 55, 8B, EC, 51, 64, A1, ...] 
PAGE ntkrnlpa.exe!ZwAlertThread + B 805D4AD9 29 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] PAGE ntkrnlpa.exe!ZwAlertThread + 29 805D4AF7 28 Bytes CALL 805BB482 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertThread + 47 805D4B15 59 Bytes [C9, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!ZwAlertResumeThread + 33 805D4B51 31 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...] PAGE ntkrnlpa.exe!ZwAlertResumeThread + 53 805D4B71 29 Bytes CALL 805BB481 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertResumeThread + 71 805D4B8F 35 Bytes [FC, 01, 00, 00, 00, 3B, F3, ...] PAGE ntkrnlpa.exe!ZwAlertResumeThread + 95 805D4BB3 4 Bytes CALL 8059993B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertResumeThread + 9A 805D4BB8 132 Bytes [45, DC, EB, 18, 8B, 45, EC, ...] PAGE ntkrnlpa.exe!ZwTestAlert + 5B 805D4C3D 18 Bytes [00, 00, 10, 53, 74, 60, 64, ...] PAGE ntkrnlpa.exe!ZwTestAlert + 6F 805D4C51 54 Bytes [6A, 02, 8D, 4E, 6C, 5A, 33, ...] PAGE ntkrnlpa.exe!ZwTestAlert + A6 805D4C88 26 Bytes [FF, 83, D4, 00, 00, 00, 75, ...] PAGE ntkrnlpa.exe!ZwTestAlert + C1 805D4CA3 40 Bytes [F6, 87, 98, 00, 00, 00, 01, ...] PAGE ntkrnlpa.exe!ZwTestAlert + EB 805D4CCD 93 Bytes [00, 01, 74, 0E, 8B, 87, 38, ...] PAGE ... PAGE ntkrnlpa.exe!ZwIsProcessInJob + 11 805D51B3 51 Bytes [00, 6A, 00, 88, 45, FC, 8D, ...] PAGE ntkrnlpa.exe!ZwIsProcessInJob + 46 805D51E8 49 Bytes [8B, 87, 34, 01, 00, 00, 85, ...] PAGE ntkrnlpa.exe!ZwIsProcessInJob + 78 805D521A 17 Bytes [6A, 00, 8D, 45, FC, 50, FF, ...] {PUSH 0x0; LEA EAX, [EBP-0x4]; PUSH EAX; PUSH DWORD [EBP-0x4]; PUSH DWORD [0x80563940]; PUSH 0x4} PAGE ntkrnlpa.exe!ZwIsProcessInJob + 8A 805D522C 34 Bytes CALL 805BB480 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwIsProcessInJob + AD 805D524F 40 Bytes [75, 13, 8B, 75, 08, 8B, CE, ...] PAGE ... 
PAGE ntkrnlpa.exe!ZwCreateJobSet + 5A 805D5338 6 Bytes [00, 8A, 80, 40, 01, 00] {ADD [EDX+0x14080], CL} PAGE ntkrnlpa.exe!ZwCreateJobSet + 61 805D533F 48 Bytes [88, 45, D8, 89, 5D, FC, 3C, ...] PAGE ntkrnlpa.exe!ZwCreateJobSet + 92 805D5370 64 Bytes [CE, 8B, 75, 0C, 8B, C1, C1, ...] PAGE ntkrnlpa.exe!ZwCreateJobSet + D3 805D53B1 114 Bytes [35, 40, 39, 56, 80, 6A, 04, ...] PAGE ntkrnlpa.exe!ZwCreateJobSet + 148 805D5426 109 Bytes [75, 40, 3B, DE, 74, 21, 3B, ...] PAGE ... PAGE ntkrnlpa.exe!ZwCreateJobObject + 11 805D55B7 38 Bytes [00, 89, 45, D8, 8A, 80, 40, ...] PAGE ntkrnlpa.exe!ZwCreateJobObject + 38 805D55DE 32 Bytes [01, 89, 19, 83, 4D, FC, FF, ...] PAGE ntkrnlpa.exe!ZwCreateJobObject + 59 805D55FF 86 Bytes CALL 805C135F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwCreateJobObject + B0 805D5656 55 Bytes [01, 00, 00, 01, C6, 86, 5A, ...] PAGE ntkrnlpa.exe!ZwCreateJobObject + E8 805D568E 23 Bytes CALL 80535705 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwOpenJobObject + 3A 805D5766 108 Bytes [EB, 16, 8B, 45, EC, 8B, 00, ...] PAGE ntkrnlpa.exe!ZwOpenJobObject + A7 805D57D3 22 Bytes [FF, 55, 8B, EC, 83, EC, 20, ...] PAGE ntkrnlpa.exe!ZwOpenJobObject + BE 805D57EA 54 Bytes [8B, D8, FF, 8B, D4, 00, 00, ...] PAGE ntkrnlpa.exe!ZwOpenJobObject + F6 805D5822 4 Bytes [F6, 86, 98, 00] PAGE ntkrnlpa.exe!ZwOpenJobObject + FC 805D5828 38 Bytes [08, 8B, 86, 80, 00, 00, 00, ...] PAGE ... PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 4 805D5C02 30 Bytes [00, 68, 98, AA, 4D, 80, E8, ...] PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 23 805D5C21 13 Bytes [4D, 0C, 83, F9, 0B, 0F, 8D, ...] {DEC EBP; OR AL, 0x83; STC ; OR ECX, [EDI]; LEA EAX, [EBP+0x3b000008]; RETF } PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 31 805D5C2F 64 Bytes [8E, 7D, 08, 00, 00, 8B, 04, ...] PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 72 805D5C70 12 Bytes [88, 85, 20, FF, FF, FF, 84, ...] 
PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 7F 805D5C7D 27 Bytes [52, 57, 8B, 7D, 10, 57, E8, ...] PAGE ... PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 66 805D6648 48 Bytes [00, 0D, 01, 01, 00, 00, 50, ...] PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 97 805D6679 25 Bytes [8D, 87, CC, 00, 00, 00, 53, ...] PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + B3 805D6695 28 Bytes CALL 805CED64 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + D0 805D66B2 122 Bytes CALL 805C5EA9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 14B 805D672D 46 Bytes CALL 80526697 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 3D 805D6949 46 Bytes [8D, BD, 7C, FF, FF, FF, AB, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 6D 805D6979 16 Bytes [8B, 04, 9D, C0, F0, 67, 80, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 7E 805D698A 44 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + AB 805D69B7 36 Bytes [8B, 45, 14, 03, C6, 3B, C6, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + D1 805D69DD 4 Bytes JMP 805D7491 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwTerminateJobObject + 17 805D74B7 58 Bytes [88, 45, FC, 8D, 45, 08, 50, ...] PAGE ntkrnlpa.exe!ZwTerminateJobObject + 52 805D74F2 197 Bytes CALL 805D656A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwTerminateJobObject + 118 805D75B8 28 Bytes [8D, 9F, 44, 02, 00, 00, 8B, ...] PAGE ntkrnlpa.exe!ZwTerminateJobObject + 136 805D75D6 33 Bytes [00, 02, 74, 6A, 3B, 96, 8C, ...] PAGE ntkrnlpa.exe!ZwTerminateJobObject + 158 805D75F8 14 Bytes CALL 805D2AFA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... 
PAGE ntkrnlpa.exe!ZwImpersonateThread + 43 805D77E5 55 Bytes [00, A1, 34, 21, 56, 80, 3B, ...] PAGE ntkrnlpa.exe!ZwImpersonateThread + 7B 805D781D 40 Bytes [85, C0, 0F, 8C, 91, 00, 00, ...] PAGE ntkrnlpa.exe!ZwImpersonateThread + A4 805D7846 35 Bytes [F0, EB, 47, 8D, 45, A8, 50, ...] PAGE ntkrnlpa.exe!ZwImpersonateThread + C8 805D786A 114 Bytes [F2, 01, 00, 8B, F0, FF, 75, ...] PAGE ntkrnlpa.exe!IoDeleteController + 11 805D78DD 44 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!IoDeleteController + 3F 805D790B 55 Bytes CALL 8052665B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!IoDeleteController + 77 805D7943 47 Bytes [65, FC, 00, 53, 56, 57, 64, ...] PAGE ntkrnlpa.exe!IoDeleteController + A7 805D7973 31 Bytes CALL 8052665B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!IoDeleteController + C7 805D7993 47 Bytes [B1, 01, C6, 46, 49, 01, FF, ...] PAGE ... PAGE ntkrnlpa.exe!LdrEnumResources + A 805D8B4E 52 Bytes [33, FF, 39, 7D, 18, 89, 7D, ...] PAGE ntkrnlpa.exe!LdrEnumResources + 40 805D8B84 44 Bytes JMP 805D8D7B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!LdrEnumResources + 6D 805D8BB1 12 Bytes [00, 83, 7D, 10, 00, 76, 14, ...] {ADD [EBX+0x7600107d], AL; ADC AL, 0x8b; INC EBP; OR AL, 0x53; PUSH ESI} PAGE ntkrnlpa.exe!LdrEnumResources + 7A 805D8BBE 47 Bytes CALL 805D87B3 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!LdrEnumResources + AA 805D8BEE 46 Bytes [FF, FF, 7F, 23, CB, 03, CE, ...] PAGE ... 
PAGE ntkrnlpa.exe!LdrFindResource_U + 14 805D8DB2 3 Bytes CALL 805D8825 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!LdrFindResource_U + 18 805D8DB6 2 Bytes [5D, C2] PAGE ntkrnlpa.exe!LdrFindResource_U + 1B 805D8DB9 7 Bytes [00, CC, CC, CC, CC, CC, CC] {ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 1 805D8DC1 21 Bytes [FF, 55, 8B, EC, FF, 75, 14, ...] PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 17 805D8DD7 4 Bytes [FF, 5D, C2, 10] PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 1C 805D8DDC 24 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 13 805D8DF5 5 Bytes [00, 0F, 85, D2, 01] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 1B 805D8DFD 210 Bytes [5D, 18, 3B, FB, 73, 02, 8B, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + EE 805D8ED0 203 Bytes [34, 71, 66, 89, 70, 26, 0F, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 1BA 805D8F9C 126 Bytes [34, 71, 66, 89, 70, 04, 0F, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 239 805D901B 59 Bytes [35, 04, C5, 67, 80, 66, 8B, ...] PAGE ... PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 69 805D9139 7 Bytes [59, 1A, 0F, B6, 58, 0C, 66] {POP ECX; SBB CL, [EDI]; MOV DH, 0x58; OR AL, 0x66} PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 71 805D9141 95 Bytes [1C, 5A, 66, 89, 59, 18, 0F, ...] PAGE ntkrnlpa.exe!RtlOemToUnicodeN + D1 805D91A1 15 Bytes [1C, 5A, 66, 89, 59, 08, 0F, ...] PAGE ntkrnlpa.exe!RtlOemToUnicodeN + E1 805D91B1 183 Bytes [59, 06, 0F, B6, 58, 02, 66, ...] PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 199 805D9269 282 Bytes [18, 5F, 1B, C0, 5E, 25, 05, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 22 805D9384 1 Byte [D6] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 22 805D9384 222 Bytes [D6, 8B, 45, 10, 85, C0, 74, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 101 805D9463 78 Bytes [FF, FF, EB, 4E, 85, F6, 8B, ...] 
PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 150 805D94B2 11 Bytes [08, 89, 01, 5F, 5E, 33, C0, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 15C 805D94BE 19 Bytes [5A, 94, 5D, 80, 50, 94, 5D, ...] {POP EDX; XCHG ESP, EAX; POP EBP; ADC BYTE [EAX-0x6c], 0x5d; ADD BYTE [ESI-0x6c], 0x5d; CMP BYTE [ESP+EDX*4], 0x5d; XOR BYTE [EDX], 0x94; POP EBP} PAGE ... PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 29 805D952D 48 Bytes [45, 10, 85, C0, 89, 4D, 0C, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 5A 805D955E 217 Bytes [01, 8B, 15, 04, C5, 67, 80, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 134 805D9638 69 Bytes [B7, 4F, E4, 0F, B6, 0C, 01, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 17A 805D967E 45 Bytes [83, E3, 0F, 03, F3, 0F, B7, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 1A8 805D96AC 33 Bytes [C5, 67, 80, 0F, B7, 0C, 4A, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 11 805D9D61 19 Bytes [56, 57, 89, 55, 18, 0F, 85, ...] {PUSH ESI; PUSH EDI; MOV [EBP+0x18], EDX; JNZ 0xf7; CMP EDX, [EBP+0xc]; JB 0x13; MOV EDX, [EBP+0xc]} PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 25 805D9D75 38 Bytes [45, 10, 85, C0, 74, 02, 89, ...] PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 4C 805D9D9C 18 Bytes [0F, 77, 07, FF, 24, BD, BD, ...] PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 5F 805D9DAF 65 Bytes [20, 83, C1, 10, 88, 59, FF, ...] PAGE ntkrnlpa.exe!RtlUnicodeToOemN + A1 805D9DF1 79 Bytes [B7, 58, 0C, 8A, 1C, 33, 88, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 29 805D9F2B 9 Bytes [45, 10, 85, C0, 89, 4D, FC, ...] {INC EBP; ADC [EBP-0x3b27640], AL; JZ 0xb} PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 33 805D9F35 32 Bytes [08, 8B, 55, 14, A1, 20, C7, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 54 805D9F56 67 Bytes [0F, B7, 0F, 0F, B6, 0C, 01, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 98 805D9F9A 161 Bytes [B7, D6, 8B, FA, C1, EF, 08, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 13A 805DA03C 17 Bytes [01, 8B, 15, 1C, C7, 67, 80, ...] PAGE ... 
PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 4 805DA840 88 Bytes [EC, 53, 8B, 5D, 08, 56, 57, ...] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 5D 805DA899 45 Bytes [0F, B6, 58, 0D, 66, 8B, 1C, ...] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 8B 805DA8C7 83 Bytes [59, 14, 0F, B6, 58, 09, 66, ...] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + DF 805DA91B 7 Bytes [59, 06, 0F, B6, 58, 02, 66] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + E7 805DA923 187 Bytes [1C, 5A, 66, 89, 59, 04, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 49 805DAA69 26 Bytes [FF, 0F, 77, 07, FF, 24, BD, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 64 805DAA84 54 Bytes [0F, B7, 18, 8A, 1C, 33, 88, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 9B 805DAABB 53 Bytes [88, 59, 05, 0F, B7, 58, 0C, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + D1 805DAAF1 63 Bytes [B7, 58, 16, 8A, 1C, 33, 88, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 111 805DAB31 8 Bytes [74, 38, 83, 7D, 10, 00, 74, ...] {JZ 0x3a; CMP DWORD [EBP+0x10], 0x0; JZ 0x3a} PAGE ... PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 2 805DABD2 40 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 2C 805DABFC 54 Bytes [14, 85, C0, 89, 55, 08, 74, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 63 805DAC33 45 Bytes [45, 0C, 10, 83, C1, 20, 66, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 91 |
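Editor's note between the two halves of the log: the script below is an added example, written for this page; it is not the poster's code and not part of GMER. It parses the `PAGE <module>!<symbol> + <offset> <address> <n> Bytes ...` entries that GMER prints under "Kernel code sections" when kernel code in memory differs from the on-disk image, and narrows a long listing down to the entries a responder reads first: inline JMP/CALL transfers whose target GMER did not attribute to any loaded module, and targets below 0x80000000, which on a default x86 2 GB/2 GB split is a user-mode address (assumption: on a /3GB system the boundary is 0xC0000000). The sample input copies nine lines from the log above. The script does not decide whether an entry is a rootkit hook or a scanner artifact; it only shortens the list that a helper has to look at.

```python
"""Triage helper for the 'Kernel code sections' part of a GMER log.

Added example for this page, not the poster's code and not a GMER feature.
Entries that GMER annotates with a module path (e.g. '... JMP 805DC301
\\WINDOWS\\system32\\ntkrnlpa.exe (...)') are transfers inside the kernel
image itself; entries without such an annotation are the ones to inspect.
"""
import re
from collections import Counter

# Sample input: nine lines copied from the GMER log on this page.
SAMPLE_LOG = r"""
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B4 805DB9B0 2 Bytes [19, EB] {SBB EBX, EBP}
PAGE ntkrnlpa.exe!PfxRemovePrefix + 1D9 805DB86B 1 Byte [85]
PAGE ...
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 15 805DC1C5 75 Bytes JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + AF 805DBECF 107 Bytes CALL 805DBACA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 4A 805E1914 28 Bytes JMP 08558959
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 9B 805E231D 110 Bytes CALL C17AAC88
PAGE ntkrnlpa.exe!RtlIntegerToChar + 1B 805E5F53 112 Bytes CALL C888D358
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString 805E26DA 25 Bytes [8B, FF, 55, 8B, EC, 53, 33, ...]
"""

# Assumption: default x86 2 GB/2 GB split. With /3GB the kernel starts at 0xC0000000.
KERNEL_BASE = 0x80000000

# One PAGE record. After '<n> Bytes' GMER prints either a control transfer
# ('JMP'/'CALL <target> [<module path> (<description>)]') or a byte list,
# optionally followed by a disassembly in braces.
PAGE_RE = re.compile(
    r"^PAGE\s+(?P<module>\S+?)!(?P<symbol>\w+)"
    r"(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?"
    r"(?:\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_mod>\\\S+)(?:\s+\((?P<desc>[^)]*)\))?)?)?"
    r"(?:\s+\[(?P<bytes>[^\]]*)\])?"
    r"(?:\s+\{(?P<disasm>[^}]*)\})?"
    r"\s*$"
)


def parse_page_entries(text):
    """Return one dict per PAGE line; GMER's 'PAGE ...' ellipsis lines are skipped.

    Lines that do not match the expected shape (e.g. an entry cut in half by a
    forum post boundary) are kept with parsed=False so nothing is silently lost.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("PAGE ") or line == "PAGE ...":
            continue
        m = PAGE_RE.match(line)
        if not m:
            records.append({"parsed": False, "raw": line})
            continue
        d = m.groupdict()
        records.append({
            "parsed": True,
            "raw": line,
            "module": d["module"],
            "symbol": d["symbol"],
            "offset": int(d["offset"], 16) if d["offset"] else 0,
            "addr": int(d["addr"], 16),
            "size": int(d["size"]),
            "kind": d["kind"],                                   # 'JMP', 'CALL' or None
            "target": int(d["target"], 16) if d["target"] else None,
            "target_mod": d["target_mod"],                       # None when GMER gave no module
            "bytes": [b.strip() for b in d["bytes"].split(",")] if d["bytes"] else [],
            "disasm": d["disasm"],
        })
    return records


def flag_transfers(records):
    """Return (symbol, kind, target_hex, reasons) for the transfers worth a second look."""
    flagged = []
    for r in records:
        if not r["parsed"] or r["kind"] is None:
            continue
        reasons = []
        if r["target_mod"] is None:
            reasons.append("target not attributed to any loaded module")
        if r["target"] < KERNEL_BASE:
            reasons.append("target lies in user-mode address range")
        if reasons:
            flagged.append((r["symbol"], r["kind"], f"{r['target']:08X}", reasons))
    return flagged


def modified_bytes_per_function(records):
    """Sum the reported byte counts per module!symbol, to see which functions differ most."""
    counts = Counter()
    for r in records:
        if r["parsed"]:
            counts[f"{r['module']}!{r['symbol']}"] += r["size"]
    return counts


if __name__ == "__main__":
    recs = parse_page_entries(SAMPLE_LOG)
    for symbol, kind, target, reasons in flag_transfers(recs):
        print(f"{symbol}: {kind} {target}  <- {'; '.join(reasons)}")
    for name, total in modified_bytes_per_function(recs).most_common(3):
        print(f"{total:5d} bytes differ in {name}")
```

Run it against a complete log saved from GMER (replace `SAMPLE_LOG` with the file contents); the three unattributed targets in the sample are exactly the kind of entry to raise with the helper, while the transfers annotated with `\WINDOWS\system32\ntkrnlpa.exe` are ordinary intra-kernel jumps and calls.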
GMER Part 2:
805DAC61 3 Bytes [DF, C1, EB] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 95 805DAC65 417 Bytes [0F, B7, 1C, 5A, 89, 7D, 18, ...] PAGE ... PAGE ntkrnlpa.exe!RtlInitCodePageTable + 61 805DB4A1 63 Bytes [33, F6, 66, 39, 32, 74, 08, ...] PAGE ntkrnlpa.exe!RtlInitCodePageTable + A1 805DB4E1 56 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!RtlInitCodePageTable + DA 805DB51A 8 Bytes [14, 8D, 46, 2C, 50, FF, 75, ...] {ADC AL, 0x8d; INC ESI; SUB AL, 0x50; PUSH DWORD [EBP+0x8]} PAGE ntkrnlpa.exe!RtlInitCodePageTable + E3 805DB523 34 Bytes [19, FF, FF, FF, 56, FF, 75, ...] PAGE ntkrnlpa.exe!RtlInitCodePageTable + 106 805DB546 105 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...] PAGE ... PAGE ntkrnlpa.exe!RtlGetDefaultCodePage + 26 805DB672 14 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...] PAGE ntkrnlpa.exe!PfxInitialize + D 805DB681 118 Bytes [66, C7, 00, 00, 02, 89, 40, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 66 805DB6F8 35 Bytes [01, 02, 89, 41, 04, 8B, 4E, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 8A 805DB71C 138 Bytes [57, 8B, 7D, 08, 0F, B7, 17, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 115 805DB7A7 169 Bytes [D8, 0F, B7, D1, 89, 5D, F0, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 1BF 805DB851 25 Bytes [F8, 72, E1, 8B, 7D, 0C, 39, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 1D9 805DB86B 1 Byte [85] PAGE ... PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 2 805DB8DC 20 Bytes [55, 8B, EC, 8B, 45, 08, 66, ...] PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 17 805DB8F1 46 Bytes [40, 04, 5D, C2, 04, 00, CC, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 25 805DB921 142 Bytes [7E, 23, 81, F9, 03, 08, 00, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B4 805DB9B0 2 Bytes [19, EB] {SBB EBX, EBP} PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B7 805DB9B3 57 Bytes [83, C0, 0C, 8B, F0, EB, 02, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + F1 805DB9ED 20 Bytes [83, C0, F4, EB, 03, 8B, 49, ...] 
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 106 805DBA02 113 Bytes [8B, 4E, 04, 89, 48, 04, 83, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 58 805DBA74 45 Bytes [F7, EB, 18, 8B, 46, 04, 66, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 86 805DBAA2 212 Bytes [55, 8B, EC, 8B, 55, 08, 0F, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 15B 805DBB77 45 Bytes [00, 00, A1, F0, C2, 67, 80, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 189 805DBBA5 240 Bytes [75, 10, EB, 3A, 66, 83, 7D, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 27A 805DBC96 42 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!PfxInsertPrefix + 25 805DBCC1 395 Bytes [83, 66, 08, 00, 89, 36, 8B, ...] PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 2D 805DBE4D 109 Bytes [59, 04, 89, 4D, FC, EB, 06, ...] PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 9B 805DBEBB 19 Bytes [83, F8, 02, 75, C4, 8B, 7D, ...] {CMP EAX, 0x2; JNZ 0xffffffffffffffc9; MOV EDI, [EBP+0x10]; MOV [EBP+0x8], EDI; MOV EAX, [EBP+0x8]; PUSH -0x1; PUSH DWORD [EBP+0xc]} PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + AF 805DBECF 107 Bytes CALL 805DBACA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 11B 805DBF3B 19 Bytes CALL 8052D134 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 12F 805DBF4F 47 Bytes [70, 04, B0, 01, 5F, 5E, 5B, ...] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 1F 805DBF7F 29 Bytes [76, 04, 66, 39, 46, 02, 7F, ...] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 3D 805DBF9D 4 Bytes [FF, 83, F8, 03] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 1 Byte [05] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 39 Bytes [05, 8B, 5B, 04, EB, 07, 85, ...] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 6A 805DBFCA 25 Bytes [FF, 83, F8, 02, 74, 55, 83, ...] PAGE ... 
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 15 805DC1C5 75 Bytes JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 61 805DC211 27 Bytes [00, 00, 8B, 7D, 18, 8B, 5D, ...] PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 7D 805DC22D 65 Bytes [00, 00, 8B, 7D, FC, 3B, 3A, ...] PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + BF 805DC26F 34 Bytes [00, 00, 51, 50, 57, E8, 37, ...] PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + E3 805DC293 105 Bytes CALL 8053A8AC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!RtlAbsoluteToSelfRelativeSD + 11 805DC43B 126 Bytes [00, C0, EB, 0C, FF, 75, 10, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + 66 805DC4BA 4 Bytes [C6, 45, E7, 02] {MOV BYTE [EBP-0x19], 0x2} PAGE ntkrnlpa.exe!RtlCreateAcl + 6B 805DC4BF 10 Bytes [7D, 08, 8A, 07, 3C, 02, 0F, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + 77 805DC4CB 76 Bytes [3C, 04, 0F, 87, E3, 01, 00, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + C4 805DC518 104 Bytes [83, 99, 01, 00, 00, 8D, 48, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + 12D 805DC581 31 Bytes [B6, C0, 8D, 04, 85, 10, 00, ...] PAGE ... PAGE ntkrnlpa.exe!RtlGetAce + 4 805DC6CE 97 Bytes [EC, 8B, 4D, 08, 8A, 01, 3C, ...] PAGE ntkrnlpa.exe!RtlGetAce + 66 805DC730 227 Bytes [00, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlGetAce + 14C 805DC816 60 Bytes [8B, FF, 55, 8B, EC, 56, 8B, ...] PAGE ntkrnlpa.exe!RtlGetAce + 189 805DC853 199 Bytes [3F, 0F, B7, 4E, 04, 8B, 45, ...] PAGE ntkrnlpa.exe!RtlAddAce + 7B 805DC91D 63 Bytes [85, C0, 74, 52, 0F, B7, 4E, ...] PAGE ntkrnlpa.exe!RtlAddAce + BB 805DC95D 24 Bytes [45, 0C, 66, 01, 46, 04, 8A, ...] PAGE ntkrnlpa.exe!RtlAddAce + D4 805DC976 24 Bytes [00, C0, 5F, 5B, 5E, C9, C2, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + B 805DC98F 25 Bytes [17, FB, FF, FF, 84, C0, 74, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + 25 805DC9A9 110 Bytes [FF, 84, C0, 75, 07, B8, 0D, ...] 
PAGE ntkrnlpa.exe!RtlDeleteAce + 94 805DCA18 31 Bytes [4D, 0C, 83, F9, 04, 0F, 87, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + B4 805DCA38 6 Bytes [02, 75, 05, 25, 3F, FF] PAGE ntkrnlpa.exe!RtlDeleteAce + BB 805DCA3F 51 Bytes [FF, 85, C0, 74, 0A, B8, 0D, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAddAccessAllowedAce + 1D 805DCAFD 40 Bytes [00, CC, CC, CC, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 24 805DCB28 110 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 93 805DCB97 140 Bytes [88, D4, 00, 00, 00, 6A, 02, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 120 805DCC24 47 Bytes [B0, 01, EB, 02, 32, C0, 5D, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 150 805DCC54 76 Bytes [EC, 8B, 45, 0C, 56, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 19D 805DCCA1 18 Bytes [70, 08, 89, 75, F8, E8, 7F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCreateAtomTable + 55 805DCD61 21 Bytes [F3, AA, 56, 89, 5E, 0C, E8, ...] PAGE ntkrnlpa.exe!RtlCreateAtomTable + 6B 805DCD77 96 Bytes [C7, 06, 41, 74, 6F, 6D, 89, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 3A 805DCDD8 35 Bytes [37, 89, 75, D8, 83, 27, 00, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 5E 805DCDFC 58 Bytes [EB, E7, FF, 45, E4, EB, CC, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 99 805DCE37 17 Bytes [89, 45, E0, 83, 4D, FC, FF, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + AB 805DCE49 51 Bytes [CC, CC, CC, CC, CC, 6A, 20, ...] PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 1 Byte [75] PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 10 Bytes [75, E0, 8B, 45, E0, 3B, 43, ...] {JNZ 0xffffffffffffffe2; MOV EAX, [EBP-0x20]; CMP EAX, [EBX+0xc]; JAE 0x4b} PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3A 805DCE88 2 Bytes [7D, E4] {JGE 0xffffffffffffffe6} PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3D 805DCE8B 8 Bytes [7D, D8, 83, 45, E4, 04, 8B, ...] 
{JGE 0xffffffffffffffda; ADD DWORD [EBP-0x1c], 0x4; MOV ESI, [EDI]} PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 46 805DCE94 22 Bytes [75, D0, 85, F6, 74, 29, 80, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 13 805DD095 42 Bytes [FF, 84, C0, 75, 0A, B8, 0D, ...] PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 3E 805DD0C0 22 Bytes [72, 0C, 89, 7D, E0, C7, 45, ...] PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 55 805DD0D7 28 Bytes [84, 26, 01, 00, 00, 66, 8B, ...] PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 72 805DD0F4 5 Bytes JMP 805DD202 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 78 805DD0FA 26 Bytes [45, DC, 50, 8D, 45, D8, 50, ...] PAGE ... PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 30 805DD24E 3 Bytes CALL 805DCEFD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 34 805DD252 21 Bytes [84, C0, 74, 27, 66, 81, 7D, ...] PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 4A 805DD268 80 Bytes [EB, 03, 89, 7D, E4, 8B, 45, ...] PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 9B 805DD2B9 179 Bytes [89, 7D, E4, 8B, 45, 10, 3B, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 67 805DD36D 3 Bytes [FF, 48, 08] {DEC DWORD [EAX+0x8]} PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 6B 805DD371 59 Bytes [39, 58, 08, 75, 53, 53, 8D, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + A7 805DD3AD 9 Bytes [89, 5D, E4, EB, 17, 8B, 45, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + B2 805DD3B8 39 Bytes [00, 89, 45, D8, 33, C0, 40, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + DA 805DD3E0 25 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...] PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 14 805DD3FA 38 Bytes [84, C0, 75, 07, B8, 0D, 00, ...] PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 3B 805DD421 10 Bytes [00, 50, FF, 75, 08, E8, 25, ...] 
{ADD [EAX-0x1], DL; JNZ 0xd; CALL 0xfffffffffffff82f} PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 46 805DD42C 40 Bytes [45, DC, 3B, C7, 74, 35, 66, ...] PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 6F 805DD455 12 Bytes [8B, 00, 89, 45, E0, 33, C0, ...] {MOV EAX, [EAX]; MOV [EBP-0x20], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]} PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 7C 805DD462 31 Bytes [45, E0, 89, 45, E4, 83, 4D, ...] PAGE ... PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 4F 805DD4DB 6 Bytes [85, C0, 75, 0C, C7, 45] PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 56 805DD4E2 22 Bytes JMP 805DD614 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 6D 805DD4F9 14 Bytes [85, FF, 74, 06, C7, 07, 01, ...] PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 7C 805DD508 324 Bytes [0F, 84, 0A, 01, 00, 00, 0F, ...] PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 1C1 805DD64D 199 Bytes CALL 805DCB7A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInitializeRangeList + 33 805DD715 30 Bytes [56, 57, 8B, 7D, 08, 8D, 77, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + 53 805DD735 93 Bytes [00, 8B, 50, 04, 3B, 51, 04, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + B1 805DD793 114 Bytes [55, FC, 85, D2, 75, 16, 8B, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + 124 805DD806 200 Bytes [05, 89, 37, 89, 47, 04, 8B, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + 1ED 805DD8CF 23 Bytes [8B, 55, 08, 5F, 5E, 52, 53, ...] PAGE ntkrnlpa.exe!RtlFreeRangeList + 1 805DD8E7 6 Bytes [FF, 55, 8B, EC, 56, 57] {CALL [EBP-0x75]; IN AL, DX ; PUSH ESI; PUSH EDI} PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 1 Byte [7D] PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 7 Bytes [7D, 08, 8B, 0F, 83, 67, 08] PAGE ntkrnlpa.exe!RtlFreeRangeList + 10 805DD8F6 27 Bytes [83, 67, 0C, 00, 83, E9, 1C, ...] PAGE ntkrnlpa.exe!RtlFreeRangeList + 2C 805DD912 40 Bytes [8B, CE, 8D, 46, 1C, 8B, 30, ...] 
PAGE ntkrnlpa.exe!RtlGetFirstRange + F 805DD93B 164 Bytes [72, 10, 89, 71, 0C, 8B, 32, ...] PAGE ntkrnlpa.exe!RtlGetFirstRange + B4 805DD9E0 111 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlGetNextRange + 6A 805DDA50 176 Bytes [14, 8B, 45, 0C, 89, 59, 08, ...] PAGE ntkrnlpa.exe!RtlGetNextRange + 11B 805DDB01 77 Bytes [01, 89, 43, 04, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + 1B 805DDB4F 53 Bytes [43, 08, 89, 46, 08, 8B, 43, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + 51 805DDB85 14 Bytes [78, 1C, 3B, DF, 75, DA, 33, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + 60 805DDB94 25 Bytes CALL 805DD8E5 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlCopyRangeList + 7A 805DDBAE 121 Bytes [08, 8B, 46, 08, 85, C0, 57, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + F4 805DDC28 55 Bytes [48, 08, 3B, 4D, 0C, 72, 2F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlFindRange + 12 805DDC9A 25 Bytes [7D, 14, 48, 33, C9, 2B, F8, ...] PAGE ntkrnlpa.exe!RtlFindRange + 2C 805DDCB4 37 Bytes [1B, DA, 8B, 55, 10, 3B, D6, ...] PAGE ntkrnlpa.exe!RtlFindRange + 52 805DDCDA 18 Bytes [F1, 0F, 82, 0C, 01, 00, 00, ...] PAGE ntkrnlpa.exe!RtlFindRange + 65 805DDCED 19 Bytes [00, 00, 8B, 4D, 20, 03, 4D, ...] PAGE ntkrnlpa.exe!RtlFindRange + 79 805DDD01 29 Bytes [00, 77, 09, 3B, 4D, 0C, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2 805DE006 7 Bytes [55, 8B, EC, 83, EC, 10, 8D] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + B 805DE00F 35 Bytes [50, 8D, 45, F0, 50, FF, 75, ...] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2F 805DE033 46 Bytes [45, 1C, FF, 75, 24, 33, C9, ...] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 5E 805DE062 163 Bytes [FF, 8B, 4D, 2C, 88, 01, 33, ...] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 102 805DE106 69 Bytes [8B, 49, 20, 8B, 39, 8D, 72, ...] PAGE ... PAGE ntkrnlpa.exe!RtlMergeRangeLists + 1 805DE225 2 Bytes [FF, 55] PAGE ntkrnlpa.exe!RtlMergeRangeLists + 4 805DE228 157 Bytes [EC, 51, 53, 56, 57, FF, 75, ...] 
PAGE ntkrnlpa.exe!RtlMergeRangeLists + A2 805DE2C6 88 Bytes [FF, 85, C0, 74, 25, F6, 46, ...] PAGE ntkrnlpa.exe!RtlAddRange + 1B 805DE31F 123 Bytes [C0, EB, 5B, 56, FF, 75, 28, ...] PAGE ntkrnlpa.exe!RtlDeleteRange + 15 805DE39B 7 Bytes [32, 83, EE, 1C, 3B, DA, C7] PAGE ntkrnlpa.exe!RtlDeleteRange + 1D 805DE3A3 15 Bytes [F8, 8C, 02, 00, C0, 89, 75, ...] {CLC ; MOV WORD [EDX], ES; ADD AL, AL; MOV [EBP-0x4], ESI; JZ 0xf7; PUSH EDI} PAGE ntkrnlpa.exe!RtlDeleteRange + 2D 805DE3B3 1 Byte [03] PAGE ntkrnlpa.exe!RtlDeleteRange + 30 805DE3B6 15 Bytes [FC, 8B, 51, 04, 8B, 7D, 18, ...] PAGE ntkrnlpa.exe!RtlDeleteRange + 40 805DE3C6 119 Bytes [00, 77, 09, 39, 45, 14, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 51 805DE509 21 Bytes [CF, 8B, 7F, 1C, EB, C0, 8B, ...] PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 67 805DE51F 51 Bytes [68, 80, 65, 55, 80, 89, 50, ...] PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 9B 805DE553 62 Bytes [FC, 5F, 5E, 5B, C9, C2, 08, ...] PAGE ntkrnlpa.exe!RtlInvertRangeList + 32 805DE592 100 Bytes [6A, 00, 83, C2, FF, 83, D3, ...] PAGE ntkrnlpa.exe!RtlInvertRangeList + 97 805DE5F7 81 Bytes [CC, CC, CC, CC, CC, 6A, 30, ...] PAGE ntkrnlpa.exe!RtlZeroHeap + 4D 805DE649 23 Bytes [8B, 45, D8, 8B, 4D, DC, 8B, ...] PAGE ntkrnlpa.exe!RtlZeroHeap + 65 805DE661 10 Bytes [77, 20, 89, 75, E0, 3B, 77, ...] {JA 0x22; MOV [EBP-0x20], ESI; CMP ESI, [EDI+0x24]; JAE 0x6f} PAGE ntkrnlpa.exe!RtlZeroHeap + 71 805DE66D 142 Bytes [06, C1, E0, 03, 89, 45, C4, ...] PAGE ntkrnlpa.exe!RtlZeroHeap + 101 805DE6FD 38 Bytes CALL 8053BBD9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlZeroHeap + 128 805DE724 85 Bytes [55, 8B, EC, 83, EC, 0C, 56, ...] PAGE ... PAGE ntkrnlpa.exe!RtlDestroyHeap + 16 805DF1A2 91 Bytes JMP 805DF235 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlDestroyHeap + 72 805DF1FE 51 Bytes [00, 8D, 45, 08, 50, 8D, 45, ...] 
PAGE ntkrnlpa.exe!RtlDestroyHeap + A6 805DF232 52 Bytes [FF, 4E, 75, EE, 5E, 5B, 33, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + 23 805DF267 47 Bytes [0F, B7, 41, F8, 0F, B6, 49, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + 53 805DF297 88 Bytes [65, 6E, 74, 20, 28, 25, 78, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + AC 805DF2F0 38 Bytes [03, 89, 45, F4, 8D, 47, 08, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + D3 805DF317 5 Bytes [8D, 45, 1C, 50, 6A] PAGE ntkrnlpa.exe!RtlSizeHeap + D9 805DF31D 143 Bytes CALL 804FFE90 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!RtlCreateHeap + 19 805DF985 104 Bytes [89, 45, D8, F6, 45, 0B, 10, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + 82 805DF9EE 15 Bytes [C0, 40, C3, 8B, 65, E8, 8B, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + 92 805DF9FE 85 Bytes [D3, 0F, 8C, AE, 03, 00, 00, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + E8 805DFA54 57 Bytes [89, 45, B4, 53, 6A, 2C, 8D, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + 122 805DFA8E 19 Bytes [76, 07, C7, 45, BC, 00, F0, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAllocateHeap + 45 805E0CE1 50 Bytes [01, 41, 83, C1, 0F, 83, E1, ...] PAGE ntkrnlpa.exe!RtlAllocateHeap + 78 805E0D14 12 Bytes [83, 3B, 02, 00, 00, 8D, 84, ...] {CMP DWORD [EBX], 0x2; ADD [EAX], AL; LEA EAX, [ESI+EDI*8+0x178]} PAGE ntkrnlpa.exe!RtlAllocateHeap + 86 805E0D22 46 Bytes [D4, 39, 00, 0F, 84, DA, 00, ...] PAGE ntkrnlpa.exe!RtlAllocateHeap + B5 805E0D51 65 Bytes [F9, 8B, 4D, A8, 75, 08, 8B, ...] PAGE ntkrnlpa.exe!RtlAllocateHeap + F7 805E0D93 30 Bytes [0F, 8B, 4D, DC, 29, 4E, 28, ...] PAGE ... PAGE ntkrnlpa.exe!RtlFreeHeap + 5C 805E15CC 16 Bytes [00, 80, 7B, 07, 40, 0F, 83, ...] {ADD [EAX+0xf40077b], AL; CMP DWORD [EBX-0x7cffffff], 0x4d; CLD ; PUSH DWORD [EBX]} PAGE ntkrnlpa.exe!RtlFreeHeap + 6D 805E15DD 37 Bytes [40, 89, 45, FC, 84, C8, 75, ...] PAGE ntkrnlpa.exe!RtlFreeHeap + 93 805E1603 152 Bytes [45, E0, 57, 8D, 45, E0, 50, ...] PAGE ntkrnlpa.exe!RtlFreeHeap + 12C 805E169C 82 Bytes [00, 00, 81, F9, 00, FE, 00, ...] 
PAGE ntkrnlpa.exe!RtlFreeHeap + 17F 805E16EF 23 Bytes [08, 89, 50, 04, 89, 02, 89, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAnsiCharToUnicodeChar + C 805E17B2 76 Bytes [53, 56, 8B, 75, 08, 8B, 06, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 9 805E17FF 26 Bytes [56, 8B, 75, 0C, 66, 8B, 06, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 24 805E181A 30 Bytes [85, C0, 89, 47, 04, 75, 1A, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 43 805E1839 106 Bytes [00, 00, 0F, B7, 16, 6A, 00, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + AE 805E18A4 83 Bytes [B7, C0, 8B, 5F, 04, 66, 89, ...] PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 2E 805E18F8 5 Bytes [00, C0, E9, 93, 00] PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 34 805E18FE 21 Bytes [00, 66, 3B, 47, 02, 76, 0A, ...] PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 4A 805E1914 28 Bytes JMP 08558959 PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 67 805E1931 343 Bytes [77, 08, 0F, B7, C0, 83, C0, ...] PAGE ntkrnlpa.exe!RtlFreeOemString + 9 805E1A89 12 Bytes [40, 04, 85, C0, 74, 07, 50, ...] PAGE ntkrnlpa.exe!RtlFreeOemString + 16 805E1A96 34 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiSize + 19 805E1AB9 13 Bytes [45, 08, 40, 5D, C2, 04, 00, ...] {INC EBP; OR [EAX+0x5d], AL; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 1 805E1AC7 23 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 19 805E1ADF 8 Bytes [45, 08, 83, C0, 02, 5D, C2, ...] PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 22 805E1AE8 45 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 28 805E1B16 7 Bytes [C1, 03, C6, 80, 7D, 10, 00] {ROL DWORD [EBX], 0xc6; CMP BYTE [EBP+0x10], 0x0} PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 30 805E1B1E 23 Bytes [45, FC, 0F, 84, FE, 00, 00, ...] PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 48 805E1B36 283 Bytes [3A, 33, C0, 66, 8B, 06, 46, ...] 
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 18 805E1C52 32 Bytes [EE, 00, 00, 00, 8B, 71, 04, ...] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 39 805E1C73 3 Bytes [83, B3, 00] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 3E 805E1C78 4 Bytes [A1, F0, C2, 67] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 43 805E1C7D 19 Bytes [66, 8B, 16, 33, C9, 66, 8B, ...] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 58 805E1C92 63 Bytes [0F, 84, 8A, 00, 00, 00, 66, ...] PAGE ... PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + 5C 805E1DAE 132 Bytes [FA, 61, 73, 05, 0F, B7, D2, ...] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 1 Byte [5D] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 15 Bytes [5D, 0C, FF, 4D, 08, 0F, 85, ...] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + F1 805E1E43 10 Bytes [1B, 85, D2, 74, 15, 8B, C3, ...] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + FC 805E1E4E 60 Bytes [0F, 66, 8B, 34, 38, 47, 47, ...] PAGE ntkrnlpa.exe!RtlCreateUnicodeString + 1F 805E1E8B 126 Bytes [55, 08, 89, 42, 04, 74, 22, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + 48 805E1F0A 133 Bytes [53, 66, 8B, 16, 46, 46, 66, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + CE 805E1F90 42 Bytes [55, 8B, EC, 83, EC, 64, A1, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + FA 805E1FBC 13 Bytes [FF, 0F, 85, A6, 02, 00, 00, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + 108 805E1FCA 34 Bytes CALL 8052BB49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlHashUnicodeString + 12B 805E1FED 43 Bytes [56, 04, 8B, 4D, 08, 33, C0, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 1F 805E22A1 123 Bytes [8D, 44, 00, 02, 3D, FF, FF, ...] PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 9B 805E231D 110 Bytes CALL C17AAC88 PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + 58 805E238C 90 Bytes [27, B8, 17, 00, 00, C0, EB, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + B3 805E23E7 146 Bytes [46, 04, 8B, 4D, 0C, 88, 1C, ...] 
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToAnsiString + 7C 805E247A 136 Bytes [FF, 8B, F8, 3B, FB, 7D, 15, ...] PAGE ntkrnlpa.exe!RtlOemStringToUnicodeString + 55 805E2503 206 Bytes [00, C0, EB, 4D, 66, 3B, 4E, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToOemString + 72 805E25D2 65 Bytes [B7, 06, 50, FF, 76, 04, E8, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 4 805E2614 38 Bytes [EC, 80, 3D, 28, C7, 67, 80, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 2B 805E263B 120 Bytes JMP 805E26CD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + A4 805E26B4 36 Bytes [15, 24, FC, 67, 80, 83, 66, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString 805E26DA 25 Bytes [8B, FF, 55, 8B, EC, 53, 33, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 1A 805E26F4 8 Bytes [EB, 07, 0F, B7, 07, 8D, 44, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 23 805E26FD 146 Bytes [83, C0, FE, 3B, C3, 75, 11, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + B6 805E2790 7 Bytes [CC, CC, CC, CC, CC, CC, 8B] PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + 2 805E2798 9 Bytes [55, 8B, EC, 80, 3D, 28, C7, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + C 805E27A2 196 Bytes [53, 57, 8B, 7D, 0C, 74, 08, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString 805E286A 60 Bytes [8B, FF, 55, 8B, EC, 80, 3D, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 3D 805E28A7 17 Bytes [3D, FF, FF, 00, 00, 76, 07, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 4F 805E28B9 177 Bytes [56, 8B, 75, 08, 66, 89, 06, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 101 805E296B 95 Bytes [3C, 50, 2E, 74, 07, 42, 3B, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 161 805E29CB 60 Bytes [C0, EB, 13, FF, 75, 10, 8D, ...] 
PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 1 Byte [00] PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 7 Bytes [00, 00, 83, F0, 20, E9, F6] PAGE ntkrnlpa.exe!RtlUpperChar + 1E 805E2A12 5 Bytes [80, 3D, 10, C5, 67] PAGE ntkrnlpa.exe!RtlUpperChar + 24 805E2A18 10 Bytes [00, 56, 57, 75, 67, 8B, 0D, ...] PAGE ntkrnlpa.exe!RtlUpperChar + 2F 805E2A23 80 Bytes [0F, B6, C0, 0F, B7, 04, 41, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCompareString + 26 805E2B38 4 Bytes [C1, 80, 7D, 10] PAGE ntkrnlpa.exe!RtlCompareString + 2B 805E2B3D 303 Bytes [8D, 1C, 30, 74, 4E, EB, 28, ...] PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 1 Byte [4D] PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 117 Bytes [4D, 08, 66, 8B, 51, 02, 56, ...] PAGE ntkrnlpa.exe!RtlAppendAsciizToString + 35 805E2CE3 174 Bytes [00, C0, EB, 17, 51, 8B, 4E, ...] PAGE ntkrnlpa.exe!RtlValidSid + 34 805E2D92 45 Bytes CALL 805A7B1A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlValidSid + 62 805E2DC0 104 Bytes [02, 75, 58, 8A, 50, 03, 3A, ...] PAGE ntkrnlpa.exe!RtlLengthRequiredSid + 1 805E2E29 78 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlSubAuthoritySid + 2 805E2E78 45 Bytes [55, 8B, EC, 8B, 45, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlLengthSid + 6 805E2EA6 78 Bytes [45, 08, 0F, B6, 40, 01, 8D, ...] PAGE ntkrnlpa.exe!RtlCopySid + 39 805E2EF5 160 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...] PAGE ntkrnlpa.exe!RtlCopySid + DA 805E2F96 21 Bytes [FF, 3C, 01, 74, 07, B8, 78, ...] PAGE ntkrnlpa.exe!RtlCopySid + F0 805E2FAC 33 Bytes [75, 04, 6A, 0A, EB, 02, 6A, ...] PAGE ntkrnlpa.exe!RtlCopySid + 112 805E2FCE 3 Bytes [53, 00, 2D] PAGE ntkrnlpa.exe!RtlCopySid + 116 805E2FD2 1 Byte [31] PAGE ... PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16 805E2FF4 32 Bytes [FC, 8B, 45, 08, 56, 89, 85, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 37 805E3015 182 Bytes [00, 57, 8D, 85, FC, FD, FF, ...] 
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + EE 805E30CC 80 Bytes [76, 4A, EB, 09, 8D, 45, FA, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 13F 805E311D 47 Bytes [2B, 8D, 85, FC, FD, FF, FF, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16F 805E314D 44 Bytes [75, F1, 8D, 85, FC, FD, FF, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCopyLuid + B 805E31E5 94 Bytes [4D, 08, 89, 11, 8B, 40, 04, ...] PAGE ntkrnlpa.exe!RtlCreateSecurityDescriptor + 1C 805E3244 51 Bytes [C0, 5F, EB, 05, B8, 58, 00, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 22 805E3278 105 Bytes [46, 04, 66, 85, 7E, 02, 74, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 8C 805E32E2 9 Bytes [84, C0, 74, 3F, 66, 8B, 46, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 96 805E32EC 70 Bytes [75, 04, 33, F6, EB, 13, 66, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + DD 805E3333 158 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + 9A 805E33D2 19 Bytes [74, 0C, 0F, B7, 49, 02, 83, ...] PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + AE 805E33E6 135 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 1A 805E346E 18 Bytes [80, E1, 04, 80, F9, 04, 0F, ...] PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 2D 805E3481 43 Bytes [F6, C1, 04, 75, 04, 33, C9, ...] PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 59 805E34AD 155 Bytes [5D, C2, 10, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlGetSaclSecurityDescriptor + 2B 805E3549 60 Bytes [48, 02, F6, C1, 10, 75, 04, ...] PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 6 805E3586 15 Bytes [45, 08, 80, 38, 01, 74, 07, ...] PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 16 805E3596 46 Bytes [48, 02, 84, ED, 79, 07, B8, ...] PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 46 805E35C6 17 Bytes [48, 02, 33, C0, 5D, C2, 0C, ...] 
GMER part 3:
One more question: can/may I uninstall ComboFix again?
Not yet, we'll do that at the end. And now here we go :-) Kaspersky TDSSKiller (How are malicious programs of the Rootkit.Win32.TDSS family combated?): run it, post the log
OK. With the default setting "cure", I assume!?
Yes, exactly.
Now here is the TDSSKiller report:
C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2010/08/06 13:06:19.0218 HECI (cc2c8c23417cc7ddf5eddb17e60a14db) C:\WINDOWS\system32\DRIVERS\HECI.sys 2010/08/06 13:06:19.0281 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/08/06 13:06:19.0406 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/08/06 13:06:19.0562 i8042prt (e283b97cfbeb86c1d86baed5f7846a92) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/08/06 13:06:19.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/08/06 13:06:19.0781 intelppm (4c7d2750158ed6e7ad642d97bffae351) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/08/06 13:06:19.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/08/06 13:06:19.0875 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/08/06 13:06:19.0921 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/08/06 13:06:19.0968 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/08/06 13:06:20.0000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/08/06 13:06:20.0046 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys 2010/08/06 13:06:20.0078 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/08/06 13:06:20.0156 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys 2010/08/06 13:06:20.0203 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys 2010/08/06 13:06:20.0281 isapnp (6dfb88f64135c525433e87648bda30de) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/08/06 13:06:20.0328 Kbdclass (1704d8c4c8807b889e43c649b478a452) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/08/06 13:06:20.0375 kbdhid (b6d6c117d771c98130497265f26d1882) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2010/08/06 13:06:20.0437 kmixer 
(692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/08/06 13:06:20.0468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/08/06 13:06:20.0562 MacOpen (f1d23f78dcd65c8132c908b1e72e9143) C:\WINDOWS\system32\drivers\MacOpen.sys 2010/08/06 13:06:20.0625 MagicTune (f627e9da4d3d8dc05a15b68944302f14) C:\WINDOWS\system32\drivers\MTiCtwl.sys 2010/08/06 13:06:20.0687 MaxtorFrontPanel1 (dad2801f46631b625fb4fb37265fbe6e) C:\WINDOWS\system32\DRIVERS\mxofwfp.sys 2010/08/06 13:06:20.0750 MLPTDR_B (124aaf5d2a58e00c05019b0fb77c0966) C:\WINDOWS\system32\MLPTDR_B.sys 2010/08/06 13:06:20.0812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/08/06 13:06:20.0875 Modem (6fb74ebd4ec57a6f1781de3852cc3362) C:\WINDOWS\system32\drivers\Modem.sys 2010/08/06 13:06:20.0937 motmodem (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motmodem.sys 2010/08/06 13:06:20.0984 Mouclass (b24ce8005deab254c0251e15cb71d802) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/08/06 13:06:21.0015 mouhid (66a6f73c74e1791464160a7065ce711a) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/08/06 13:06:21.0062 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/08/06 13:06:21.0156 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/08/06 13:06:21.0203 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/08/06 13:06:21.0265 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/08/06 13:06:21.0312 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/08/06 13:06:21.0375 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/08/06 13:06:21.0421 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/08/06 13:06:21.0500 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) 
C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/08/06 13:06:21.0562 MTXPAR (0f83a76c82d5b9f672b33923759b2b12) C:\WINDOWS\system32\DRIVERS\MTXPARM.sys 2010/08/06 13:06:21.0703 MTXPARH (6dda78a0be692b61b668fab860f276cf) C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys 2010/08/06 13:06:21.0734 Mtxparmx (a9948d5ed30db457ff92239802d97e34) C:\WINDOWS\system32\DRIVERS\Mtxparmx.sys 2010/08/06 13:06:21.0765 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/08/06 13:06:21.0812 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/08/06 13:06:21.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/08/06 13:06:21.0890 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/08/06 13:06:21.0921 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/08/06 13:06:21.0968 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/08/06 13:06:22.0000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/08/06 13:06:22.0046 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/08/06 13:06:22.0093 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2010/08/06 13:06:22.0140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/08/06 13:06:22.0187 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/08/06 13:06:22.0265 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/08/06 13:06:22.0312 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/08/06 13:06:22.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/08/06 13:06:22.0390 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2010/08/06 13:06:22.0437 Parport 
(f84785660305b9b903fb3bca8ba29837) C:\WINDOWS\system32\drivers\Parport.sys 2010/08/06 13:06:22.0468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/08/06 13:06:22.0531 ParVdm (c2bf987829099a3eaa2ca6a0a90ecb4f) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/08/06 13:06:22.0593 PCANDIS5 (d0084a9ade989fe703e4f22171f4e4dc) C:\PROGRA~1\GEMEIN~1\T-Com\DSLCheck\PCANDIS5.SYS 2010/08/06 13:06:22.0640 PCI (387e8dedc343aa2d1efbc30580273acd) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/08/06 13:06:22.0718 PCIIde (59ba86d9a61cbcf4df8e598c331f5b82) C:\WINDOWS\system32\DRIVERS\pciide.sys 2010/08/06 13:06:22.0781 Pcmcia (a2a966b77d61847d61a3051df87c8c97) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/08/06 13:06:23.0171 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/08/06 13:06:23.0203 Processor (2cb55427c58679f49ad600fccba76360) C:\WINDOWS\system32\DRIVERS\processr.sys 2010/08/06 13:06:23.0265 Profos (1bfe86c679a43994e36e623fb6898cdb) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\profos.sys 2010/08/06 13:06:23.0312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2010/08/06 13:06:23.0343 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/08/06 13:06:23.0421 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/08/06 13:06:23.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/08/06 13:06:23.0750 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys 2010/08/06 13:06:23.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/08/06 13:06:23.0843 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/08/06 13:06:23.0906 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/08/06 13:06:23.0968 Rdbss 
(7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/08/06 13:06:24.0000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/08/06 13:06:24.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2010/08/06 13:06:24.0156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/08/06 13:06:24.0234 redbook (ed761d453856f795a7fe056e42c36365) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/08/06 13:06:24.0312 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys 2010/08/06 13:06:24.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/08/06 13:06:24.0406 Sentinel (7e5c2c58fc4e3862e7bf88bfb809a9b0) C:\WINDOWS\System32\Drivers\SENTINEL.SYS 2010/08/06 13:06:24.0484 serenum (5944622925d74268228222298e14dcaa) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d 2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0) 2010/08/06 13:06:24.0609 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys 2010/08/06 13:06:24.0656 sfng32 (76bd55922b3179fa7b5bd528839e6fb4) C:\WINDOWS\system32\drivers\sfng32.sys 2010/08/06 13:06:24.0718 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys 2010/08/06 13:06:24.0828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys 2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. 
md5: 71e276f6d189413266ea22171806597b 2010/08/06 13:06:24.0875 sptd - detected Locked file (1) 2010/08/06 13:06:24.0906 sr (50fa898f8c032796d3b1b9951bb5a90f) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/08/06 13:06:24.0937 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/08/06 13:06:25.0062 STHDA (527fd7d6919734c2a61c8aa3d5740e61) C:\WINDOWS\system32\drivers\sthda.sys 2010/08/06 13:06:25.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/08/06 13:06:25.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/08/06 13:06:25.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/08/06 13:06:25.0500 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys 2010/08/06 13:06:25.0546 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys 2010/08/06 13:06:25.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/08/06 13:06:25.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/08/06 13:06:25.0718 tdrpman147 (be7b1a73272648622b39be3c610e3ca0) C:\WINDOWS\system32\DRIVERS\tdrpm147.sys 2010/08/06 13:06:25.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/08/06 13:06:25.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/08/06 13:06:25.0906 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 2010/08/06 13:06:25.0953 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys 2010/08/06 13:06:26.0078 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\trufos.sys 2010/08/06 13:06:26.0125 TSMPacket (7c1367bff5587cf49c0ed2e664f6eac0) C:\WINDOWS\system32\DRIVERS\tsmpkt.sys 2010/08/06 13:06:26.0187 TuneUpUtilitiesDrv 
(f2107c9d85ec0df116939ccce06ae697) C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys 2010/08/06 13:06:26.0234 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/08/06 13:06:26.0343 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys 2010/08/06 13:06:26.0390 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/08/06 13:06:26.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2010/08/06 13:06:26.0468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2010/08/06 13:06:26.0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/08/06 13:06:26.0546 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2010/08/06 13:06:26.0578 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2010/08/06 13:06:26.0625 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2010/08/06 13:06:26.0703 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys 2010/08/06 13:06:26.0734 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/08/06 13:06:26.0812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/08/06 13:06:26.0859 VClone (9bf2ea54e5ed5acdf96f1dec84c117c4) C:\WINDOWS\system32\DRIVERS\VClone.sys 2010/08/06 13:06:26.0937 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/08/06 13:06:27.0046 VolSnap (a5a712f4e880874a477af790b5186e1d) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/08/06 13:06:27.0093 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys 2010/08/06 13:06:27.0140 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys 
2010/08/06 13:06:27.0156 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys 2010/08/06 13:06:27.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/08/06 13:06:27.0296 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2010/08/06 13:06:27.0390 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/08/06 13:06:27.0437 WinDriver6 (2c7d830e86b378771af5dafeae428a09) C:\WINDOWS\system32\drivers\windrvr6.sys 2010/08/06 13:06:27.0531 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2010/08/06 13:06:27.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2010/08/06 13:06:27.0843 ================================================================================ 2010/08/06 13:06:27.0843 Scan finished 2010/08/06 13:06:27.0843 ================================================================================ 2010/08/06 13:06:27.0859 Detected object count: 2 2010/08/06 13:07:53.0906 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/08/06 13:07:53.0906 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d 2010/08/06 13:07:55.0125 Backup copy found, using it.. 2010/08/06 13:07:55.0140 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot 2010/08/06 13:07:55.0140 Rootkit.Win32.TDSS.tdl3(Serial) - User select action: Cure 2010/08/06 13:07:55.0140 Locked file(sptd) - User select action: Skip |
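The report above is what a helper has to read through when triaging: one "Suspicious file (Forged)" line with two differing MD5s for serial.sys, one "NoAccess" locked file, and the actions the user picked. The two hashes are the point. TDSSKiller reads the driver through more than one path, and a TDL3-style rootkit that filters disk reads of the driver it lives in hands back the pristine bytes on one path while the other sees what is actually there; the mismatch, not either hash on its own, is the indicator. The following Python is an added example for this thread, not part of the post and not Kaspersky's code: it parses the line formats visible in this report (and no others), pairs each suspicious file with its service name, verdict and chosen action, and adds one heuristic of my own, flagging an identical hash registered under two service names (is3srv and szkg5 share one in this log) as worth a second look rather than as malicious. SAMPLE is an excerpt of the posted report, nothing in it is invented.

```python
"""Triage helper for a Kaspersky TDSSKiller 2.4.x report.

Added example for this thread: not part of the forum post and not Kaspersky
code. It only knows the line formats visible in the report above; SAMPLE is
an excerpt of that posted report, with nothing invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) "
_HEX = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(_TS + r"(?P<name>\S+) \((?P<md5>%s)\) (?P<path>.+)$" % _HEX)
FORGED_RE = re.compile(_TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>%s), Fake md5: (?P<fake>%s)$" % (_HEX, _HEX))
LOCKED_RE = re.compile(_TS + r"Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>%s)$" % _HEX)
DETECT_RE = re.compile(_TS + r"(?P<name>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
ACTION_RE = re.compile(_TS + r"(?P<verdict>.+?)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(_TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # service -> (md5, path)
    forged: Dict[str, Tuple[str, str]] = field(default_factory=dict)    # path -> (real md5, fake md5)
    locked: Dict[str, str] = field(default_factory=dict)                # path -> md5
    detections: Dict[str, str] = field(default_factory=dict)            # service -> verdict
    actions: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # service -> (verdict, action)
    detected_count: Optional[int] = None


def parse_report(text: str) -> Report:
    """One pass over the log; the cure phase re-lists hits, so dicts dedupe them."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FORGED_RE.match(line):
            rep.forged[m["path"]] = (m["real"], m["fake"])
        elif m := LOCKED_RE.match(line):
            rep.locked[m["path"]] = m["md5"]
        elif m := DETECT_RE.match(line):
            rep.detections[m["name"]] = m["verdict"]
        elif m := ACTION_RE.match(line):
            rep.actions[m["name"]] = (m["verdict"], m["action"])
        elif m := COUNT_RE.match(line):
            rep.detected_count = int(m["n"])
        elif m := DRIVER_RE.match(line):
            rep.drivers.setdefault(m["name"], (m["md5"], m["path"]))  # keep the scan-phase listing
    return rep


def triage(rep: Report) -> List[dict]:
    """Findings a helper wants first: forged reads, locked files, loose ends."""
    by_path = {path.lower(): name for name, (_, path) in rep.drivers.items()}
    findings: List[dict] = []
    for path, (real, fake) in rep.forged.items():
        name = by_path.get(path.lower(), "?")
        verdict, action = rep.actions.get(name, (rep.detections.get(name, ""), "none"))
        # The mismatch between the two hashes is the indicator, not either value alone.
        findings.append({"kind": "forged", "service": name, "path": path, "real_md5": real,
                         "fake_md5": fake, "verdict": verdict, "action": action})
    for path, md5 in rep.locked.items():
        name = by_path.get(path.lower(), "?")
        _, action = rep.actions.get(name, ("", "none"))
        # Unreadable means unverified: confirm which installed product owns the file.
        findings.append({"kind": "locked", "service": name, "path": path, "md5": md5, "action": action})
    # Heuristic of this example (not TDSSKiller's): the same hash under two service
    # names is usually one vendor driver registered twice, but it deserves a look.
    by_hash: Dict[str, List[str]] = {}
    for name, (md5, _) in rep.drivers.items():
        by_hash.setdefault(md5, []).append(name)
    for md5, names in sorted(by_hash.items()):
        if len(names) > 1:
            findings.append({"kind": "shared_hash", "md5": md5, "services": sorted(names), "action": "review"})
    for name in rep.detections:
        if name not in rep.actions:
            findings.append({"kind": "untreated", "service": name, "verdict": rep.detections[name], "action": "none"})
    if rep.detected_count is not None and rep.detected_count != len(rep.detections):
        findings.append({"kind": "count_mismatch", "reported": rep.detected_count, "seen": len(rep.detections)})
    return findings


# Excerpt of the report posted above (real lines from that log, not constructed).
SAMPLE = r"""
2010/08/06 13:06:04.0765 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/06 13:06:15.0171 Scan started
2010/08/06 13:06:16.0265 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 13:06:16.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/06 13:06:20.0203 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys
2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/08/06 13:06:24.0875 sptd - detected Locked file (1)
2010/08/06 13:06:25.0500 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys
2010/08/06 13:06:27.0843 Scan finished
2010/08/06 13:06:27.0859 Detected object count: 2
2010/08/06 13:07:53.0906 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:07:53.0906 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:07:55.0125 Backup copy found, using it..
2010/08/06 13:07:55.0140 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot
2010/08/06 13:07:55.0140 Rootkit.Win32.TDSS.tdl3(Serial) - User select action: Cure
2010/08/06 13:07:55.0140 Locked file(sptd) - User select action: Skip
"""

if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE)):
        print(finding)
```

Run it as is and it prints three findings for the excerpt: serial.sys forged with action Cure, sptd.sys locked with action Skip, and the shared hash under is3srv and szkg5 marked for review. Feed it the full report instead of SAMPLE and the same checks apply; the "untreated" and "count_mismatch" kinds only appear when a detection has no chosen action or the tool's own count disagrees with the detection lines, which is the first thing to look at when a user pastes a log that was interrupted.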
Firefox has just opened a page called "texasboy" on its own, unprompted ... I haven't rebooted yet. Should I do it now? |
yes, unless of course you like the advertising so much that you don't want to get rid of it anymore *g* |
Will do. I'm not :balla: after all. See you in a bit. |
Reboot done. Lying in wait to see what the fire fox does now ... |
During the scan, Kaspersky's TDSSKiller identified one object, which is still being flagged: [IMG]www.sach-fach.de/fordownloads/Screenshot%20Kasp1.jpg[/IMG] |
Copyright ©2000-2025, Trojaner-Board