|
Windows friert ein, Firefox öffnet willkürlich Fenster ( in Flensburg) Moin Moin aus Flensburg! Bin neu hier und natürlich weil ich ein Problem habe, genaugenommen zwei: 1. Mein PC startet Win XP Prof SP3 und dann friert der Desktop ein. Das Phänomen tritt nicht bei jedem Einschalten/Start auf, sondern willkürlkich. Ich kann ihn dann nur abwürgen, indem ich den Einschaltknopf dauerhaft drücke, vom Stromnetz trenne und erneut starte. 2. Firefox 3.6.8. öffnet ungewollt irgendwelche Fenster/Tabs oder andere als z.B. gegoogled und dann angeklickt werden. Da sich dann manchmal die Java-Aktualisierung meldete habe ich Java deinstalliert und in Firefox deaktiviert. Mit BitDefender, Malwarebytes, Spybot und STOPzilla wurden in den letzten zwei Tagen immer wieder neu auftauchende Malware entfernt: z.B. Cleensweep.exe, Extensions.exe, ein sog. Trojan.Dropper, ein Rootkit.Patches.TDSS.Gen und gestern fand sich ein Trojan.Script.43992 Jetzt erbitte ich Hilfe und poste erstmal den aktuellen Hijackthis-Scan: Viele Grüße, Gerhard "Schmerlen-Otto" HiJackthis Logfile: Code: Logfile of Trend Micro HijackThis v2.0.4 |
download malwarebytes: Malwarebytes instaliere es, öffne es, klicke die registerkarte aktualisierung, spiele das update ein. dann schalte alles an laufenden programmen ab, auch antivirus, trenne die internetverbindung, in dem du wlan abschaltest, bzw das lankabel ziehst. malwarebytes, komplett scan, funde löschen, evtl. wenn malwarebytes auffordert, pc neu starten, antivirus + internet ein, log posten. wenn du ältere logs hast, schaue malwarebytes, logdateien und posten. ootl: Systemscan mit OTL download otl: http://filepony.de/download-otl/ Doppelklick auf die OTL.exe (user von Windows 7 und Vista: Rechtsklick als Administrator ausführen) 1. Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output 2. Hake an "scan all users" 3. Unter "Extra Registry wähle: "Use Safelist" "LOP Check" "Purity Check" 4. Kopiere in die Textbox: netsvcs msconfig safebootminimal safebootnetwork activex drivers32 %ALLUSERSPROFILE%\Application Data\*. %ALLUSERSPROFILE%\Application Data\*.exe /s %APPDATA%\*. %APPDATA%\*.exe /s %SYSTEMDRIVE%\*.exe /md5start userinit.exe eventlog.dll scecli.dll netlogon.dll cngaudit.dll ws2ifsl.sys sceclt.dll ntelogon.dll winlogon.exe logevent.dll user32.DLL iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys /md5stop %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles CREATERESTOREPOINT 5. Klicke "Scan" 6. 2 reporte werden erstellt: OTL.Txt Extras.Txt poste beide. |
Hallo MarcusG, vielen Dank, dass du versuchen willst mir zu helfen. Der Scan mit Malwarebytes hat ein bisschen gedauert (4 HDs mit je 500 MB, jeweils ca. ein Drittel bis halb voll). Hier ist das Log: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4387 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 04.08.2010 14:14:17 mbam-log-2010-08-04 (14-14-17).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|G:\|) Durchsuchte Objekte: 408848 Laufzeit: 1 Stunde(n), 26 Minute(n), 26 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) Mache jetzt gleich den Systemscan mit OTL. Bis gleich (Hoffentlich). Grüße aus Flensburg, Gerhard "SchmerlenOtto" |
Windows friert ein, Firefox öffnet willkürlich Fenster ( in Flensburg) OTL.txt ist nach Rückmeldung des Boards zu lang. Es wird dauernd der Server zurückgesetzt, wenn ich etwas antworten will. Ich versuche es gleich nochmal. Stelle die beiden Dateien Extras.TXT und OTL.Txt hier zum Download: www.sach-fach.de/fordownloads/Extras.Txt www.sach-fach.de/fordownloads/OTL.Txt Vielleicht geht es so. |
wenns zu lang ist musst du es eben aufteilen |
Gut, ich versuche es nochmal mit der Datei Extras.txt (die ist 11 Seiten mit 29.828 Zeichen lang und ich bekomme immer die Meldung, dass der Server zurückgesetzt wird): Teil 1 (S. 1-3) OTL Extras logfile created on: 04.08.2010 14:41:57 - Run 1 OTL by OldTimer - Version 3.2.9.1 Folder = D:\Downloads Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 64,00% Memory free 4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 255,32 Gb Total Space | 216,72 Gb Free Space | 84,88% Space Free | Partition Type: NTFS Drive D: | 465,76 Gb Total Space | 418,36 Gb Free Space | 89,82% Space Free | Partition Type: NTFS Drive E: | 465,76 Gb Total Space | 202,18 Gb Free Space | 43,41% Space Free | Partition Type: NTFS Drive F: | 312,61 Gb Total Space | 113,07 Gb Free Space | 36,17% Space Free | Partition Type: NTFS Drive G: | 465,76 Gb Total Space | 214,40 Gb Free Space | 46,03% Space Free | Partition Type: NTFS H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: xxx Current User Name: xxx Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) .js [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found [HKEY_USERS\S-1-5-21-3495212690-2977224712-3179768257-1006\SOFTWARE\Classes\<extension>] .exe [@ = exefile] -- Reg Error: Key error. File not found .html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) http [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) https [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) jsfile [edit] -- Reg Error: Key error. piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server "3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server "50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server "50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 "5985:TCP" = 5985:TCP:*:Disabled:Windows-Remoteverwaltung "80:TCP" = 80:TCP:*:Disabled:Windows-Remoteverwaltung - Kompatibilitätsmodus (HTTP eingehend) ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated) "C:\Programme\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe" = C:\Programme\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe:*:Enabled:Adobe Dreamweaver CS3 -- (Adobe Systems, Inc.) "C:\WINDOWS\system32\lxdfcoms.exe" = C:\WINDOWS\system32\lxdfcoms.exe:*:Enabled:Lexmark Communications System -- ( ) "C:\Programme\Lexmark 6500 Series\lxdfamon.exe" = C:\Programme\Lexmark 6500 Series\lxdfamon.exe:*:Enabled:Lexmark Device Monitor -- () "C:\Programme\Lexmark 6500 Series\frun.exe" = C:\Programme\Lexmark 6500 Series\frun.exe:*:Enabled:Lexmark Productivity Studio -- () "C:\Programme\Gemeinsame Dateien\Ahead\Nero Web\SetupX.exe" = C:\Programme\Gemeinsame Dateien\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup -- (Nero AG) "C:\Programme\SnagIt\SnagItEditor.exe" = C:\Programme\SnagIt\SnagItEditor.exe:*:Enabled:SnagIt Editor 9 -- (TechSmith Corporation) "C:\Programme\Lexmark 6500 Series\lxdfmon.exe" = C:\Programme\Lexmark 6500 Series\lxdfmon.exe:*:Enabled:Printer Device Monitor -- () "C:\WINDOWS\system32\lxdfcfg.exe" = C:\WINDOWS\system32\lxdfcfg.exe:*:Enabled:Printer Communication System -- ( ) "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfpswx.exe:*:Enabled:Printer Status Window Interface -- () |
Extras.txt Teil 2(S.4-6): "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdftime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdftime.exe:*:Enabled:Lexmark Connect Time Executable -- (Lexmark International, Inc.) "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfjswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfjswx.exe:*:Enabled:Job Status Window Interface -- () "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfwbgw.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfwbgw.exe:*:Enabled:Lexmark Web Gateway -- () "C:\Programme\Lexmark 6500 Series\Wireless\lxdfwpss.exe" = C:\Programme\Lexmark 6500 Series\Wireless\lxdfwpss.exe:*:Enabled: -- () "C:\Programme\Tools\PhraseExpress\phraseexpress.exe" = C:\Programme\Tools\PhraseExpress\phraseexpress.exe:*:Enabled:PhraseExpress -- (Bartels Media) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{010C0B4A-DC93-4BB4-893B-BDDE95355A3E}" = Freeware PDF Unlocker "{0180F30F-52A8-4414-8E3B-931917211845}" = AquaSoft DiaShow Studio 6 "{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3 "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting "{094C28D2-3FE2-417C-AF0B-425FE891F04A}" = Motorola Phone Tools "{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis "{11AB5846-9F34-434A-9721-ED0247F538D9}" = 3Dconnexion Plug-In for 3ds max 6 - 8 "{143B0CE5-5A84-4537-94A2-F9B12F0A20B1}" = 3Dconnexion Plug-In for Maya 6.5 "{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin "{1A986F4A-5DBA-4A6F-8CE3-973066C2587C}" = 3Dconnexion Plug-in for QuickTime VR "{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server {ko_KR} "{22DC3166-47B6-4B9E-A163-AB0F50C91829}" = Matrox PowerDesk-SE "{2368AFF7-A26E-40B5-96EE-86CD00F0CDAB}" = 3Dconnexion Plug-In for 3ds Max 9 "{248057F8-58C8-4E44-9182-9AF85DF787FC}" = Adobe Setup "{24D20EF7-2066-42A8-91DB-952636384E42}" = AquaSoft PhotoKalender "{253292FA-59C1-4750-B12F-37E21B412885}" = StarMoney 6.0 S-Edition "{26988F1A-810A-4CE1-BBD7-3DF471E03BD0}" = 3Dconnexion Plug-In for NX "{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3 "{2C0BC353-B261-44D5-83F1-C8BDCF8FD9F9}" = STOPzilla "{2DEFAFFC-CED3-4D54-A558-34B55F0E4C93}" = 3Dconnexion Plug-In for Maya 7 "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{3598B8A9-091B-40A2-AF10-D132E861C0D2}" = 3Dconnexion Add-In for Solid Edge "{36B107C0-F8AD-42D5-B0CD-58035C5A4B47}" = Duden Korrektor PLUS Update "{3734D369-234D-44A1-923E-CECDC1151359}" = MemoMaster 3 "{37C8899D-FD70-481F-94AA-1F1B08765E22}" = Acronis True Image Home "{3A521923-1EDC-4EAC-83CF-4B2EAE132E84}_is1" = Duden Korrektor für OpenOffice.org "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{411E0CC3-587A-468C-B461-95FAFD05E4DE}" = Adobe InDesign CS3 "{45E14793-139A-446D-8E84-84CBD528803A}" = The Big Box of Art 350.000 "{46653DF9-CF76-4127-9FC6-B3E43EBD83CE}" = 3Dconnexion Picture Viewer "{47879FA7-BC8F-4D7F-8057-86D0416579FA}" = StarMoney "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4AA5B8A5-BEEF-4AD8-B11D-4443A042EA4F}" = Adobe Dreamweaver CS3 "{4ECC923E-B46B-4ECB-8EC8-35630C8912E4}" = 3Dconnexion Add-In for SolidWorks "{4ECD8140-C581-401F-8EF5-209DA0F5EC98}" = 3Dconnexion Plug-In for Maya 6 "{531BC138-F1F7-496B-879C-F039ECEF438D}" = Adobe Photoshop Lightroom 2 "{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3 "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{5C47C8B6-77FF-4FC7-A388-66FCF9CFC24C}" = Snagit 9.1.3 "{5C81B189-5456-40C4-9313-7FE6FA6DD64C}" = Office-Bibliothek "{5D1F9026-6255-4F18-BBDF-F2B424D0DD04}" = 3Dconnexion Add-In for AutoCAD 2007 "{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup "{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All "{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files "{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash "{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings "{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime "{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3 "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings "{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0 "{77D2A9D3-5800-43E3-B274-87841BC87DB2}" = Adobe ExtendScript Toolkit 2 "{782F20EF-AEB4-4062-9614-750FE8FD2542}" = Vokabeltrainer-Update 3.0.32 "{7930CFCA-A2B4-43F0-B8A4-80885A48DB4B}" = 3Dconnexion Plug-In for Photoshop CS3 "{7A734F47-83B8-4035-B819-FDABCED660A1}" = 3Dconnexion Add-In for Inventor "{7D386596-0E80-4808-8AAE-C1DDA8212F7F}" = Adobe Setup "{7E0F42A8-AC7D-4557-8D8F-49918C543ABF}" = BitDefender Antivirus 2009 "{7EC19307-7C22-47A8-922B-3FA965291260}" = OpenOffice.org 3.0 "{7EE873AF-46BB-4B5D-BA6F-CFE4B0566E22}" = TuneUp Utilities Language Pack (de-DE) "{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3 "{80F884E1-C9F3-40C0-8A2A-7C5EDE5A9924}" = 3Dconnexion Plug-In for Pro/ENGINEER "{86D399FB-05FC-4EED-A5B1-A33FE72FA498}" = 3Dconnexion Add-In for AutoCAD 2008 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}" = Adobe Setup "{8AEBFD30-B94F-4A49-8106-03039708BDD4}" = Duden Korrektor Patch 012009 "{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3 "{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3 "{90A455A7-0FC8-4508-B7FA-8F135B8F041A}" = DSL-Manager "{91110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003 "{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3 "{9ED38F62-7A50-4145-8C5D-0FCFFBF10A7B}" = Visual C++ CRT 9.0 "{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps "{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A38048C6-89D1-44EC-BC95-E95DD4A19B5E}" = QuarkXPress 7.1 "{A3979C7E-4E11-4E74-B4B0-F88B9788CEAF}" = 3Dconnexion Plug-in for Acrobat 3D "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio "{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel(R) Programm für Prozessor-IDs "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AABF76CA-D460-42F0-BB2C-80DF44E8850F}" = Adobe Creative Suite 3 Design Standard "{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings "{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch "{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0 "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B49673F8-7AB6-4A14-8213-C8A7BE370010}" = UltraMon "{B60BC366-98BF-448F-9981-617FE8BEB30B}" = AquaSoft Barbecue "{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3 "{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3 "{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3 "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation "{BAFCA6AC-8B37-405B-B57E-C1D45DE70ACC}" = 3Dconnexion 3DxSoftware (Personal Edition) "{BB904413-1FED-4EDA-A1CC-CA5DD703378B}" = 3Dconnexion Add-On for XSI "{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX "{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3 "{BFFE230A-8520-423D-8A22-DB82C9922925}" = Das Interaktive Kartenwerk. Deutschland "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU "{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU "{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3 "{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}" = TuneUp Utilities 2007 "{C8D7A672-F697-4572-AC62-C856053A8DBC}" = Adobe Illustrator CS3 "{C96F2228-0163-4782-95AF-816BC1692F31}" = Langenscheidt Vokabeltrainer 3.0 Englisch (OEM) "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CD40F045-2D59-41FF-8664-BA53A2C41342}" = 3Dconnexion Plug-In for Maya 8 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CF097717-F174-4144-954A-FBC4BF301031}" = Nero 7 Premium "{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client "{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files "{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities "{D3C605D8-3A5E-4BAD-965D-2C61441BF2AC}" = Adobe Photoshop CS3 "{DA0BF7AB-88EB-4675-8FA1-531EAD938821}" = SnagIt 8 "{DB5C0B0D-6FC9-4072-BB43-4CFD70506CF6}" = 3Dconnexion Extension for SketchUp "{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings "{DF74C7BA-5C9F-4F17-8B6F-5ECE08280F34}" = ScanSoft OmniPage 16 "{E48AE8E5-8B5A-465C-95E5-47725448DA57}" = 3Dconnexion 3DxWare "{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3 "{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack "{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler "{F676F3E6-15C7-47AC-8FAE-46891D00F1AF}" = Schleswig-Holstein Hamburg 2.0 "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth "{F996076C-BED5-45D6-9C10-39BC7B005F77}" = 3Dconnexion Plug-In for Photoshop CS2 "{F9C0F8DE-FDFE-4A59-B91D-D8D4F23B5F46}" = 3Dconnexion Plug-In for Maya 8.5 "{FF0B0792-F6E7-4627-B820-EA50617E223B}" = QuarkXPress 6.5 "{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings "1PasswordPro" = 1Password Pro "ac'tivAid" = ac'tivAid v1.3.1 "Adobe Acrobat 8 Professional - English, Français, Deutsch_815" = Adobe Acrobat 8.1.5 - CPSID_49013 "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Streamline 4.0" = Adobe Streamline 4.0 "Adobe Type Manager 4.1" = Adobe Type Manager 4.1 "Adobe_25db75244653b42cb93dc27939d1c0e" = Adobe Dreamweaver CS3 "Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2 "Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings "Adobe_c5cbed37a01f242ac41d8f4528b7a0d" = Adobe Creative Suite 3 Design Standard hinzufügen oder entfernen "AnyDVD" = AnyDVD "AquaSoft DiaShow Studio 6" = AquaSoft DiaShow Studio 6 "AutoHotkey" = AutoHotkey 1.0.47.06 "Bibliographix 8_is1" = Bibliographix 8 "CCleaner" = CCleaner "CloneCD" = CloneCD "CloneDVD2" = CloneDVD2 "ConversionsPlus6.05" = Conversions Plus 6.05 |
Extras Teil 3 (S.7) "Dexpot" = Dexpot "DFÜ-Speed" = DFÜ-Speed "Dia" = Dia (nur entfernen) "DPF-1.2.0.822_is1" = Duden Proof Factory 1.2.0.822 "DYMO Label Software" = DYMO Label Software "eminecMYmap" = eminec MYmap v.5 "EPSON Scanner" = EPSON Scan "Extended Clipboard_is1" = Extended Clipboard v. Extended Clipboard v. 1.4.24 "Farbwähler_is1" = Farbwähler 3.00 "FileZilla" = FileZilla (remove only) "FLV Player" = FLV Player 2.0 (build 25) "Free Download Manager_is1" = Free Download Manager 2.5 Video Conversion plugin "Free Video to Flash Converter_is1" = Free Video to Flash Converter version 4.1 "FRITZ! 2.0" = AVM FRITZ! "HECI" = Intel(R) Management Engine Interface "Helicon Filter_is1" = Helicon Filter 4.93.2 "iColorFolder" = iColorFolder "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie8" = Windows Internet Explorer 8 "InstallShield_{45E14793-139A-446D-8E84-84CBD528803A}" = The Big Box of Art 350.000 "Lexmark 6500 Series" = Lexmark 6500 Series "LimanPro1" = Liman Pro 1.0 "magicolor 2300 DL" = magicolor 2300 DL "MAGIX Music Cleaning Lab 2008 deluxe D" = MAGIX Music Cleaning Lab 2008 deluxe 9.0.0.0 (D) "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "MapCreator 2" = MapCreator 2 "Matrox Parhelia Driver Uninstaller" = Matrox Driver "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "MOBackup-DatensicherungfürOutlook" = MOBackup - Datensicherung für Outlook (Vollversion) "MozBackup_is1" = MozBackup 1.4.7 "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8) "Mozilla Thunderbird (3.0.6)" = Mozilla Thunderbird (3.0.6) "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "Photomatix Pro_is1" = Photomatix Pro version 2.5.2 "PhotoZoom Pro 2" = BenVista PhotoZoom Pro 2.2.8 "PhraseExpress_is1" = PhraseExpress v6.0.158 "Portrait Professional 6_is1" = Portrait Professional 6.3 "PPTminimizer 2006_is1" = PPTminimizer 2006 "SilverFast Epson" = SilverFast Epson 6.6.1r4a "simple2_is1" = Tone Mapping Plug-In 1.1.2 "SpeedCommander 13" = SpeedCommander 13 "Stickies 6.5a" = Stickies 6.5a "SUPER ©" = SUPER © Version 2008.bld.33 (Sep 2, 2008) "Synchredible_is1" = Synchredible v1.3 "TomTom HOME" = TomTom HOME 2.7.5.2014 "TuneUp Utilities" = TuneUp Utilities "Typograf" = Typograf4.8f "Unlocker" = Unlocker 1.8.7 "VILAUS" = VILAUS "VTrain (Vokabeltrainer)_is1" = VTrain (Vokabeltrainer) 4.5 "VTrain_is1" = VTrain (Vokabeltrainer) 5.2 "Wacom Tablet Driver" = Wacom Tablett |
Jetzt geht's nicht mal mehr seitenweise die Extras.txt einzustellen. Dauern kommt die Meldung, der Server wurde zurückgesetzt (dabei ich andere Webseiten [auch andere vom trojaner-board] problemlos aufrufen). Ich versuch's weiter. |
Extras.txt 8a "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 "WIC" = Windows Imaging Component "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "WritePro Fiction" = WritePro Fiction "WritePro FictionMaster" = WritePro FictionMaster "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0 "XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0 ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-3495212690-2977224712-3179768257-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Dexpot" = Dexpot ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 03.08.2010 06:21:33 | Computer Name = SACHFACH | Source = Virtual CD v5 Security service | ID = 2 Description = Error - 03.08.2010 06:24:13 | Computer Name = SACHFACH | Source = Virtual CD v5 Security service | ID = 2 Description = |
Extras.txt 8b |
Extras.txt 8b Error - 03.08.2010 10:49:05 | Computer Name = SACHFACH | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung svchost.exe, Version 5.1.2600.5512, fehlgeschlagenes Modul unknown, Version 0.0.0.0, Fehleradresse 0x001a3b57. |
Error - 03.08.2010 12:26:46 | Computer Name = SACHFACH | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung svchost.exe, Version 5.1.2600.5512, fehlgeschlagenes Modul urlmon.dll, Version 8.0.6001.18923, Fehleradresse 0x0002df76. Error - 03.08.2010 12:26:53 | Computer Name = SACHFACH | Source = Application Error | ID = 1001 Description = Fehlerhafter Speicherbereich 1908539146. |
jetzt scheint's nur noch zeilenweise zu gehen. |
Error - 03.08.2010 13:50:22 | Computer Name = SACHFACH | Source = crypt32 | ID = 131083 |
Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen |
Die Extras.txt habe ich bei Anhänge verwalten hochgeladen. Geht das so? |
bitte erstelle und poste ein combofix log. Ein Leitfaden und Tutorium zur Nutzung von ComboFix |
Ich habe die OTL.txt geZIPt, weil die Textdatei etwas mehr als 1MB mit 146 Seiten hat. Geht das so. Oder muss ich die aufteilen in 10 Textdateien? |
So, hier nun das CombofixLog: Combofix Logfile: Code: ComboFix 10-08-03.04 - Gerhard Ott 04.08.2010 18:25:45.1.2 - x86 |
ok, der teatimer könnte malwarebytes scan verfälscht haben, bitte deinstaliere spybot und starte den pc neu, dann nach update den malwarebytes scan wie auf seite 1 beschrieben erneut ausführen, log posten |
Hallo markusg, Spybot habe ich deinstalliert und Malwarebytes' Anti-Malware einen Komplettscan durchführen lassen. Während des Scans erschien ein Fenster mit der Meldung: "Generic Host Process for Win32Service hat ein Problem festgestellt und muss beendet werden". Ich habe nur mit Ok bestätigt und keine Sendung veranlasst. Hier das Ergebnis von Malwarebytes' Anti-Malware: Malwarebytes' Anti-Malware 1.46 Malwarebytes Datenbank Version: 4390 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 04.08.2010 21:57:15 mbam-log-2010-08-04 (21-57-15).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|G:\|) Durchsuchte Objekte: 407815 Laufzeit: 1 Stunde(n), 28 Minute(n), 41 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) |
Sorry, vergaß mitzuteilen, dass ich STOPzilla auch deaktiviert habe, weil dieser Dateien von der Combofix-Installation löschen wollte. |
poste einen gmer report http://www.trojaner-board.de/74908-a...t-scanner.html |
Melde mich kurz mal von meinem Netbook: GMER läuft auf dem betroffenen Desktop-PC-System seit heute Mittag/Nachmittag. Nach Combofix ist das Einfrieren nach dem Start des Desktop offensichtlich verschwunden. Für diese Hilfe schon mal herzlichen Dank! Was geblieben ist, ist das selbständige Öffnen von Fenstern in Firefox mit dubiosem Inhalt (manchmal ist das Fenster auch einfach leer und die angewählte URL ist "burkinafas*** irgendwas" oder Werbeinhalt. Wie gesagt, der GMER-Scan (bisher nur auf C) läuft noch. Ich poste den GMER-Scan sowie er fertig ist. Vielen Dank für die Hilfe bis hierher. Herzliche Grüße, Gerhard "SchmerlenOtto" |
c: reicht auch, die andern laufwerke brauchst net |
Moin aus Südskandinavien, "brauchst net" klingt net(t) nach Süddeutschland... ... wie gesagt in Norddeutschland dauert's alles "a bißl" länger, offensichtlich auch der GMER-Scan (der ist jetzt irgendwo in der Registry, soweit ich die Meldungen als Laie interpretieren kann). Auf jeden Fall finde ich deine Hilfe auf diesem Board schon mal super! Dazu kommt später bestimmt noch was von mir. Würde mich freuen, wenn der "Rest" auch noch zu "reparieren" wäre. GMERScanEndeabwartende Grüße, Gerhard "SchmerlenOtto" |
ist die internet verbindung an diesem pc getrennt und alle laufenden programme abgeschalten. ne um genau zu sein bin ich n "ossi" :-) |
Nett, irgendwie bin ich dann auch 'n "Ossi" (meine Eltern stammen aus dem Sudentenland, die über Augs- und Duisburg "'rübergemacht" haben ... ... nun gut, das ist hier nicht das Thema *auch wenn|s die Computerwelt ein bisschen menschlicher macht. Also> der kranke PC ist definitiv offline, weil ich das CATKabel abgetrennt habe. |
Nu`' seh ich gerade im Augenwinkel, dass GMER einen schwarzen Bildschild liefert und der PC abgestürzt ist. Neustart klappte und ich starte einen neuen GMER Scan. Der hat hat dann Zeit bis morgen früh. ... Denkste, nun sagt: u47786.exe (der Random Name von GMER) hat ein Problem und muss beendet werden (bla bla Meldung an MS natürlich: nein) Versuche neuen Download. Beste Grüße, Gerhard |
So, nun scannte er wieder und hängte sich dann bei "\bxipptp" auf. Maus stoppt, WIn stopp! SHIFT-ALT-ENTF geht nicht Mache: ON-Schalter bis AUS... |
Ich bin jetzt mal kurz angebunden, aber bitte nicht unhöflich verstehen: Neustart und nach besten Wissen alle Programme beendet (auch über SHIFT-ALT-ENTF) GMER 1.0.15.15281 scannt. Ich muss jetzt erstmal was essen, bei dem ganzen Stress. Bis dann! Gerhard "Schmerlenotto" |
So, nun hat GMER über Nacht den Scan durchgeführt. Wegen der Länge kommt das Log in drei Teilen (auch als drei .txt-files hochgeladen): GMER Teil 1: GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-08-06 06:19:44 Windows 5.1.2600 Service Pack 3 Running: u4jf7786.exe; Driver: C:\DOKUME~1\GERHAR~1\LOKALE~1\Temp\pxlyypow.sys ---- System - GMER 1.0.15 ---- SSDT spjb.sys ZwCreateKey [0xB9EA80E0] SSDT spjb.sys ZwEnumerateKey [0xB9EC6CA2] SSDT spjb.sys ZwEnumerateValueKey [0xB9EC7030] SSDT spjb.sys ZwOpenKey [0xB9EA80C0] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA3426C90] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xA3426D7E] SSDT spjb.sys ZwQueryKey [0xB9EC7108] SSDT spjb.sys ZwQueryValueKey [0xB9EC6F88] SSDT spjb.sys ZwSetValueKey [0xB9EC719A] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xA3426BF4] SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateThread [0xA3426EC4] INT 0x74 ? 8A8F0BF8 INT 0x83 ? 8A8F0BF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8FEBF8 INT 0x94 ? 8A8F0BF8 INT 0x94 ? 8A8FEBF8 INT 0xB4 ? 8A8FEBF8 INT 0xB4 ? 8A8FEBF8 INT 0xB4 ? 8A8F0BF8 INT 0xB4 ? 8A8F0BF8 INT 0xB4 ? 8A8FEBF8 ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntkrnlpa.exe!NtSetInformationThread + 138 805CC200 23 Bytes [EC, 8B, 00, 8B, 00, 89, 45, ...] PAGE ntkrnlpa.exe!NtSetInformationThread + 150 805CC218 2 Bytes [85, 9D] PAGE ntkrnlpa.exe!NtSetInformationThread + 155 805CC21D 5 Bytes [C7, 45, FC, 03, 00] PAGE ntkrnlpa.exe!NtSetInformationThread + 15B 805CC223 42 Bytes [00, 8A, 06, 88, 45, A0, 89, ...] PAGE ntkrnlpa.exe!NtSetInformationThread + 186 805CC24E 22 Bytes [75, A0, FF, 75, CC, E8, 8C, ...] PAGE ... PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 1 805CC94F 96 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 62 805CC9B0 8 Bytes [48, 28, 89, 0D, 04, 4C, 56, ...] PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 6B 805CC9B9 8 Bytes [48, 2C, 89, 0D, 08, 4C, 56, ...] {DEC EAX; SUB AL, 0x89; OR EAX, 0x80564c08} PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 74 805CC9C2 33 Bytes [48, 30, 89, 0D, 14, 4C, 56, ...] PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 96 805CC9E4 77 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + 44 805CCA32 45 Bytes [00, 74, 11, 8B, 80, D0, 00, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + 72 805CCA60 64 Bytes CALL 805AFF63 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + B3 805CCAA1 33 Bytes [0A, B8, 22, 00, 00, C0, E9, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + D5 805CCAC3 20 Bytes [46, 44, 89, 45, E0, 38, 9E, ...] PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + EA 805CCAD8 45 Bytes CALL 80510C49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!NtQueryInformationProcess + 6B 805CCFB9 178 Bytes [FC, FF, 8B, 85, 28, FF, FF, ...] PAGE ntkrnlpa.exe!NtQueryInformationProcess + 11E 805CD06C 33 Bytes [00, 8B, 45, E0, 89, 06, E9, ...] PAGE ntkrnlpa.exe!NtQueryInformationProcess + 140 805CD08E 32 Bytes JMP 805CD46C \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!NtQueryInformationProcess + 162 805CD0B0 10 Bytes CALL 805BB47F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!NtQueryInformationProcess + 16D 805CD0BB 10 Bytes [8C, 3A, 0D, 00, 00, 8B, 3D, ...] PAGE ... PAGE ntkrnlpa.exe!NtSetInformationProcess + 57 805CDE9B 3 Bytes CALL 80614099 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!NtSetInformationProcess + 5B 805CDE9F 4 Bytes [8D, 04, 1F, 3B] PAGE ntkrnlpa.exe!NtSetInformationProcess + 60 805CDEA4 13 Bytes [72, 08, 3B, 05, 34, 21, 56, ...] PAGE ntkrnlpa.exe!NtSetInformationProcess + 6E 805CDEB2 30 Bytes [00, 83, 4D, FC, FF, 8B, 45, ...] PAGE ntkrnlpa.exe!NtSetInformationProcess + 8D 805CDED1 91 Bytes CALL 80592C59 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsDereferenceImpersonationToken + 71 805CED39 59 Bytes [75, 0C, 33, C0, 38, 46, 24, ...] PAGE ntkrnlpa.exe!PsReferencePrimaryToken + D 805CED75 26 Bytes [00, 00, 00, 8B, CB, E8, 9F, ...] PAGE ntkrnlpa.exe!PsReferencePrimaryToken + 28 805CED90 44 Bytes [8F, D4, 00, 00, 00, 83, C6, ...] PAGE ntkrnlpa.exe!PsReferencePrimaryToken + 55 805CEDBD 226 Bytes [89, 45, 08, 8D, 51, FC, 8B, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + A2 805CEEA0 28 Bytes [13, 8D, 47, 34, 39, 00, 74, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + BF 805CEEBD 20 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + D4 805CEED2 28 Bytes [00, 08, 8B, 87, 20, 02, 00, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + F3 805CEEF1 105 Bytes [8D, B7, 38, 02, 00, 00, 8B, ...] PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + 15D 805CEF5B 71 Bytes [FF, 83, D4, 00, 00, 00, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!PsImpersonateClient + 2B 805CF0D5 16 Bytes [8D, B3, 48, 02, 00, 00, F6, ...] PAGE ntkrnlpa.exe!PsImpersonateClient + 3C 805CF0E6 5 Bytes [00, 64, A1, 24, 01] PAGE ntkrnlpa.exe!PsImpersonateClient + 42 805CF0EC 71 Bytes [00, 8B, F8, FF, 8F, D4, 00, ...] PAGE ntkrnlpa.exe!PsImpersonateClient + 8A 805CF134 30 Bytes CALL 8060C54F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsImpersonateClient + A9 805CF153 22 Bytes JMP 805CF345 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsDisableImpersonation + 68 805CF3D4 25 Bytes [8B, 43, 08, 89, 47, 08, 8A, ...] PAGE ntkrnlpa.exe!PsDisableImpersonation + 82 805CF3EE 22 Bytes [FC, 8B, 4D, 0C, 6A, 02, 33, ...] PAGE ntkrnlpa.exe!PsDisableImpersonation + 99 805CF405 145 Bytes [FF, 86, D4, 00, 00, 00, 75, ...] PAGE ntkrnlpa.exe!PsRevertToSelf + 1F 805CF497 56 Bytes [0F, B1, 0F, 85, C0, 74, 07, ...] PAGE ntkrnlpa.exe!PsRevertToSelf + 58 805CF4D0 19 Bytes CALL 8060C550 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsRevertToSelf + 6C 805CF4E4 7 Bytes [74, 0C, B1, 01, C6, 46, 49] PAGE ntkrnlpa.exe!PsRevertToSelf + 74 805CF4EC 53 Bytes [FF, 15, 0C, 81, 4D, 80, 85, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 1A 805CF522 82 Bytes [00, 00, 8B, F8, FF, 8F, D4, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 6D 805CF575 2 Bytes [87, D4] {XCHG ESP, EDX} PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 71 805CF579 53 Bytes [00, 75, 13, 8D, 47, 34, 39, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + A7 805CF5AF 73 Bytes [08, 85, F6, 74, 3C, 57, 56, ...] PAGE ntkrnlpa.exe!PsRevertThreadToSelf + F1 805CF5F9 12 Bytes CALL 805C5DF4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 4A 805CF75A 3 Bytes CALL 805BB483 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 4E 805CF75E 35 Bytes [3B, C3, 0F, 8C, D0, 00, 00, ...] PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 72 805CF782 1 Byte [00] PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 72 805CF782 8 Bytes [00, 00, 00, 56, E8, A3, 8A, ...] PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 7B 805CF78B 22 Bytes [50, 53, 53, 56, 8B, 7D, 08, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 1A 805CFC34 74 Bytes [8B, F0, 85, F6, 74, 1F, 56, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 65 805CFC7F 49 Bytes [49, D0, 03, 00, 56, E8, 2B, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 97 805CFCB1 14 Bytes [84, C0, 75, 1F, 83, C3, 04, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + A6 805CFCC0 9 Bytes [BF, 0D, 00, 00, C0, 56, E8, ...] PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + B0 805CFCCA 16 Bytes [00, 8B, C7, 5F, 5E, 5B, 5D, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 12 805CFCFC 20 Bytes [8B, D8, 3B, DF, 75, 07, B8, ...] PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 27 805CFD11 23 Bytes CALL 8060CAFC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 3F 805CFD29 38 Bytes [CB, 02, 02, 00, B8, 9A, 00, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 2 805CFD50 34 Bytes [55, 8B, EC, 53, 56, 57, 33, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 25 805CFD73 9 Bytes [0D, 56, 6A, 00, 57, E8, 81, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 2F 805CFD7D 116 Bytes [84, C0, 75, 1C, 56, 57, E8, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + A4 805CFDF2 18 Bytes [F6, 86, 48, 02, 00, 00, 03, ...] PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + B7 805CFE05 92 Bytes [08, 74, 04, C6, 45, E7, 01, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 4 805CFF92 34 Bytes [EC, 53, 57, 33, FF, 57, FF, ...] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 27 805CFFB5 6 Bytes [53, 56, E8, 42, CB, 03] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 2E 805CFFBC 1 Byte [84] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 2E 805CFFBC 32 Bytes [84, C0, 75, 1D, 83, C7, 04, ...] PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 4F 805CFFDD 49 Bytes [33, C9, B8, C8, 39, 56, 80, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 15 805D000F 43 Bytes [8B, F0, 85, F6, 74, 1F, 56, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 41 805D003B 18 Bytes [72, CC, B8, 7A, 00, 00, C0, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 54 805D004E 53 Bytes [83, C9, FF, F0, 0F, C1, 08, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 8A 805D0084 28 Bytes [74, 38, 53, 56, 57, 6A, 08, ...] PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + A7 805D00A1 38 Bytes [03, 00, FF, 75, 10, FF, 75, ...] PAGE ... PAGE ntkrnlpa.exe!ZwCreateThread + C 805D0FDE 25 Bytes [83, 65, FC, 00, 64, A1, 24, ...] PAGE ntkrnlpa.exe!ZwCreateThread + 26 805D0FF8 16 Bytes [A1, 34, 21, 56, 80, 8B, 4D, ...] PAGE ntkrnlpa.exe!ZwCreateThread + 38 805D100A 24 Bytes [8B, 01, 89, 01, 8B, 5D, 18, ...] PAGE ntkrnlpa.exe!ZwCreateThread + 51 805D1023 96 Bytes [00, F6, C3, 03, 74, 05, E8, ...] PAGE ntkrnlpa.exe!ZwCreateThread + B2 805D1084 52 Bytes [C0, EB, 63, 8B, 5D, 20, 8B, ...] PAGE ... PAGE ntkrnlpa.exe!PsCreateSystemThread + 37 805D112F 11 Bytes [CC, CC, CC, CC, CC, 6A, 0C, ...] PAGE ntkrnlpa.exe!ZwCreateProcessEx + 7 805D113B 88 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwCreateProcessEx + 60 805D1194 21 Bytes [75, 20, FF, 75, 1C, FF, 75, ...] PAGE ntkrnlpa.exe!ZwCreateProcessEx + 76 805D11AA 5 Bytes [FF, EB, 05, B8, 0D] PAGE ntkrnlpa.exe!ZwCreateProcessEx + 7D 805D11B1 182 Bytes CALL 8053BBDA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwQueueApcThread + 38 805D1268 2 Bytes [45, 08] PAGE ntkrnlpa.exe!ZwQueueApcThread + 3B 805D126B 95 Bytes [DB, F6, 80, 48, 02, 00, 00, ...] PAGE ntkrnlpa.exe!ZwQueueApcThread + 9C 805D12CC 11 Bytes [C0, 5F, 8B, 4D, 08, E8, C4, ...] PAGE ntkrnlpa.exe!ZwQueueApcThread + A8 805D12D8 104 Bytes [C3, 5B, C9, C2, 14, 00, CC, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 5D 805D1341 16 Bytes [8B, 95, C8, FC, FF, FF, A1, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 6E 805D1352 36 Bytes [8B, 0A, 89, 8D, B0, FC, FF, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 93 805D1377 116 Bytes [CC, 00, 00, 00, 83, 4D, FC, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 108 805D13EC 33 Bytes [00, 8A, 8D, CF, FC, FF, FF, ...] PAGE ntkrnlpa.exe!PsGetContextThread + 12A 805D140E 56 Bytes [FF, 33, C0, 40, C3, 8B, 85, ...] PAGE ... PAGE ntkrnlpa.exe!ZwGetContextThread + A 805D14EE 27 Bytes [01, 00, 00, 8A, 80, 40, 01, ...] PAGE ntkrnlpa.exe!ZwGetContextThread + 26 805D150A 173 Bytes CALL 805BB47E \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetContextThread + 68 805D15B8 26 Bytes [CA, B8, 20, 00, 01, 00, 23, ...] PAGE ntkrnlpa.exe!PsSetContextThread + 83 805D15D3 16 Bytes [FF, 8B, F3, 8D, BD, 14, FD, ...] PAGE ntkrnlpa.exe!PsSetContextThread + 94 805D15E4 43 Bytes [C8, 83, E1, 03, F3, A4, 83, ...] PAGE ntkrnlpa.exe!PsSetContextThread + C0 805D1610 10 Bytes [89, 85, 0C, FD, FF, FF, 89, ...] PAGE ntkrnlpa.exe!PsSetContextThread + CB 805D161B 21 Bytes [FF, 8A, 45, 10, 88, 85, 00, ...] PAGE ... PAGE ntkrnlpa.exe!ZwSetContextThread + 2F 805D1723 24 Bytes [8B, F0, 85, F6, 7C, 2A, 57, ...] PAGE ntkrnlpa.exe!ZwSetContextThread + 48 805D173C 76 Bytes CALL 805D154F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsGetProcessExitProcessCalled + D 805D1789 59 Bytes CALL DD5E3B90 PAGE ntkrnlpa.exe!PsSetJobUIRestrictionsClass + 11 805D17C5 3 Bytes [5D, C2, 08] PAGE ntkrnlpa.exe!PsSetJobUIRestrictionsClass + 15 805D17C9 5 Bytes [CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } PAGE ntkrnlpa.exe!PsSetProcessPriorityClass + 1 805D17CF 2 Bytes [FF, 55] PAGE ntkrnlpa.exe!PsSetProcessPriorityClass + 4 805D17D2 49 Bytes [EC, 8A, 45, 0C, 8B, 4D, 08, ...] PAGE ntkrnlpa.exe!PsSetThreadWin32Thread + 2 805D1804 82 Bytes [55, 8B, EC, 8B, 45, 0C, 85, ...] PAGE ntkrnlpa.exe!PsSetProcessSecurityPort + 9 805D1857 140 Bytes [4D, 08, 89, 81, 98, 01, 00, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 2 805D18E4 16 Bytes [55, 8B, EC, 51, 83, 65, FC, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 13 805D18F5 70 Bytes [8B, 7D, 08, 8B, F0, FF, 8E, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 5A 805D193C 12 Bytes [C0, EB, 19, 81, C7, 30, 01, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 67 805D1949 62 Bytes [10, 75, 05, 83, 27, 00, EB, ...] PAGE ntkrnlpa.exe!PsSetProcessWin32Process + A6 805D1988 9 Bytes [8B, 45, FC, 5F, 5E, 5B, C9, ...] PAGE ... PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + D 805D19A5 47 Bytes [B8, D0, 00, 00, 00, 5D, C2, ...] PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 3D 805D19D5 23 Bytes CALL 805D7ABA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 55 805D19ED 3 Bytes CALL 805264CB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 59 805D19F1 238 Bytes CALL 805D78CB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 148 805D1AE0 34 Bytes [08, 00, 00, 00, 56, E8, E0, ...] PAGE ... PAGE ntkrnlpa.exe!PsGetProcessExitTime + 66 805D1F80 6 Bytes [EC, 83, EC, 0C, 83, 4D] PAGE ntkrnlpa.exe!PsGetProcessExitTime + 6D 805D1F87 31 Bytes [FF, 53, 56, 57, 33, FF, C7, ...] PAGE ntkrnlpa.exe!PsGetProcessExitTime + 8E 805D1FA8 49 Bytes [74, 11, F6, 86, 48, 02, 00, ...] PAGE ntkrnlpa.exe!PsGetProcessExitTime + C1 805D1FDB 1 Byte [8D] PAGE ntkrnlpa.exe!PsGetProcessExitTime + C1 805D1FDB 164 Bytes [8D, 45, F4, 50, 57, 57, 57, ...] PAGE ... PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 2 805D273A 142 Bytes [55, 8B, EC, 51, 56, 64, A1, ...] PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 91 805D27C9 3 Bytes CALL 805D206B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 95 805D27CD 21 Bytes [5D, C2, 14, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + AB 805D27E3 12 Bytes [FF, 75, 08, 8B, 7D, 0C, 6A, ...] PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + B8 805D27F0 4 Bytes [68, F8, FF, 5E] PAGE ... PAGE ntkrnlpa.exe!ZwTerminateProcess + 2 805D2984 5 Bytes [55, 8B, EC, 83, EC] PAGE ntkrnlpa.exe!ZwTerminateProcess + 8 805D298A 31 Bytes [53, 56, 57, 64, A1, 24, 01, ...] PAGE ntkrnlpa.exe!ZwTerminateProcess + 28 805D29AA 30 Bytes [FF, C6, 45, FF, 00, 8A, 87, ...] PAGE ntkrnlpa.exe!ZwTerminateProcess + 47 805D29C9 20 Bytes CALL 805BB47F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwTerminateProcess + 5C 805D29DE 4 Bytes [8D, 86, 48, 02] PAGE ... PAGE ntkrnlpa.exe!ZwTerminateThread + 21 805D2B9D 6 Bytes [01, 75, 43, B8, DB, 00] PAGE ntkrnlpa.exe!ZwTerminateThread + 28 805D2BA4 62 Bytes [C0, EB, 5B, 83, 7D, 08, FE, ...] PAGE ntkrnlpa.exe!ZwTerminateThread + 67 805D2BE3 18 Bytes CALL 805D2856 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwTerminateThread + 7A 805D2BF6 1 Byte [FF] PAGE ntkrnlpa.exe!ZwTerminateThread + 7A 805D2BF6 51 Bytes [FF, 8B, CB, 8B, F8, E8, 9A, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 1C 805D2C2A 7 Bytes [75, 08, 50, E8, 28, FC, FF] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 24 805D2C32 20 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 39 805D2C47 96 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + 9A 805D2CA8 60 Bytes [00, 3B, 35, B4, 39, 56, 80, ...] PAGE ntkrnlpa.exe!PsTerminateSystemThread + D7 805D2CE5 6 Bytes CALL 805264C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 4B 805D3051 13 Bytes [86, D4, 00, 00, 00, 75, 13, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 59 805D305F 16 Bytes [B1, 01, C6, 46, 49, 01, FF, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 6A 805D3070 36 Bytes [00, C0, 74, 3F, 80, 3F, 06, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 8F 805D3095 11 Bytes [45, 0C, 85, C0, 74, 0D, 8B, ...] PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 9B 805D30A1 57 Bytes CALL 805264C8 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 19 805D30DB 61 Bytes [35, C0, 39, 56, 80, E8, A7, ...] PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 57 805D3119 4 Bytes [35, C0, 39, 56] PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 5C 805D311E 62 Bytes CALL 8060D8A4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + F 805D315D 1 Byte [08] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + F 805D315D 9 Bytes [08, 8B, F0, FF, 8E, D4, 00, ...] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 19 805D3167 71 Bytes [35, C0, 39, 56, 80, E8, 1B, ...] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 61 805D31AF 5 Bytes [5F, FF, 86, D4, 00] PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 68 805D31B6 6 Bytes [75, 13, 8D, 46, 34, 39] PAGE ... PAGE ntkrnlpa.exe!ZwSetLdtEntries + B 805D38AF 33 Bytes [CC, CC, CC, CC, CC, 6A, 34, ...] PAGE ntkrnlpa.exe!ZwSetLdtEntries + 2D 805D38D1 30 Bytes [7D, 0C, 10, 73, 0A, B8, 04, ...] PAGE ntkrnlpa.exe!ZwSetLdtEntries + 4C 805D38F0 11 Bytes [D8, 89, 5D, D8, 85, DB, 75, ...] PAGE ntkrnlpa.exe!ZwSetLdtEntries + 58 805D38FC 28 Bytes JMP 805D3B84 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSetLdtEntries + 75 805D3919 16 Bytes [E1, 03, F3, A4, 83, 4D, FC, ...] PAGE ... PAGE ntkrnlpa.exe!ZwSuspendThread + 7 805D489B 1 Byte [E8] PAGE ntkrnlpa.exe!ZwSuspendThread + 7 805D489B 43 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSuspendThread + 33 805D48C7 147 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...] PAGE ntkrnlpa.exe!ZwResumeThread + 1 805D495B 5 Bytes [20, 68, 18, AA, 4D] {AND [EAX+0x18], CH; STOSB ; DEC EBP} PAGE ntkrnlpa.exe!ZwResumeThread + 7 805D4961 249 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSuspendProcess + 3A 805D4A5C 21 Bytes CALL 805D4841 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwSuspendProcess + 50 805D4A72 7 Bytes [00, CC, CC, CC, CC, CC, 8B] PAGE ntkrnlpa.exe!ZwResumeProcess + 2 805D4A7A 54 Bytes [55, 8B, EC, 51, 56, 64, A1, ...] PAGE ntkrnlpa.exe!ZwResumeProcess + 3A 805D4AB2 28 Bytes CALL 805D46F3 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertThread + 1 805D4ACF 9 Bytes [FF, 55, 8B, EC, 51, 64, A1, ...] PAGE ntkrnlpa.exe!ZwAlertThread + B 805D4AD9 29 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] PAGE ntkrnlpa.exe!ZwAlertThread + 29 805D4AF7 28 Bytes CALL 805BB482 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertThread + 47 805D4B15 59 Bytes [C9, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!ZwAlertResumeThread + 33 805D4B51 31 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...] PAGE ntkrnlpa.exe!ZwAlertResumeThread + 53 805D4B71 29 Bytes CALL 805BB481 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertResumeThread + 71 805D4B8F 35 Bytes [FC, 01, 00, 00, 00, 3B, F3, ...] PAGE ntkrnlpa.exe!ZwAlertResumeThread + 95 805D4BB3 4 Bytes CALL 8059993B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAlertResumeThread + 9A 805D4BB8 132 Bytes [45, DC, EB, 18, 8B, 45, EC, ...] PAGE ntkrnlpa.exe!ZwTestAlert + 5B 805D4C3D 18 Bytes [00, 00, 10, 53, 74, 60, 64, ...] PAGE ntkrnlpa.exe!ZwTestAlert + 6F 805D4C51 54 Bytes [6A, 02, 8D, 4E, 6C, 5A, 33, ...] PAGE ntkrnlpa.exe!ZwTestAlert + A6 805D4C88 26 Bytes [FF, 83, D4, 00, 00, 00, 75, ...] PAGE ntkrnlpa.exe!ZwTestAlert + C1 805D4CA3 40 Bytes [F6, 87, 98, 00, 00, 00, 01, ...] PAGE ntkrnlpa.exe!ZwTestAlert + EB 805D4CCD 93 Bytes [00, 01, 74, 0E, 8B, 87, 38, ...] PAGE ... PAGE ntkrnlpa.exe!ZwIsProcessInJob + 11 805D51B3 51 Bytes [00, 6A, 00, 88, 45, FC, 8D, ...] PAGE ntkrnlpa.exe!ZwIsProcessInJob + 46 805D51E8 49 Bytes [8B, 87, 34, 01, 00, 00, 85, ...] PAGE ntkrnlpa.exe!ZwIsProcessInJob + 78 805D521A 17 Bytes [6A, 00, 8D, 45, FC, 50, FF, ...] {PUSH 0x0; LEA EAX, [EBP-0x4]; PUSH EAX; PUSH DWORD [EBP-0x4]; PUSH DWORD [0x80563940]; PUSH 0x4} PAGE ntkrnlpa.exe!ZwIsProcessInJob + 8A 805D522C 34 Bytes CALL 805BB480 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwIsProcessInJob + AD 805D524F 40 Bytes [75, 13, 8B, 75, 08, 8B, CE, ...] PAGE ... PAGE ntkrnlpa.exe!ZwCreateJobSet + 5A 805D5338 6 Bytes [00, 8A, 80, 40, 01, 00] {ADD [EDX+0x14080], CL} PAGE ntkrnlpa.exe!ZwCreateJobSet + 61 805D533F 48 Bytes [88, 45, D8, 89, 5D, FC, 3C, ...] PAGE ntkrnlpa.exe!ZwCreateJobSet + 92 805D5370 64 Bytes [CE, 8B, 75, 0C, 8B, C1, C1, ...] PAGE ntkrnlpa.exe!ZwCreateJobSet + D3 805D53B1 114 Bytes [35, 40, 39, 56, 80, 6A, 04, ...] PAGE ntkrnlpa.exe!ZwCreateJobSet + 148 805D5426 109 Bytes [75, 40, 3B, DE, 74, 21, 3B, ...] PAGE ... PAGE ntkrnlpa.exe!ZwCreateJobObject + 11 805D55B7 38 Bytes [00, 89, 45, D8, 8A, 80, 40, ...] PAGE ntkrnlpa.exe!ZwCreateJobObject + 38 805D55DE 32 Bytes [01, 89, 19, 83, 4D, FC, FF, ...] PAGE ntkrnlpa.exe!ZwCreateJobObject + 59 805D55FF 86 Bytes CALL 805C135F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwCreateJobObject + B0 805D5656 55 Bytes [01, 00, 00, 01, C6, 86, 5A, ...] PAGE ntkrnlpa.exe!ZwCreateJobObject + E8 805D568E 23 Bytes CALL 80535705 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwOpenJobObject + 3A 805D5766 108 Bytes [EB, 16, 8B, 45, EC, 8B, 00, ...] PAGE ntkrnlpa.exe!ZwOpenJobObject + A7 805D57D3 22 Bytes [FF, 55, 8B, EC, 83, EC, 20, ...] PAGE ntkrnlpa.exe!ZwOpenJobObject + BE 805D57EA 54 Bytes [8B, D8, FF, 8B, D4, 00, 00, ...] PAGE ntkrnlpa.exe!ZwOpenJobObject + F6 805D5822 4 Bytes [F6, 86, 98, 00] PAGE ntkrnlpa.exe!ZwOpenJobObject + FC 805D5828 38 Bytes [08, 8B, 86, 80, 00, 00, 00, ...] PAGE ... PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 4 805D5C02 30 Bytes [00, 68, 98, AA, 4D, 80, E8, ...] PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 23 805D5C21 13 Bytes [4D, 0C, 83, F9, 0B, 0F, 8D, ...] {DEC EBP; OR AL, 0x83; STC ; OR ECX, [EDI]; LEA EAX, [EBP+0x3b000008]; RETF } PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 31 805D5C2F 64 Bytes [8E, 7D, 08, 00, 00, 8B, 04, ...] PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 72 805D5C70 12 Bytes [88, 85, 20, FF, FF, FF, 84, ...] PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 7F 805D5C7D 27 Bytes [52, 57, 8B, 7D, 10, 57, E8, ...] PAGE ... PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 66 805D6648 48 Bytes [00, 0D, 01, 01, 00, 00, 50, ...] PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 97 805D6679 25 Bytes [8D, 87, CC, 00, 00, 00, 53, ...] PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + B3 805D6695 28 Bytes CALL 805CED64 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + D0 805D66B2 122 Bytes CALL 805C5EA9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 14B 805D672D 46 Bytes CALL 80526697 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 3D 805D6949 46 Bytes [8D, BD, 7C, FF, FF, FF, AB, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 6D 805D6979 16 Bytes [8B, 04, 9D, C0, F0, 67, 80, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 7E 805D698A 44 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + AB 805D69B7 36 Bytes [8B, 45, 14, 03, C6, 3B, C6, ...] PAGE ntkrnlpa.exe!ZwSetInformationJobObject + D1 805D69DD 4 Bytes JMP 805D7491 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwTerminateJobObject + 17 805D74B7 58 Bytes [88, 45, FC, 8D, 45, 08, 50, ...] PAGE ntkrnlpa.exe!ZwTerminateJobObject + 52 805D74F2 197 Bytes CALL 805D656A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!ZwTerminateJobObject + 118 805D75B8 28 Bytes [8D, 9F, 44, 02, 00, 00, 8B, ...] PAGE ntkrnlpa.exe!ZwTerminateJobObject + 136 805D75D6 33 Bytes [00, 02, 74, 6A, 3B, 96, 8C, ...] PAGE ntkrnlpa.exe!ZwTerminateJobObject + 158 805D75F8 14 Bytes CALL 805D2AFA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!ZwImpersonateThread + 43 805D77E5 55 Bytes [00, A1, 34, 21, 56, 80, 3B, ...] PAGE ntkrnlpa.exe!ZwImpersonateThread + 7B 805D781D 40 Bytes [85, C0, 0F, 8C, 91, 00, 00, ...] PAGE ntkrnlpa.exe!ZwImpersonateThread + A4 805D7846 35 Bytes [F0, EB, 47, 8D, 45, A8, 50, ...] PAGE ntkrnlpa.exe!ZwImpersonateThread + C8 805D786A 114 Bytes [F2, 01, 00, 8B, F0, FF, 75, ...] PAGE ntkrnlpa.exe!IoDeleteController + 11 805D78DD 44 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!IoDeleteController + 3F 805D790B 55 Bytes CALL 8052665B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!IoDeleteController + 77 805D7943 47 Bytes [65, FC, 00, 53, 56, 57, 64, ...] PAGE ntkrnlpa.exe!IoDeleteController + A7 805D7973 31 Bytes CALL 8052665B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!IoDeleteController + C7 805D7993 47 Bytes [B1, 01, C6, 46, 49, 01, FF, ...] PAGE ... PAGE ntkrnlpa.exe!LdrEnumResources + A 805D8B4E 52 Bytes [33, FF, 39, 7D, 18, 89, 7D, ...] PAGE ntkrnlpa.exe!LdrEnumResources + 40 805D8B84 44 Bytes JMP 805D8D7B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!LdrEnumResources + 6D 805D8BB1 12 Bytes [00, 83, 7D, 10, 00, 76, 14, ...] {ADD [EBX+0x7600107d], AL; ADC AL, 0x8b; INC EBP; OR AL, 0x53; PUSH ESI} PAGE ntkrnlpa.exe!LdrEnumResources + 7A 805D8BBE 47 Bytes CALL 805D87B3 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!LdrEnumResources + AA 805D8BEE 46 Bytes [FF, FF, 7F, 23, CB, 03, CE, ...] PAGE ... PAGE ntkrnlpa.exe!LdrFindResource_U + 14 805D8DB2 3 Bytes CALL 805D8825 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!LdrFindResource_U + 18 805D8DB6 2 Bytes [5D, C2] PAGE ntkrnlpa.exe!LdrFindResource_U + 1B 805D8DB9 7 Bytes [00, CC, CC, CC, CC, CC, CC] {ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 1 805D8DC1 21 Bytes [FF, 55, 8B, EC, FF, 75, 14, ...] PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 17 805D8DD7 4 Bytes [FF, 5D, C2, 10] PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 1C 805D8DDC 24 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 13 805D8DF5 5 Bytes [00, 0F, 85, D2, 01] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 1B 805D8DFD 210 Bytes [5D, 18, 3B, FB, 73, 02, 8B, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + EE 805D8ED0 203 Bytes [34, 71, 66, 89, 70, 26, 0F, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 1BA 805D8F9C 126 Bytes [34, 71, 66, 89, 70, 04, 0F, ...] PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 239 805D901B 59 Bytes [35, 04, C5, 67, 80, 66, 8B, ...] PAGE ... PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 69 805D9139 7 Bytes [59, 1A, 0F, B6, 58, 0C, 66] {POP ECX; SBB CL, [EDI]; MOV DH, 0x58; OR AL, 0x66} PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 71 805D9141 95 Bytes [1C, 5A, 66, 89, 59, 18, 0F, ...] PAGE ntkrnlpa.exe!RtlOemToUnicodeN + D1 805D91A1 15 Bytes [1C, 5A, 66, 89, 59, 08, 0F, ...] PAGE ntkrnlpa.exe!RtlOemToUnicodeN + E1 805D91B1 183 Bytes [59, 06, 0F, B6, 58, 02, 66, ...] PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 199 805D9269 282 Bytes [18, 5F, 1B, C0, 5E, 25, 05, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 22 805D9384 1 Byte [D6] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 22 805D9384 222 Bytes [D6, 8B, 45, 10, 85, C0, 74, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 101 805D9463 78 Bytes [FF, FF, EB, 4E, 85, F6, 8B, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 150 805D94B2 11 Bytes [08, 89, 01, 5F, 5E, 33, C0, ...] PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 15C 805D94BE 19 Bytes [5A, 94, 5D, 80, 50, 94, 5D, ...] {POP EDX; XCHG ESP, EAX; POP EBP; ADC BYTE [EAX-0x6c], 0x5d; ADD BYTE [ESI-0x6c], 0x5d; CMP BYTE [ESP+EDX*4], 0x5d; XOR BYTE [EDX], 0x94; POP EBP} PAGE ... PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 29 805D952D 48 Bytes [45, 10, 85, C0, 89, 4D, 0C, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 5A 805D955E 217 Bytes [01, 8B, 15, 04, C5, 67, 80, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 134 805D9638 69 Bytes [B7, 4F, E4, 0F, B6, 0C, 01, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 17A 805D967E 45 Bytes [83, E3, 0F, 03, F3, 0F, B7, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 1A8 805D96AC 33 Bytes [C5, 67, 80, 0F, B7, 0C, 4A, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 11 805D9D61 19 Bytes [56, 57, 89, 55, 18, 0F, 85, ...] {PUSH ESI; PUSH EDI; MOV [EBP+0x18], EDX; JNZ 0xf7; CMP EDX, [EBP+0xc]; JB 0x13; MOV EDX, [EBP+0xc]} PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 25 805D9D75 38 Bytes [45, 10, 85, C0, 74, 02, 89, ...] PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 4C 805D9D9C 18 Bytes [0F, 77, 07, FF, 24, BD, BD, ...] PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 5F 805D9DAF 65 Bytes [20, 83, C1, 10, 88, 59, FF, ...] PAGE ntkrnlpa.exe!RtlUnicodeToOemN + A1 805D9DF1 79 Bytes [B7, 58, 0C, 8A, 1C, 33, 88, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 29 805D9F2B 9 Bytes [45, 10, 85, C0, 89, 4D, FC, ...] {INC EBP; ADC [EBP-0x3b27640], AL; JZ 0xb} PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 33 805D9F35 32 Bytes [08, 8B, 55, 14, A1, 20, C7, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 54 805D9F56 67 Bytes [0F, B7, 0F, 0F, B6, 0C, 01, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 98 805D9F9A 161 Bytes [B7, D6, 8B, FA, C1, EF, 08, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 13A 805DA03C 17 Bytes [01, 8B, 15, 1C, C7, 67, 80, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 4 805DA840 88 Bytes [EC, 53, 8B, 5D, 08, 56, 57, ...] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 5D 805DA899 45 Bytes [0F, B6, 58, 0D, 66, 8B, 1C, ...] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 8B 805DA8C7 83 Bytes [59, 14, 0F, B6, 58, 09, 66, ...] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + DF 805DA91B 7 Bytes [59, 06, 0F, B6, 58, 02, 66] PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + E7 805DA923 187 Bytes [1C, 5A, 66, 89, 59, 04, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 49 805DAA69 26 Bytes [FF, 0F, 77, 07, FF, 24, BD, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 64 805DAA84 54 Bytes [0F, B7, 18, 8A, 1C, 33, 88, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 9B 805DAABB 53 Bytes [88, 59, 05, 0F, B7, 58, 0C, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + D1 805DAAF1 63 Bytes [B7, 58, 16, 8A, 1C, 33, 88, ...] PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 111 805DAB31 8 Bytes [74, 38, 83, 7D, 10, 00, 74, ...] {JZ 0x3a; CMP DWORD [EBP+0x10], 0x0; JZ 0x3a} PAGE ... PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 2 805DABD2 40 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 2C 805DABFC 54 Bytes [14, 85, C0, 89, 55, 08, 74, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 63 805DAC33 45 Bytes [45, 0C, 10, 83, C1, 20, 66, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 91 |
GMER Teil 2: 805DAC61 3 Bytes [DF, C1, EB] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 95 805DAC65 417 Bytes [0F, B7, 1C, 5A, 89, 7D, 18, ...] PAGE ... PAGE ntkrnlpa.exe!RtlInitCodePageTable + 61 805DB4A1 63 Bytes [33, F6, 66, 39, 32, 74, 08, ...] PAGE ntkrnlpa.exe!RtlInitCodePageTable + A1 805DB4E1 56 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!RtlInitCodePageTable + DA 805DB51A 8 Bytes [14, 8D, 46, 2C, 50, FF, 75, ...] {ADC AL, 0x8d; INC ESI; SUB AL, 0x50; PUSH DWORD [EBP+0x8]} PAGE ntkrnlpa.exe!RtlInitCodePageTable + E3 805DB523 34 Bytes [19, FF, FF, FF, 56, FF, 75, ...] PAGE ntkrnlpa.exe!RtlInitCodePageTable + 106 805DB546 105 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...] PAGE ... PAGE ntkrnlpa.exe!RtlGetDefaultCodePage + 26 805DB672 14 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...] PAGE ntkrnlpa.exe!PfxInitialize + D 805DB681 118 Bytes [66, C7, 00, 00, 02, 89, 40, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 66 805DB6F8 35 Bytes [01, 02, 89, 41, 04, 8B, 4E, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 8A 805DB71C 138 Bytes [57, 8B, 7D, 08, 0F, B7, 17, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 115 805DB7A7 169 Bytes [D8, 0F, B7, D1, 89, 5D, F0, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 1BF 805DB851 25 Bytes [F8, 72, E1, 8B, 7D, 0C, 39, ...] PAGE ntkrnlpa.exe!PfxRemovePrefix + 1D9 805DB86B 1 Byte [85] PAGE ... PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 2 805DB8DC 20 Bytes [55, 8B, EC, 8B, 45, 08, 66, ...] PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 17 805DB8F1 46 Bytes [40, 04, 5D, C2, 04, 00, CC, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 25 805DB921 142 Bytes [7E, 23, 81, F9, 03, 08, 00, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B4 805DB9B0 2 Bytes [19, EB] {SBB EBX, EBP} PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B7 805DB9B3 57 Bytes [83, C0, 0C, 8B, F0, EB, 02, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + F1 805DB9ED 20 Bytes [83, C0, F4, EB, 03, 8B, 49, ...] PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 106 805DBA02 113 Bytes [8B, 4E, 04, 89, 48, 04, 83, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 58 805DBA74 45 Bytes [F7, EB, 18, 8B, 46, 04, 66, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 86 805DBAA2 212 Bytes [55, 8B, EC, 8B, 55, 08, 0F, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 15B 805DBB77 45 Bytes [00, 00, A1, F0, C2, 67, 80, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 189 805DBBA5 240 Bytes [75, 10, EB, 3A, 66, 83, 7D, ...] PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 27A 805DBC96 42 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!PfxInsertPrefix + 25 805DBCC1 395 Bytes [83, 66, 08, 00, 89, 36, 8B, ...] PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 2D 805DBE4D 109 Bytes [59, 04, 89, 4D, FC, EB, 06, ...] PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 9B 805DBEBB 19 Bytes [83, F8, 02, 75, C4, 8B, 7D, ...] {CMP EAX, 0x2; JNZ 0xffffffffffffffc9; MOV EDI, [EBP+0x10]; MOV [EBP+0x8], EDI; MOV EAX, [EBP+0x8]; PUSH -0x1; PUSH DWORD [EBP+0xc]} PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + AF 805DBECF 107 Bytes CALL 805DBACA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 11B 805DBF3B 19 Bytes CALL 8052D134 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 12F 805DBF4F 47 Bytes [70, 04, B0, 01, 5F, 5E, 5B, ...] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 1F 805DBF7F 29 Bytes [76, 04, 66, 39, 46, 02, 7F, ...] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 3D 805DBF9D 4 Bytes [FF, 83, F8, 03] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 1 Byte [05] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 39 Bytes [05, 8B, 5B, 04, EB, 07, 85, ...] PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 6A 805DBFCA 25 Bytes [FF, 83, F8, 02, 74, 55, 83, ...] PAGE ... PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 15 805DC1C5 75 Bytes JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 61 805DC211 27 Bytes [00, 00, 8B, 7D, 18, 8B, 5D, ...] PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 7D 805DC22D 65 Bytes [00, 00, 8B, 7D, FC, 3B, 3A, ...] PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + BF 805DC26F 34 Bytes [00, 00, 51, 50, 57, E8, 37, ...] PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + E3 805DC293 105 Bytes CALL 8053A8AC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!RtlAbsoluteToSelfRelativeSD + 11 805DC43B 126 Bytes [00, C0, EB, 0C, FF, 75, 10, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + 66 805DC4BA 4 Bytes [C6, 45, E7, 02] {MOV BYTE [EBP-0x19], 0x2} PAGE ntkrnlpa.exe!RtlCreateAcl + 6B 805DC4BF 10 Bytes [7D, 08, 8A, 07, 3C, 02, 0F, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + 77 805DC4CB 76 Bytes [3C, 04, 0F, 87, E3, 01, 00, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + C4 805DC518 104 Bytes [83, 99, 01, 00, 00, 8D, 48, ...] PAGE ntkrnlpa.exe!RtlCreateAcl + 12D 805DC581 31 Bytes [B6, C0, 8D, 04, 85, 10, 00, ...] PAGE ... PAGE ntkrnlpa.exe!RtlGetAce + 4 805DC6CE 97 Bytes [EC, 8B, 4D, 08, 8A, 01, 3C, ...] PAGE ntkrnlpa.exe!RtlGetAce + 66 805DC730 227 Bytes [00, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlGetAce + 14C 805DC816 60 Bytes [8B, FF, 55, 8B, EC, 56, 8B, ...] PAGE ntkrnlpa.exe!RtlGetAce + 189 805DC853 199 Bytes [3F, 0F, B7, 4E, 04, 8B, 45, ...] PAGE ntkrnlpa.exe!RtlAddAce + 7B 805DC91D 63 Bytes [85, C0, 74, 52, 0F, B7, 4E, ...] PAGE ntkrnlpa.exe!RtlAddAce + BB 805DC95D 24 Bytes [45, 0C, 66, 01, 46, 04, 8A, ...] PAGE ntkrnlpa.exe!RtlAddAce + D4 805DC976 24 Bytes [00, C0, 5F, 5B, 5E, C9, C2, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + B 805DC98F 25 Bytes [17, FB, FF, FF, 84, C0, 74, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + 25 805DC9A9 110 Bytes [FF, 84, C0, 75, 07, B8, 0D, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + 94 805DCA18 31 Bytes [4D, 0C, 83, F9, 04, 0F, 87, ...] PAGE ntkrnlpa.exe!RtlDeleteAce + B4 805DCA38 6 Bytes [02, 75, 05, 25, 3F, FF] PAGE ntkrnlpa.exe!RtlDeleteAce + BB 805DCA3F 51 Bytes [FF, 85, C0, 74, 0A, B8, 0D, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAddAccessAllowedAce + 1D 805DCAFD 40 Bytes [00, CC, CC, CC, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 24 805DCB28 110 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 93 805DCB97 140 Bytes [88, D4, 00, 00, 00, 6A, 02, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 120 805DCC24 47 Bytes [B0, 01, EB, 02, 32, C0, 5D, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 150 805DCC54 76 Bytes [EC, 8B, 45, 0C, 56, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 19D 805DCCA1 18 Bytes [70, 08, 89, 75, F8, E8, 7F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCreateAtomTable + 55 805DCD61 21 Bytes [F3, AA, 56, 89, 5E, 0C, E8, ...] PAGE ntkrnlpa.exe!RtlCreateAtomTable + 6B 805DCD77 96 Bytes [C7, 06, 41, 74, 6F, 6D, 89, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 3A 805DCDD8 35 Bytes [37, 89, 75, D8, 83, 27, 00, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 5E 805DCDFC 58 Bytes [EB, E7, FF, 45, E4, EB, CC, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 99 805DCE37 17 Bytes [89, 45, E0, 83, 4D, FC, FF, ...] PAGE ntkrnlpa.exe!RtlDestroyAtomTable + AB 805DCE49 51 Bytes [CC, CC, CC, CC, CC, 6A, 20, ...] PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 1 Byte [75] PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 10 Bytes [75, E0, 8B, 45, E0, 3B, 43, ...] {JNZ 0xffffffffffffffe2; MOV EAX, [EBP-0x20]; CMP EAX, [EBX+0xc]; JAE 0x4b} PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3A 805DCE88 2 Bytes [7D, E4] {JGE 0xffffffffffffffe6} PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3D 805DCE8B 8 Bytes [7D, D8, 83, 45, E4, 04, 8B, ...] {JGE 0xffffffffffffffda; ADD DWORD [EBP-0x1c], 0x4; MOV ESI, [EDI]} PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 46 805DCE94 22 Bytes [75, D0, 85, F6, 74, 29, 80, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 13 805DD095 42 Bytes [FF, 84, C0, 75, 0A, B8, 0D, ...] PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 3E 805DD0C0 22 Bytes [72, 0C, 89, 7D, E0, C7, 45, ...] PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 55 805DD0D7 28 Bytes [84, 26, 01, 00, 00, 66, 8B, ...] PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 72 805DD0F4 5 Bytes JMP 805DD202 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 78 805DD0FA 26 Bytes [45, DC, 50, 8D, 45, D8, 50, ...] PAGE ... PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 30 805DD24E 3 Bytes CALL 805DCEFD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 34 805DD252 21 Bytes [84, C0, 74, 27, 66, 81, 7D, ...] PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 4A 805DD268 80 Bytes [EB, 03, 89, 7D, E4, 8B, 45, ...] PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 9B 805DD2B9 179 Bytes [89, 7D, E4, 8B, 45, 10, 3B, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 67 805DD36D 3 Bytes [FF, 48, 08] {DEC DWORD [EAX+0x8]} PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 6B 805DD371 59 Bytes [39, 58, 08, 75, 53, 53, 8D, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + A7 805DD3AD 9 Bytes [89, 5D, E4, EB, 17, 8B, 45, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + B2 805DD3B8 39 Bytes [00, 89, 45, D8, 33, C0, 40, ...] PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + DA 805DD3E0 25 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...] PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 14 805DD3FA 38 Bytes [84, C0, 75, 07, B8, 0D, 00, ...] PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 3B 805DD421 10 Bytes [00, 50, FF, 75, 08, E8, 25, ...] {ADD [EAX-0x1], DL; JNZ 0xd; CALL 0xfffffffffffff82f} PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 46 805DD42C 40 Bytes [45, DC, 3B, C7, 74, 35, 66, ...] PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 6F 805DD455 12 Bytes [8B, 00, 89, 45, E0, 33, C0, ...] {MOV EAX, [EAX]; MOV [EBP-0x20], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]} PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 7C 805DD462 31 Bytes [45, E0, 89, 45, E4, 83, 4D, ...] PAGE ... PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 4F 805DD4DB 6 Bytes [85, C0, 75, 0C, C7, 45] PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 56 805DD4E2 22 Bytes JMP 805DD614 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 6D 805DD4F9 14 Bytes [85, FF, 74, 06, C7, 07, 01, ...] PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 7C 805DD508 324 Bytes [0F, 84, 0A, 01, 00, 00, 0F, ...] PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 1C1 805DD64D 199 Bytes CALL 805DCB7A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInitializeRangeList + 33 805DD715 30 Bytes [56, 57, 8B, 7D, 08, 8D, 77, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + 53 805DD735 93 Bytes [00, 8B, 50, 04, 3B, 51, 04, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + B1 805DD793 114 Bytes [55, FC, 85, D2, 75, 16, 8B, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + 124 805DD806 200 Bytes [05, 89, 37, 89, 47, 04, 8B, ...] PAGE ntkrnlpa.exe!RtlInitializeRangeList + 1ED 805DD8CF 23 Bytes [8B, 55, 08, 5F, 5E, 52, 53, ...] PAGE ntkrnlpa.exe!RtlFreeRangeList + 1 805DD8E7 6 Bytes [FF, 55, 8B, EC, 56, 57] {CALL [EBP-0x75]; IN AL, DX ; PUSH ESI; PUSH EDI} PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 1 Byte [7D] PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 7 Bytes [7D, 08, 8B, 0F, 83, 67, 08] PAGE ntkrnlpa.exe!RtlFreeRangeList + 10 805DD8F6 27 Bytes [83, 67, 0C, 00, 83, E9, 1C, ...] PAGE ntkrnlpa.exe!RtlFreeRangeList + 2C 805DD912 40 Bytes [8B, CE, 8D, 46, 1C, 8B, 30, ...] PAGE ntkrnlpa.exe!RtlGetFirstRange + F 805DD93B 164 Bytes [72, 10, 89, 71, 0C, 8B, 32, ...] PAGE ntkrnlpa.exe!RtlGetFirstRange + B4 805DD9E0 111 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlGetNextRange + 6A 805DDA50 176 Bytes [14, 8B, 45, 0C, 89, 59, 08, ...] PAGE ntkrnlpa.exe!RtlGetNextRange + 11B 805DDB01 77 Bytes [01, 89, 43, 04, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + 1B 805DDB4F 53 Bytes [43, 08, 89, 46, 08, 8B, 43, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + 51 805DDB85 14 Bytes [78, 1C, 3B, DF, 75, DA, 33, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + 60 805DDB94 25 Bytes CALL 805DD8E5 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlCopyRangeList + 7A 805DDBAE 121 Bytes [08, 8B, 46, 08, 85, C0, 57, ...] PAGE ntkrnlpa.exe!RtlCopyRangeList + F4 805DDC28 55 Bytes [48, 08, 3B, 4D, 0C, 72, 2F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlFindRange + 12 805DDC9A 25 Bytes [7D, 14, 48, 33, C9, 2B, F8, ...] PAGE ntkrnlpa.exe!RtlFindRange + 2C 805DDCB4 37 Bytes [1B, DA, 8B, 55, 10, 3B, D6, ...] PAGE ntkrnlpa.exe!RtlFindRange + 52 805DDCDA 18 Bytes [F1, 0F, 82, 0C, 01, 00, 00, ...] PAGE ntkrnlpa.exe!RtlFindRange + 65 805DDCED 19 Bytes [00, 00, 8B, 4D, 20, 03, 4D, ...] PAGE ntkrnlpa.exe!RtlFindRange + 79 805DDD01 29 Bytes [00, 77, 09, 3B, 4D, 0C, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2 805DE006 7 Bytes [55, 8B, EC, 83, EC, 10, 8D] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + B 805DE00F 35 Bytes [50, 8D, 45, F0, 50, FF, 75, ...] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2F 805DE033 46 Bytes [45, 1C, FF, 75, 24, 33, C9, ...] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 5E 805DE062 163 Bytes [FF, 8B, 4D, 2C, 88, 01, 33, ...] PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 102 805DE106 69 Bytes [8B, 49, 20, 8B, 39, 8D, 72, ...] PAGE ... PAGE ntkrnlpa.exe!RtlMergeRangeLists + 1 805DE225 2 Bytes [FF, 55] PAGE ntkrnlpa.exe!RtlMergeRangeLists + 4 805DE228 157 Bytes [EC, 51, 53, 56, 57, FF, 75, ...] PAGE ntkrnlpa.exe!RtlMergeRangeLists + A2 805DE2C6 88 Bytes [FF, 85, C0, 74, 25, F6, 46, ...] PAGE ntkrnlpa.exe!RtlAddRange + 1B 805DE31F 123 Bytes [C0, EB, 5B, 56, FF, 75, 28, ...] PAGE ntkrnlpa.exe!RtlDeleteRange + 15 805DE39B 7 Bytes [32, 83, EE, 1C, 3B, DA, C7] PAGE ntkrnlpa.exe!RtlDeleteRange + 1D 805DE3A3 15 Bytes [F8, 8C, 02, 00, C0, 89, 75, ...] {CLC ; MOV WORD [EDX], ES; ADD AL, AL; MOV [EBP-0x4], ESI; JZ 0xf7; PUSH EDI} PAGE ntkrnlpa.exe!RtlDeleteRange + 2D 805DE3B3 1 Byte [03] PAGE ntkrnlpa.exe!RtlDeleteRange + 30 805DE3B6 15 Bytes [FC, 8B, 51, 04, 8B, 7D, 18, ...] PAGE ntkrnlpa.exe!RtlDeleteRange + 40 805DE3C6 119 Bytes [00, 77, 09, 39, 45, 14, 0F, ...] PAGE ... PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 51 805DE509 21 Bytes [CF, 8B, 7F, 1C, EB, C0, 8B, ...] PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 67 805DE51F 51 Bytes [68, 80, 65, 55, 80, 89, 50, ...] PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 9B 805DE553 62 Bytes [FC, 5F, 5E, 5B, C9, C2, 08, ...] PAGE ntkrnlpa.exe!RtlInvertRangeList + 32 805DE592 100 Bytes [6A, 00, 83, C2, FF, 83, D3, ...] PAGE ntkrnlpa.exe!RtlInvertRangeList + 97 805DE5F7 81 Bytes [CC, CC, CC, CC, CC, 6A, 30, ...] PAGE ntkrnlpa.exe!RtlZeroHeap + 4D 805DE649 23 Bytes [8B, 45, D8, 8B, 4D, DC, 8B, ...] PAGE ntkrnlpa.exe!RtlZeroHeap + 65 805DE661 10 Bytes [77, 20, 89, 75, E0, 3B, 77, ...] {JA 0x22; MOV [EBP-0x20], ESI; CMP ESI, [EDI+0x24]; JAE 0x6f} PAGE ntkrnlpa.exe!RtlZeroHeap + 71 805DE66D 142 Bytes [06, C1, E0, 03, 89, 45, C4, ...] PAGE ntkrnlpa.exe!RtlZeroHeap + 101 805DE6FD 38 Bytes CALL 8053BBD9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlZeroHeap + 128 805DE724 85 Bytes [55, 8B, EC, 83, EC, 0C, 56, ...] PAGE ... PAGE ntkrnlpa.exe!RtlDestroyHeap + 16 805DF1A2 91 Bytes JMP 805DF235 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlDestroyHeap + 72 805DF1FE 51 Bytes [00, 8D, 45, 08, 50, 8D, 45, ...] PAGE ntkrnlpa.exe!RtlDestroyHeap + A6 805DF232 52 Bytes [FF, 4E, 75, EE, 5E, 5B, 33, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + 23 805DF267 47 Bytes [0F, B7, 41, F8, 0F, B6, 49, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + 53 805DF297 88 Bytes [65, 6E, 74, 20, 28, 25, 78, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + AC 805DF2F0 38 Bytes [03, 89, 45, F4, 8D, 47, 08, ...] PAGE ntkrnlpa.exe!RtlSizeHeap + D3 805DF317 5 Bytes [8D, 45, 1C, 50, 6A] PAGE ntkrnlpa.exe!RtlSizeHeap + D9 805DF31D 143 Bytes CALL 804FFE90 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntkrnlpa.exe!RtlCreateHeap + 19 805DF985 104 Bytes [89, 45, D8, F6, 45, 0B, 10, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + 82 805DF9EE 15 Bytes [C0, 40, C3, 8B, 65, E8, 8B, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + 92 805DF9FE 85 Bytes [D3, 0F, 8C, AE, 03, 00, 00, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + E8 805DFA54 57 Bytes [89, 45, B4, 53, 6A, 2C, 8D, ...] PAGE ntkrnlpa.exe!RtlCreateHeap + 122 805DFA8E 19 Bytes [76, 07, C7, 45, BC, 00, F0, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAllocateHeap + 45 805E0CE1 50 Bytes [01, 41, 83, C1, 0F, 83, E1, ...] PAGE ntkrnlpa.exe!RtlAllocateHeap + 78 805E0D14 12 Bytes [83, 3B, 02, 00, 00, 8D, 84, ...] {CMP DWORD [EBX], 0x2; ADD [EAX], AL; LEA EAX, [ESI+EDI*8+0x178]} PAGE ntkrnlpa.exe!RtlAllocateHeap + 86 805E0D22 46 Bytes [D4, 39, 00, 0F, 84, DA, 00, ...] PAGE ntkrnlpa.exe!RtlAllocateHeap + B5 805E0D51 65 Bytes [F9, 8B, 4D, A8, 75, 08, 8B, ...] PAGE ntkrnlpa.exe!RtlAllocateHeap + F7 805E0D93 30 Bytes [0F, 8B, 4D, DC, 29, 4E, 28, ...] PAGE ... PAGE ntkrnlpa.exe!RtlFreeHeap + 5C 805E15CC 16 Bytes [00, 80, 7B, 07, 40, 0F, 83, ...] {ADD [EAX+0xf40077b], AL; CMP DWORD [EBX-0x7cffffff], 0x4d; CLD ; PUSH DWORD [EBX]} PAGE ntkrnlpa.exe!RtlFreeHeap + 6D 805E15DD 37 Bytes [40, 89, 45, FC, 84, C8, 75, ...] PAGE ntkrnlpa.exe!RtlFreeHeap + 93 805E1603 152 Bytes [45, E0, 57, 8D, 45, E0, 50, ...] PAGE ntkrnlpa.exe!RtlFreeHeap + 12C 805E169C 82 Bytes [00, 00, 81, F9, 00, FE, 00, ...] PAGE ntkrnlpa.exe!RtlFreeHeap + 17F 805E16EF 23 Bytes [08, 89, 50, 04, 89, 02, 89, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAnsiCharToUnicodeChar + C 805E17B2 76 Bytes [53, 56, 8B, 75, 08, 8B, 06, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 9 805E17FF 26 Bytes [56, 8B, 75, 0C, 66, 8B, 06, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 24 805E181A 30 Bytes [85, C0, 89, 47, 04, 75, 1A, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 43 805E1839 106 Bytes [00, 00, 0F, B7, 16, 6A, 00, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + AE 805E18A4 83 Bytes [B7, C0, 8B, 5F, 04, 66, 89, ...] PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 2E 805E18F8 5 Bytes [00, C0, E9, 93, 00] PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 34 805E18FE 21 Bytes [00, 66, 3B, 47, 02, 76, 0A, ...] PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 4A 805E1914 28 Bytes JMP 08558959 PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 67 805E1931 343 Bytes [77, 08, 0F, B7, C0, 83, C0, ...] PAGE ntkrnlpa.exe!RtlFreeOemString + 9 805E1A89 12 Bytes [40, 04, 85, C0, 74, 07, 50, ...] PAGE ntkrnlpa.exe!RtlFreeOemString + 16 805E1A96 34 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiSize + 19 805E1AB9 13 Bytes [45, 08, 40, 5D, C2, 04, 00, ...] {INC EBP; OR [EAX+0x5d], AL; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 1 805E1AC7 23 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 19 805E1ADF 8 Bytes [45, 08, 83, C0, 02, 5D, C2, ...] PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 22 805E1AE8 45 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 28 805E1B16 7 Bytes [C1, 03, C6, 80, 7D, 10, 00] {ROL DWORD [EBX], 0xc6; CMP BYTE [EBP+0x10], 0x0} PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 30 805E1B1E 23 Bytes [45, FC, 0F, 84, FE, 00, 00, ...] PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 48 805E1B36 283 Bytes [3A, 33, C0, 66, 8B, 06, 46, ...] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 18 805E1C52 32 Bytes [EE, 00, 00, 00, 8B, 71, 04, ...] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 39 805E1C73 3 Bytes [83, B3, 00] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 3E 805E1C78 4 Bytes [A1, F0, C2, 67] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 43 805E1C7D 19 Bytes [66, 8B, 16, 33, C9, 66, 8B, ...] PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 58 805E1C92 63 Bytes [0F, 84, 8A, 00, 00, 00, 66, ...] PAGE ... PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + 5C 805E1DAE 132 Bytes [FA, 61, 73, 05, 0F, B7, D2, ...] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 1 Byte [5D] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 15 Bytes [5D, 0C, FF, 4D, 08, 0F, 85, ...] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + F1 805E1E43 10 Bytes [1B, 85, D2, 74, 15, 8B, C3, ...] PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + FC 805E1E4E 60 Bytes [0F, 66, 8B, 34, 38, 47, 47, ...] PAGE ntkrnlpa.exe!RtlCreateUnicodeString + 1F 805E1E8B 126 Bytes [55, 08, 89, 42, 04, 74, 22, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + 48 805E1F0A 133 Bytes [53, 66, 8B, 16, 46, 46, 66, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + CE 805E1F90 42 Bytes [55, 8B, EC, 83, EC, 64, A1, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + FA 805E1FBC 13 Bytes [FF, 0F, 85, A6, 02, 00, 00, ...] PAGE ntkrnlpa.exe!RtlHashUnicodeString + 108 805E1FCA 34 Bytes CALL 8052BB49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlHashUnicodeString + 12B 805E1FED 43 Bytes [56, 04, 8B, 4D, 08, 33, C0, ...] PAGE ... PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 1F 805E22A1 123 Bytes [8D, 44, 00, 02, 3D, FF, FF, ...] PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 9B 805E231D 110 Bytes CALL C17AAC88 PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + 58 805E238C 90 Bytes [27, B8, 17, 00, 00, C0, EB, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + B3 805E23E7 146 Bytes [46, 04, 8B, 4D, 0C, 88, 1C, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToAnsiString + 7C 805E247A 136 Bytes [FF, 8B, F8, 3B, FB, 7D, 15, ...] PAGE ntkrnlpa.exe!RtlOemStringToUnicodeString + 55 805E2503 206 Bytes [00, C0, EB, 4D, 66, 3B, 4E, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToOemString + 72 805E25D2 65 Bytes [B7, 06, 50, FF, 76, 04, E8, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 4 805E2614 38 Bytes [EC, 80, 3D, 28, C7, 67, 80, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 2B 805E263B 120 Bytes JMP 805E26CD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + A4 805E26B4 36 Bytes [15, 24, FC, 67, 80, 83, 66, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString 805E26DA 25 Bytes [8B, FF, 55, 8B, EC, 53, 33, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 1A 805E26F4 8 Bytes [EB, 07, 0F, B7, 07, 8D, 44, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 23 805E26FD 146 Bytes [83, C0, FE, 3B, C3, 75, 11, ...] PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + B6 805E2790 7 Bytes [CC, CC, CC, CC, CC, CC, 8B] PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + 2 805E2798 9 Bytes [55, 8B, EC, 80, 3D, 28, C7, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + C 805E27A2 196 Bytes [53, 57, 8B, 7D, 0C, 74, 08, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString 805E286A 60 Bytes [8B, FF, 55, 8B, EC, 80, 3D, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 3D 805E28A7 17 Bytes [3D, FF, FF, 00, 00, 76, 07, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 4F 805E28B9 177 Bytes [56, 8B, 75, 08, 66, 89, 06, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 101 805E296B 95 Bytes [3C, 50, 2E, 74, 07, 42, 3B, ...] PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 161 805E29CB 60 Bytes [C0, EB, 13, FF, 75, 10, 8D, ...] PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 1 Byte [00] PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 7 Bytes [00, 00, 83, F0, 20, E9, F6] PAGE ntkrnlpa.exe!RtlUpperChar + 1E 805E2A12 5 Bytes [80, 3D, 10, C5, 67] PAGE ntkrnlpa.exe!RtlUpperChar + 24 805E2A18 10 Bytes [00, 56, 57, 75, 67, 8B, 0D, ...] PAGE ntkrnlpa.exe!RtlUpperChar + 2F 805E2A23 80 Bytes [0F, B6, C0, 0F, B7, 04, 41, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCompareString + 26 805E2B38 4 Bytes [C1, 80, 7D, 10] PAGE ntkrnlpa.exe!RtlCompareString + 2B 805E2B3D 303 Bytes [8D, 1C, 30, 74, 4E, EB, 28, ...] PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 1 Byte [4D] PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 117 Bytes [4D, 08, 66, 8B, 51, 02, 56, ...] PAGE ntkrnlpa.exe!RtlAppendAsciizToString + 35 805E2CE3 174 Bytes [00, C0, EB, 17, 51, 8B, 4E, ...] PAGE ntkrnlpa.exe!RtlValidSid + 34 805E2D92 45 Bytes CALL 805A7B1A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlValidSid + 62 805E2DC0 104 Bytes [02, 75, 58, 8A, 50, 03, 3A, ...] PAGE ntkrnlpa.exe!RtlLengthRequiredSid + 1 805E2E29 78 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlSubAuthoritySid + 2 805E2E78 45 Bytes [55, 8B, EC, 8B, 45, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlLengthSid + 6 805E2EA6 78 Bytes [45, 08, 0F, B6, 40, 01, 8D, ...] PAGE ntkrnlpa.exe!RtlCopySid + 39 805E2EF5 160 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...] PAGE ntkrnlpa.exe!RtlCopySid + DA 805E2F96 21 Bytes [FF, 3C, 01, 74, 07, B8, 78, ...] PAGE ntkrnlpa.exe!RtlCopySid + F0 805E2FAC 33 Bytes [75, 04, 6A, 0A, EB, 02, 6A, ...] PAGE ntkrnlpa.exe!RtlCopySid + 112 805E2FCE 3 Bytes [53, 00, 2D] PAGE ntkrnlpa.exe!RtlCopySid + 116 805E2FD2 1 Byte [31] PAGE ... PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16 805E2FF4 32 Bytes [FC, 8B, 45, 08, 56, 89, 85, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 37 805E3015 182 Bytes [00, 57, 8D, 85, FC, FD, FF, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + EE 805E30CC 80 Bytes [76, 4A, EB, 09, 8D, 45, FA, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 13F 805E311D 47 Bytes [2B, 8D, 85, FC, FD, FF, FF, ...] PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16F 805E314D 44 Bytes [75, F1, 8D, 85, FC, FD, FF, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCopyLuid + B 805E31E5 94 Bytes [4D, 08, 89, 11, 8B, 40, 04, ...] PAGE ntkrnlpa.exe!RtlCreateSecurityDescriptor + 1C 805E3244 51 Bytes [C0, 5F, EB, 05, B8, 58, 00, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 22 805E3278 105 Bytes [46, 04, 66, 85, 7E, 02, 74, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 8C 805E32E2 9 Bytes [84, C0, 74, 3F, 66, 8B, 46, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 96 805E32EC 70 Bytes [75, 04, 33, F6, EB, 13, 66, ...] PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + DD 805E3333 158 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + 9A 805E33D2 19 Bytes [74, 0C, 0F, B7, 49, 02, 83, ...] PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + AE 805E33E6 135 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 1A 805E346E 18 Bytes [80, E1, 04, 80, F9, 04, 0F, ...] PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 2D 805E3481 43 Bytes [F6, C1, 04, 75, 04, 33, C9, ...] PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 59 805E34AD 155 Bytes [5D, C2, 10, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlGetSaclSecurityDescriptor + 2B 805E3549 60 Bytes [48, 02, F6, C1, 10, 75, 04, ...] PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 6 805E3586 15 Bytes [45, 08, 80, 38, 01, 74, 07, ...] PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 16 805E3596 46 Bytes [48, 02, 84, ED, 79, 07, B8, ...] PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 46 805E35C6 17 Bytes [48, 02, 33, C0, 5D, C2, 0C, ...] {DEC EAX; ADD DH, [EBX]; RCR BYTE [EBP-0x3e], 0xc; ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP} PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 4 805E35D8 14 Bytes [EC, 8B, 45, 08, 80, 38, 01, ...] {IN AL, DX ; MOV EAX, [EBP+0x8]; CMP BYTE [EAX], 0x1; JZ 0x10; MOV EAX, 0xc0000058} PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 13 805E35E7 3 Bytes [28, F6, 40] {SUB DH, DH; INC EAX} PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 17 805E35EB 47 Bytes [80, 8B, 48, 04, 74, 06, 85, ...] PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 1 805E361B 34 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 24 805E363E 12 Bytes [55, 0C, 83, 60, 08, 00, 85, ...] PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 31 805E364B 9 Bytes [81, E1, FD, FF, 00, 00, 80, ...] PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 3B 805E3655 60 Bytes [66, 89, 48, 02, 74, 07, 83, ...] PAGE ntkrnlpa.exe!RtlGetGroupSecurityDescriptor + 24 805E3692 24 Bytes [55, 0C, 89, 0A, 8A, 40, 02, ...] PAGE ntkrnlpa.exe!RtlGetGroupSecurityDescriptor + 3D 805E36AB 16 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] PAGE ntkrnlpa.exe!RtlAreAllAccessesGranted + C 805E36BC 91 Bytes [0C, F7, D8, 1A, C0, FE, C0, ...] PAGE ntkrnlpa.exe!RtlMapGenericMask + 34 805E3718 38 Bytes [71, 08, 0B, F2, 89, 30, 8B, ...] PAGE ntkrnlpa.exe!RtlMapGenericMask + 5B 805E373F 82 Bytes [FF, 55, 8B, EC, 53, 8B, 5D, ...] PAGE ntkrnlpa.exe!RtlMapGenericMask + AE 805E3792 8 Bytes [01, EB, 06, 8B, 45, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlMapGenericMask + B7 805E379B 92 Bytes [21, 07, 0F, B7, 46, 02, FF, ...] PAGE ntkrnlpa.exe!RtlMapGenericMask + 114 805E37F8 67 Bytes [00, 00, 76, 4E, 89, 45, FC, ...] PAGE ... PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 60 805E3A3C 2 Bytes [75, DE] {JNZ 0xffffffffffffffe0} PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 63 805E3A3F 15 Bytes [40, 01, 3C, 0F, 77, D7, 0F, ...] PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 73 805E3A4F 5 Bytes [39, 45, 08, 72, C8] {CMP [EBP+0x8], EAX; JB 0xffffffffffffffcd} PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 79 805E3A55 68 Bytes [7E, 08, 85, FF, 75, 08, F6, ...] PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + BE 805E3A9A 43 Bytes [7E, 10, 85, FF, 74, 35, 8D, ...] PAGE ... PAGE ntkrnlpa.exe!RtlEqualSid + 1 805E3B5F 59 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlEqualSid + 3D 805E3B9B 107 Bytes [FF, 55, 8B, EC, 81, EC, A0, ...] PAGE ntkrnlpa.exe!RtlEqualSid + A9 805E3C07 16 Bytes [C6, 45, D5, 00, C6, 45, D6, ...] {MOV BYTE [EBP-0x2b], 0x0; MOV BYTE [EBP-0x2a], 0x0; MOV BYTE [EBP-0x29], 0x0; MOV BYTE [EBP-0x28], 0x0} PAGE ntkrnlpa.exe!RtlEqualSid + BA 805E3C18 76 Bytes CALL 805E2E3D \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlEqualSid + 107 805E3C65 42 Bytes [87, 76, 03, 00, 00, 83, 65, ...] PAGE ... PAGE ntkrnlpa.exe!RtlInitializeBitMap + C 805E5F28 42 Bytes [08, 8B, 4D, 0C, 89, 48, 04, ...] PAGE ntkrnlpa.exe!RtlIntegerToChar + 1B 805E5F53 112 Bytes CALL C888D358 PAGE ntkrnlpa.exe!RtlIntegerToChar + 8C 805E5FC4 54 Bytes [88, 0E, 85, C0, 75, E0, 8D, ...] PAGE ntkrnlpa.exe!RtlIntegerToChar + C3 805E5FFB 79 Bytes [7D, BC, 8B, D9, C1, E9, 02, ...] PAGE ntkrnlpa.exe!RtlIntegerToChar + 113 805E604B 13 Bytes [CC, 6A, 0C, 68, 60, B1, 4D, ...] {INT 3 ; PUSH 0xc; PUSH 0x804db160; CALL 0xfffffffffff55b55} PAGE ntkrnlpa.exe!RtlCharToInteger + D 805E6059 26 Bytes [75, 08, 8A, 1E, EB, 09, 46, ...] PAGE ntkrnlpa.exe!RtlCharToInteger + 28 805E6074 9 Bytes [05, 80, FB, 2B, 75, 03, 8A, ...] PAGE ntkrnlpa.exe!RtlCharToInteger + 32 805E607E 91 Bytes [7D, 0C, 85, FF, 75, 38, 6A, ...] PAGE ntkrnlpa.exe!RtlCharToInteger + 8E 805E60DA 80 Bytes [6A, 04, EB, 06, 33, C9, EB, ...] PAGE ntkrnlpa.exe!RtlCharToInteger + DF 805E612B 30 Bytes [D3, E2, 0B, D0, 8A, 06, 46, ...] PAGE ... PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 7 805E617B 15 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 17 805E618B 80 Bytes [5E, D1, EF, 74, 1A, 4F, 33, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 68 805E61DC 65 Bytes [75, 7A, 85, FF, 74, 46, 4F, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + AA 805E621E 213 Bytes [74, 08, 4F, 66, 8B, 02, 03, ...] PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 180 805E62F4 37 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...] PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 20 805E631A 23 Bytes [74, 2A, 48, 48, 74, 21, 83, ...] PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 38 805E6332 3 Bytes JMP 805E6409 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 3C 805E6336 1 Byte [00] PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 3C 805E6336 20 Bytes [00, 00, 6A, 04, EB, 02, 6A, ...] PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 52 805E634C 29 Bytes [00, 33, FF, 85, FF, 74, 0C, ...] PAGE ... PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + D 805E642D 72 Bytes [56, 8B, 75, 10, 89, 45, FC, ...] PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + 56 805E6476 3 Bytes CALL 804EE1C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + 5A 805E647A 75 Bytes [C9, C2, 0C, 00, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + A6 805E64C6 47 Bytes JMP 805E6633 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + D6 805E64F6 91 Bytes [8B, BD, 7C, FF, FF, FF, 3B, ...] PAGE ... PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 18 805E6838 18 Bytes [0C, 56, 8B, 75, 14, 89, 45, ...] PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 2B 805E684B 37 Bytes CALL 805E6482 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 51 805E6871 17 Bytes [D4, 6A, 00, 8D, 45, D4, 50, ...] {AAM 0x6a; ADD [EBP+0x5650d445], CL; CALL 0xffffffffffffba11; MOV ECX, [EBP-0x4]; POP ESI} PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 63 805E6883 3 Bytes CALL 804EE1C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 67 805E6887 124 Bytes [C9, C2, 10, 00, CC, CC, CC, ...] PAGE ... PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + A 805E6B06 17 Bytes [45, 00, 47, 00, 49, 00, 53, ...] {INC EBP; ADD [EDI+0x0], AL; DEC ECX; ADD [EBX+0x0], DL; PUSH ESP; ADD [EDX+0x0], DL; POP ECX; ADD [EAX+EAX+0x55], BL} PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + 1C 805E6B18 7 Bytes [53, 00, 45, 00, 52, 00, 5C] PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + 24 805E6B20 61 Bytes [00, 00, CC, CC, CC, CC, CC, ...] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 37 805E6B5F 4 Bytes [C0, 0F, 85, B7] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 3C 805E6B64 54 Bytes [00, 00, 8D, 45, A8, 50, 53, ...] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 73 805E6B9B 68 Bytes [3B, DF, 7C, 7C, 8D, 45, A4, ...] PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + B8 805E6BE0 15 Bytes [8B, 45, A4, 8B, 4E, 04, 66, ...] {MOV EAX, [EBP-0x5c]; MOV ECX, [ESI+0x4]; MOV [EBP-0x62], AX; MOVZX EAX, [ESI]; SHR EAX, 0x1} PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + C9 805E6BF1 66 Bytes [41, 57, FF, 75, AC, 89, 45, ...] PAGE ... PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 1 805E73A5 37 Bytes [FF, 55, 8B, EC, 83, EC, 3C, ...] PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 27 805E73CB 151 Bytes [00, 89, 75, EC, 81, 65, EC, ...] PAGE ntkrnlpa.exe!RtlQueryRegistryValues + BF 805E7463 141 Bytes [3B, 45, F0, 74, 0C, 50, E8, ...] PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 14D 805E74F1 29 Bytes CALL 805002EE \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 16B 805E750F 82 Bytes [80, 0F, 84, ED, 01, 00, 00, ...] PAGE |
GMER Teil 3: ... PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 37 805E77B5 27 Bytes CALL 80501084 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 53 805E77D1 1 Byte [C9] PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 53 805E77D1 3 Bytes [C9, C2, 18] PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 5 805E77DF 1 Byte [8D] PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 8 805E77E2 9 Bytes [50, 6A, 00, FF, 75, 0C, FF, ...] {PUSH EAX; PUSH 0x0; PUSH DWORD [EBP+0xc]; PUSH DWORD [EBP+0x8]} PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 12 805E77EC 22 Bytes [E4, F4, FF, FF, 85, C0, 7C, ...] PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 2A 805E7804 139 Bytes [CC, CC, CC, CC, 8B, FF, 55, ...] PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 54 805E7890 9 Bytes [5A, 00, 6F, 00, 6E, 00, 65, ...] {POP EDX; ADD [EDI+0x0], CH; OUTSB ; ADD [EBP+0x0], AH; DEC ECX} PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 5E 805E789A 7 Bytes [6E, 00, 66, 00, 6F, 00, 72] PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 66 805E78A2 28 Bytes [6D, 00, 61, 00, 74, 00, 69, ...] PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 83 805E78BF 24 Bytes [75, 08, 68, 88, 78, 5E, 80, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 2 805E78D8 6 Bytes [55, 8B, EC, 81, EC, F4] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + B 805E78E1 21 Bytes [53, 8D, 45, FC, 50, 33, DB, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 21 805E78F7 49 Bytes [55, 08, 56, 57, 6A, 2B, 59, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 53 805E7929 38 Bytes [50, FF, FF, FF, 8D, 4A, 44, ...] PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 7A 805E7950 46 Bytes [48, FF, FF, FF, 89, 85, 64, ...] PAGE ... PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 5 805E7A03 1 Byte [51] PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + A 805E7A08 13 Bytes CALL 805E78B4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 18 805E7A16 22 Bytes [00, 53, 56, 57, 8B, 7D, 08, ...] PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 2F 805E7A2D 41 Bytes CALL 805E777B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 59 805E7A57 6 Bytes [75, FC, 56, E8, 1F, FD] PAGE ... PAGE ntkrnlpa.exe!RtlDecompressBuffer + 35 805E7C13 36 Bytes [14, 85, 78, F1, 67, 80, EB, ...] PAGE ntkrnlpa.exe!RtlDecompressFragment + F 805E7C39 5 Bytes [74, 32, 66, 3D, 01] PAGE ntkrnlpa.exe!RtlDecompressFragment + 15 805E7C3F 133 Bytes [74, 2C, A8, F0, 74, 07, B8, ...] PAGE ntkrnlpa.exe!RtlReserveChunk + 1 805E7CC5 13 Bytes [FF, 55, 8B, EC, 33, C0, 8A, ...] PAGE ntkrnlpa.exe!RtlReserveChunk + F 805E7CD3 153 Bytes [74, 29, 66, 3D, 01, 00, 74, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + 61 805E7D6D 53 Bytes [00, 00, 8B, 45, 08, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + 97 805E7DA3 52 Bytes [83, E1, 03, 83, 65, 1C, 00, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + CC 805E7DD8 80 Bytes [00, 8B, 45, 08, 53, FF, 75, ...] PAGE ntkrnlpa.exe!RtlDecompressChunks + 11D 805E7E29 13 Bytes CALL 805E7BDD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlDecompressChunks + 12B 805E7E37 83 Bytes [8B, 55, F0, 8B, 4D, 14, 3B, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCompressChunks + 16 805E7EE6 73 Bytes CALL AC4651EF PAGE ntkrnlpa.exe!RtlCompressChunks + 60 805E7F30 23 Bytes [75, 06, 83, 65, FC, 00, EB, ...] PAGE ntkrnlpa.exe!RtlCompressChunks + 78 805E7F48 52 Bytes JMP 0C04724F PAGE ntkrnlpa.exe!RtlCompressChunks + AD 805E7F7D 12 Bytes [75, FC, 8B, 75, 14, 8B, 4D, ...] PAGE ntkrnlpa.exe!RtlCompressChunks + BA 805E7F8A 52 Bytes [F8, 04, 89, 0A, 8B, 4D, 18, ...] PAGE ... PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 18 805E83E2 1 Byte [5D] PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 18 805E83E2 46 Bytes CALL 0BC5441A PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 47 805E8411 29 Bytes [8B, 45, F0, 83, C0, 02, 66, ...] PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 65 805E842F 31 Bytes JMP 805E857E \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 85 805E844F 82 Bytes [F3, A4, 66, 8B, 1B, 66, 89, ...] PAGE ... PAGE ntkrnlpa.exe!RtlFindMessage + 2 805E858C 43 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...] PAGE ntkrnlpa.exe!RtlFindMessage + 2F 805E85B9 13 Bytes [85, C0, 7C, 3C, 6A, 00, 8D, ...] {TEST EAX, EAX; JL 0x40; PUSH 0x0; LEA EAX, [EBP+0x10]; PUSH EAX; PUSH DWORD [EBP+0xc]} PAGE ntkrnlpa.exe!RtlFindMessage + 3D 805E85C7 20 Bytes CALL 805D8D8C \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlFindMessage + 52 805E85DC 65 Bytes [04, 74, 14, 8B, 55, 14, 49, ...] PAGE ntkrnlpa.exe!RtlStringFromGUID + 2 805E861E 252 Bytes [55, 8B, EC, 56, 8B, 75, 0C, ...] PAGE ntkrnlpa.exe!RtlStringFromGUID + FF 805E871B 84 Bytes [EB, 53, 4E, 83, 7D, 08, 00, ...] PAGE ntkrnlpa.exe!RtlStringFromGUID + 154 805E8770 237 Bytes [85, F6, 75, A9, 83, 45, FC, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + C 805E885E 122 Bytes [00, 8B, 45, 08, 0F, B7, 00, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + 88 805E88DA 30 Bytes [00, 8B, 35, 24, C7, 67, 80, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + A7 805E88F9 10 Bytes [10, 0F, B7, C9, 03, C8, A1, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + B2 805E8904 11 Bytes [0F, B7, 04, 48, EB, 0A, 8B, ...] PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + BE 805E8910 54 Bytes [0F, B7, 04, 41, 66, 8B, D0, ...] PAGE ... PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + D 805E8AB9 47 Bytes [56, 8B, 75, 0C, 89, 45, FC, ...] PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 3D 805E8AE9 50 Bytes [8D, 75, E0, 89, 4D, E4, 66, ...] PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 70 805E8B1C 10 Bytes [F9, 02, 75, 1C, 8B, 46, 04, ...] {STC ; ADD DH, [EBP+0x1c]; MOV EAX, [ESI+0x4]; CMP BYTE [EAX], 0x2e} PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 7B 805E8B27 94 Bytes [14, 80, 78, 01, 2E, 75, 0E, ...] PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + DA 805E8B86 168 Bytes [43, EB, 61, 80, F9, 80, 73, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 1 805E8C2F 15 Bytes [FF, 55, 8B, EC, 83, EC, 30, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 11 805E8C3F 33 Bytes [53, 8B, 5D, 10, 56, 89, 45, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 33 805E8C61 18 Bytes [C6, 45, EB, 01, 75, 04, C6, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 47 805E8C75 36 Bytes [66, 8B, 37, 83, 4D, E4, FF, ...] PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 6C 805E8C9A 168 Bytes [75, D0, EB, 11, 66, 3D, 2E, ...] PAGE ... PAGE ntkrnlpa.exe!RtlLockBootStatusData + 19 805E9073 33 Bytes [00, 56, 89, 45, FC, 8D, 85, ...] PAGE ntkrnlpa.exe!RtlLockBootStatusData + 3B 805E9095 13 Bytes [2B, F0, 56, 8D, 85, F8, FD, ...] PAGE ntkrnlpa.exe!RtlLockBootStatusData + 49 805E90A3 21 Bytes CALL 8053B928 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlLockBootStatusData + 5F 805E90B9 21 Bytes CALL 8052E787 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlLockBootStatusData + 75 805E90CF 6 Bytes [56, 8D, 85, CC, FD, FF] PAGE ... PAGE ntkrnlpa.exe!RtlUnlockBootStatusData + 2 805E913A 28 Bytes [55, 8B, EC, 83, EC, 0C, 33, ...] PAGE ntkrnlpa.exe!RtlUnlockBootStatusData + 1F 805E9157 40 Bytes [75, 08, 89, 45, FC, E8, 6B, ...] PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + 2 805E9180 201 Bytes [55, 8B, EC, 83, EC, 44, 53, ...] PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + CC 805E924A 38 Bytes CALL 80500B84 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + F3 805E9271 6 Bytes [CC, CC, CC, CC, CC, 8B] PAGE ntkrnlpa.exe!RtlGetVersion + 2 805E9278 7 Bytes [55, 8B, EC, A1, 98, A8, 55] PAGE ntkrnlpa.exe!RtlGetVersion + A 805E9280 19 Bytes [56, 8B, 75, 08, 89, 46, 04, ...] PAGE ntkrnlpa.exe!RtlGetVersion + 1E 805E9294 67 Bytes [25, FF, 3F, 00, 00, 81, 3E, ...] PAGE ntkrnlpa.exe!RtlGetVersion + 62 805E92D8 84 Bytes CALL 805EAD8D \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntkrnlpa.exe!RtlNtStatusToDosError + 2D 805E932D 26 Bytes [4D, FC, FF, FF, 75, 08, E8, ...] PAGE ntkrnlpa.exe!RtlRandom + 2 805E9348 13 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...] PAGE ntkrnlpa.exe!RtlRandom + 10 805E9356 86 Bytes [FF, 7F, 57, B9, C3, FF, FF, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + 15 805E93AD 145 Bytes [2F, 71, F4, FF, 8B, 45, 08, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + A9 805E9441 5 Bytes [8B, 07, 3B, 03, 0F] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + AF 805E9447 32 Bytes [66, 01, 00, 00, B0, 01, E9, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + D0 805E9468 30 Bytes [0F, 84, 43, 01, 00, 00, 66, ...] PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + EF 805E9487 7 Bytes [89, 45, F0, 0F, 85, D7, 00] PAGE ... PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 4B 805EBB61 8 Bytes [5D, FC, 80, 7D, 0C, 00, 75, ...] {POP EBP; CLD ; CMP BYTE [EBP+0xc], 0x0; JNZ 0x56} PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 54 805EBB6A 29 Bytes [75, D0, 83, 65, D0, 03, 74, ...] PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 72 805EBB88 27 Bytes [7C, 5B, FD, 8D, 3C, BD, 10, ...] PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 8E 805EBBA4 41 Bytes [03, FE, 3B, FE, 72, 08, 3B, ...] PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + B8 805EBBCE 1 Byte [39] PAGE ... PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 66 805EBF24 41 Bytes [FE, 74, 1D, 6A, 04, FF, 75, ...] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 91 805EBF4F 4 Bytes [8B, 00, 89, 45] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 96 805EBF54 61 Bytes [33, C0, 40, C3, 8B, 65, E8, ...] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + D4 805EBF92 73 Bytes [00, 89, 45, C4, 3B, C6, 0F, ...] PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 11E 805EBFDC 10 Bytes [89, 45, BC, 33, C0, 40, C3, ...] {MOV [EBP-0x44], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]} PAGE ... ? spjb.sys Das System kann die angegebene Datei nicht finden. ! .text USBPORT.SYS!DllUnload B8A368AC 5 Bytes JMP 8A8F01D8 .rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xBA0D5094] .text win32k.sys!EngSetLastError + 34D5 BF81FE00 3 Bytes JMP BF81FECE \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngSetLastError + 34D9 BF81FE04 1 Byte [00] .text win32k.sys!EngSetLastError + 34D9 BF81FE04 18 Bytes [00, 00, 8B, 45, 08, F6, 40, ...] .text win32k.sys!EngSetLastError + 34EC BF81FE17 5 Bytes [50, E8, 12, D4, 04] .text win32k.sys!EngSetLastError + 34F2 BF81FE1D 209 Bytes [0F, B7, C0, EB, 20, 90, 90, ...] .text ... .text win32k.sys!CLIPOBJ_bEnum + 51 BF824343 11 Bytes JMP 8D3A8B04 .text win32k.sys!CLIPOBJ_bEnum + 5D BF82434F 88 Bytes [00, 00, 2B, D7, 8B, 7A, 04, ...] .text win32k.sys!CLIPOBJ_bEnum + B6 BF8243A8 61 Bytes [8B, 51, 30, A5, A5, A5, A5, ...] .text win32k.sys!CLIPOBJ_bEnum + F4 BF8243E6 81 Bytes [3E, 89, 51, 44, EB, E8, 8B, ...] .text win32k.sys!CLIPOBJ_bEnum + 146 BF824438 43 Bytes [C1, EB, ED, 83, C0, FC, 8B, ...] .text ... .text win32k.sys!EngLpkInstalled + 1 BF825866 12 Bytes [0D, BC, 7B, 9A, BF, 33, C0, ...] .text win32k.sys!EngLpkInstalled + E BF825873 20 Bytes [0F, 95, C0, C3, 90, 90, 90, ...] .text win32k.sys!EngLpkInstalled + 23 BF825888 137 Bytes [91, B0, 00, 00, 00, 89, 10, ...] .text win32k.sys!EngLpkInstalled + AD BF825912 27 Bytes [81, F9, FF, 00, 00, 00, 74, ...] .text win32k.sys!EngLpkInstalled + C9 BF82592E 32 Bytes [40, EB, F9, 90, 90, 90, 90, ...] .text ... .text win32k.sys!EngBitBlt + 42 BF827284 101 Bytes [47, 1C, 52, 52, 51, 8D, 4D, ...] .text win32k.sys!EngBitBlt + A8 BF8272EA 38 Bytes [3D, 55, 55, 00, 00, 0F, 84, ...] .text win32k.sys!EngBitBlt + CF BF827311 8 Bytes [FF, 75, 1C, 57, E8, 3C, 1D, ...] .text win32k.sys!EngBitBlt + D8 BF82731A 27 Bytes [33, C0, 40, 5F, 5E, 5B, C9, ...] .text win32k.sys!EngBitBlt + F4 BF827336 2 Bytes [45, 1C] .text ... .text win32k.sys!EngPaint + 2 BF8281DD 78 Bytes [55, 8B, EC, 8B, 45, 18, 8B, ...] .text win32k.sys!EngPaint + 51 BF82822C 5 Bytes [90, 90, 90, 90, 90] {NOP ; NOP ; NOP ; NOP ; NOP } .text win32k.sys!EngPaint + 57 BF828232 62 Bytes [FF, 55, 8B, EC, 56, 8B, F1, ...] .text win32k.sys!EngPaint + 96 BF828271 9 Bytes [8B, F0, 85, F6, 74, 24, 83, ...] .text win32k.sys!EngPaint + A0 BF82827B 69 Bytes [74, CF, FF, 75, 08, 56, E8, ...] .text ... .text win32k.sys!EngCopyBits + 1 BF838873 63 Bytes [FF, 55, 8B, EC, 81, EC, FC, ...] .text win32k.sys!EngCopyBits + 41 BF8388B3 20 Bytes [83, 65, 0C, 00, F6, 40, 4A, ...] .text win32k.sys!EngCopyBits + 56 BF8388C8 11 Bytes [75, 1C, FF, 75, 18, 57, FF, ...] {JNZ 0x1e; PUSH DWORD [EBP+0x18]; PUSH EDI; PUSH DWORD [EBP+0x10]; PUSH EBX; PUSH ESI} .text win32k.sys!EngCopyBits + 62 BF8388D4 11 Bytes [55, 08, 8B, D8, 8D, 4D, 0C, ...] .text win32k.sys!EngCopyBits + 6E BF8388E0 39 Bytes [8B, C3, 5F, 5E, 5B, C9, C2, ...] .text ... .text win32k.sys!EngLockSurface + 1 BF8393CA 11 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...] .text win32k.sys!EngLockSurface + D BF8393D6 9 Bytes CALL BF8137EF \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngLockSurface + 17 BF8393E0 44 Bytes [75, FC, 85, F6, 74, 1A, 57, ...] .text win32k.sys!EngLockSurface + 44 BF83940D 59 Bytes [EC, 8B, 55, 14, 53, 8B, 5D, ...] .text win32k.sys!EngLockSurface + 80 BF839449 73 Bytes [D1, 85, C0, 74, 12, 50, E8, ...] .text ... .text win32k.sys!EngMapFontFileFD + 22 BF83CA6E 33 Bytes [EC, 8B, 45, 08, 85, C0, 74, ...] .text win32k.sys!EngMapFontFileFD + 44 BF83CA90 3 Bytes [F8, 89, 7D] .text win32k.sys!EngMapFontFileFD + 48 BF83CA94 31 Bytes JMP BF83CB5C \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngMapFontFileFD + 68 BF83CAB4 233 Bytes [6A, 02, 8D, 4D, 08, 51, 8D, ...] .text win32k.sys!EngMapFontFileFD + 152 BF83CB9E 58 Bytes [FF, 6A, 02, 68, 00, 00, 40, ...] .text ... .text win32k.sys!EngUnmapFontFileFD + 4 BF83CC6B 59 Bytes [EC, 83, EC, 20, 53, FF, 35, ...] .text win32k.sys!EngUnmapFontFileFD + 40 BF83CCA7 8 Bytes [8D, 45, E0, 50, E8, 78, 85, ...] .text win32k.sys!EngUnmapFontFileFD + 49 BF83CCB0 8 Bytes [EB, F1, 85, C9, 0F, 84, 2E, ...] .text win32k.sys!EngUnmapFontFileFD + 53 BF83CCBA 64 Bytes [F6, C1, 01, 0F, 85, 25, 03, ...] .text win32k.sys!EngUnmapFontFileFD + 94 BF83CCFB 53 Bytes [4D, 0C, 85, C9, 0F, 84, A5, ...] .text ... .text win32k.sys!EngCreateBitmap + 1B BF83DA49 72 Bytes CALL BF814219 \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngCreateBitmap + 64 BF83DA92 89 Bytes [1D, 8B, 55, 10, 8B, 4D, 0C, ...] .text win32k.sys!EngCreateBitmap + BE BF83DAEC 140 Bytes CALL BF83D997 \SystemRoot\System32\win32k.sys (Mehrbenutzer-Win32-Treiber/Microsoft Corporation) .text win32k.sys!EngCreateBitmap + 14B BF83DB79 28 Bytes [55, 8B, EC, 83, EC, 14, 53, ...] .text win32k.sys!EngCreateBitmap + 168 BF83DB96 17 Bytes [00, 00, 39, 43, 0C, 0F, 85, ...] .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 009A000A .text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009B000A .text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0099000C .text C:\WINDOWS\System32\svchost.exe[644] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 00E5000A .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00B7000A .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00C1000A .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00B6000C .text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 009A000A .text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009B000A .text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0099000C ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spjb.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spjb.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spjb.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spjb.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spjb.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A93B1F8 AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) Device \FileSystem\MacOpen \MacOpenCd 8A8CE1F8 Device \FileSystem\MacOpen \MacOpen 8A8CE1F8 Device \Driver\usbstor \Device\0000009b 89D91388 Device \Driver\usbstor \Device\0000009c 89D91388 AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) Device \Driver\usbstor \Device\0000009d 89D91388 Device \Driver\usbstor \Device\0000009e 89D91388 Device \Driver\usbuhci \Device\USBPDO-0 8A6491F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8C31F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A8C31F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A8C31F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A8C31F8 Device \Driver\usbuhci \Device\USBPDO-1 8A6491F8 Device \Driver\usbuhci \Device\USBPDO-2 8A6491F8 Device \Driver\usbehci \Device\USBPDO-3 8A6021F8 Device \Driver\usbuhci \Device\USBPDO-4 8A6491F8 AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) Device \Driver\usbuhci \Device\USBPDO-5 8A6491F8 Device \Driver\usbuhci \Device\USBPDO-6 8A6491F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) Device \Driver\usbehci \Device\USBPDO-7 8A6021F8 Device \Driver\Cdrom \Device\CdRom0 8A4FC1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-2f [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-10 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort4 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort5 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-1c [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-24 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-3a [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume4 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume5 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume6 8A8A41F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 89EBD500 Device \Driver\NetBT \Device\NetbiosSmb 89EBD500 AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC) Device \Driver\NetBT \Device\NetBT_Tcpip_{69F97877-8014-439F-9E28-C81CEEA5E4DA} 89EBD500 Device \Driver\usbuhci \Device\USBFDO-0 8A6491F8 Device \Driver\usbstor \Device\00000099 89D91388 Device \Driver\usbuhci \Device\USBFDO-1 8A6491F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E27500 Device \Driver\usbuhci \Device\USBFDO-2 8A6491F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E27500 Device \Driver\usbehci \Device\USBFDO-3 8A6021F8 Device \Driver\usbuhci \Device\USBFDO-4 8A6491F8 Device \Driver\Ftdisk \Device\FtControl 8A8A41F8 Device \Driver\usbuhci \Device\USBFDO-5 8A6491F8 Device \Driver\usbuhci \Device\USBFDO-6 8A6491F8 Device \Driver\usbehci \Device\USBFDO-7 8A6021F8 Device \Driver\usbstor \Device\0000009a 89D91388 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation) Device \FileSystem\Fastfat \Fat 874A71F8 Device \FileSystem\Fastfat \Fat A258C297 AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 89E37500 Device -> \Driver\atapi \Device\Harddisk0\DR0 8A530EC5 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@LicenseKey H5D0-56B3-DA23-009B Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@NumberOfcdroms 3 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ServiceBinary C:\WINDOWS\system32\drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Group SCSI Miniport Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ImagePath System32\Drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Start 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Type 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Tag 66 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Error (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Error@ Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Result (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Result@ 0 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@0 ROOT\SCSIADAPTER\0000 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@Count 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@NextInstance 1 Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters\pnpinterface (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters\pnpinterface@1 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@LicenseKey H5D0-56B3-DA23-009B Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@NumberOfcdroms 3 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ServiceBinary C:\WINDOWS\system32\drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Group SCSI Miniport Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ImagePath System32\Drivers\vbev5mp.sys Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Start 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Type 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Tag 66 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Error (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Error@ Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Result (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Result@ 0 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@0 ROOT\SCSIADAPTER\0000 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@Count 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@NextInstance 1 Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters\pnpinterface (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters\pnpinterface@1 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 6F2A49C98638B9D2D727ECDED6EB32A8B0FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7F D869164D67949DB7CE019D40AA5CBA7FD869164D6794A8566D9058DD216FD032E9B997302F064346536927F9F0C8B26EA11AF4556B30999138D2DAE70ACEB58A33404FD65731EB1D816263 3E7DCE68FAD64217C39E101E5DE142F8B572DA892B5EF09136C53ECB2A6CFCADFCB29C93CDC22762A3BD6F538724D0FA86389FCDB0B3189F2FF3E16A7D897DD858452B5E0727A460F75DB4 29E0AD9542DEEA0BD73EEC244CE80EB320A83F4D4E39A05EC94AB83AAC09C42863BC9E4ABE09CF6E5078B8267D4CF8AD9B436A758AC8E378263EA010F9E26EF818F48E4BF692DC80B289BA D73009C62FDD68D9A81E7760A29B107B6C8ED68B3636E5081C86CBC15DD01F8A13F211437DBDB4D2B8ACF71DE8A36D5ABD40F77E567AEF866299C9DD81506A325669196A3F64CC8C9EEDC1 54BB0F0CC293001E5F34F9F6FEE6F4E5C450A8A032C4CA1D6FFECE56B476AF10F56FFEA1AD24CD66780B9CE455196CBD400FA5FD7C25615936ACCFFB6900D06123BCEA6B88473EAFCA7C1D 26650A6CB14DE9EA3C77620DD1D81D0D6D3F1DC6F933BF9DA8B37AFA9F898F8D2BFBEFF1679AEDEAA0FE8BC14BA40580DB3FD897DFAE78369C045E411E1 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ---- |
Noch eine Frage: Kann/darf ich ComboFix wieder deinstallieren? |
noch nicht, machen wir zum schluss so und nu gehts los :-) kaspersky tdss killer Wie werden Schadprogramme der Familie Rootkit.Win32.TDSS bekämpft? ausführen, log posten |
Ok. Mit der Voreinstellung "cure" nehme ich an!? |
ja, genau. |
Nun hier der TDSKiller Report: 2010/08/06 13:06:04.0765 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41 2010/08/06 13:06:04.0765 ================================================================================ 2010/08/06 13:06:04.0765 SystemInfo: 2010/08/06 13:06:04.0765 2010/08/06 13:06:04.0765 OS Version: 5.1.2600 ServicePack: 3.0 2010/08/06 13:06:04.0765 Product type: Workstation 2010/08/06 13:06:04.0765 ComputerName: XXXXXXX 2010/08/06 13:06:04.0765 UserName: xxxxxxx xxx 2010/08/06 13:06:04.0765 Windows directory: C:\WINDOWS 2010/08/06 13:06:04.0765 System windows directory: C:\WINDOWS 2010/08/06 13:06:04.0765 Processor architecture: Intel x86 2010/08/06 13:06:04.0765 Number of processors: 2 2010/08/06 13:06:04.0765 Page size: 0x1000 2010/08/06 13:06:04.0765 Boot type: Normal boot 2010/08/06 13:06:04.0765 ================================================================================ 2010/08/06 13:06:05.0625 Initialize success 2010/08/06 13:06:15.0171 ================================================================================ 2010/08/06 13:06:15.0171 Scan started 2010/08/06 13:06:15.0171 Mode: Manual; 2010/08/06 13:06:15.0171 ================================================================================ 2010/08/06 13:06:16.0265 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/08/06 13:06:16.0328 ACPIEC (9e1ca3160dafb159ca14f83b1e317f75) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/08/06 13:06:16.0421 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/08/06 13:06:16.0468 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/08/06 13:06:16.0703 AnyDVD (82ce157ff3701ab50769b2654d0b0215) C:\WINDOWS\system32\Drivers\AnyDVD.sys 2010/08/06 13:06:16.0750 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2010/08/06 13:06:16.0890 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2010/08/06 13:06:16.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/08/06 13:06:17.0015 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/08/06 13:06:17.0093 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/08/06 13:06:17.0125 AVMCOWAN (0bcb6b3df2e248c8e8f2ffc6f58d1341) C:\WINDOWS\system32\DRIVERS\AVMCOWAN.sys 2010/08/06 13:06:17.0156 AVMWAN (c997af59c54d69232fb7bbea4dad86e2) C:\WINDOWS\system32\DRIVERS\avmwan.sys 2010/08/06 13:06:17.0171 bdfm (ced6717bd8b67284afcf692b9316b464) C:\WINDOWS\system32\drivers\bdfm.sys 2010/08/06 13:06:17.0234 bdfsfltr (70975049e22b2efec260816cf505e6e7) C:\WINDOWS\system32\drivers\bdfsfltr.sys 2010/08/06 13:06:17.0343 bdftdif (a7bdb1958d9b8245a0ba83f46abb630c) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Firewall\bdftdif.sys 2010/08/06 13:06:17.0359 BDSelfPr (5eaf583c0b1cc2499761ea3b065f5db2) C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys 2010/08/06 13:06:17.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/08/06 13:06:17.0484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/08/06 13:06:17.0562 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/08/06 13:06:17.0625 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/08/06 13:06:17.0687 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/08/06 13:06:17.0906 cxbu0wdm (ee1d91022fc0df4f0434ec11c65e6649) C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys 2010/08/06 13:06:18.0015 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/08/06 13:06:18.0078 dmboot (0dcfc8395a99fecbb1ef771cec7fe4ea) C:\WINDOWS\system32\drivers\dmboot.sys 2010/08/06 13:06:18.0156 dmio (53720ab12b48719d00e327da470a619a) C:\WINDOWS\system32\drivers\dmio.sys 2010/08/06 13:06:18.0187 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/08/06 13:06:18.0281 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/08/06 13:06:18.0343 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/08/06 13:06:18.0390 dsltestSp5 (c6b2e10cfe79169c72f0269087b9a603) C:\WINDOWS\system32\Drivers\dsltestSp5.sys 2010/08/06 13:06:18.0437 E1000 (4de4bae4accb5a49fa85801d4f226355) C:\WINDOWS\system32\DRIVERS\e1000325.sys 2010/08/06 13:06:18.0484 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys 2010/08/06 13:06:18.0531 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys 2010/08/06 13:06:18.0578 ElbyCDIO (309ac30471a0f1c3a89dee1c81230576) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys 2010/08/06 13:06:18.0625 ENUM1394 (80d1b490b60e74e002dc116ec5d41748) C:\WINDOWS\system32\DRIVERS\enum1394.sys 2010/08/06 13:06:18.0687 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/08/06 13:06:18.0718 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys 2010/08/06 13:06:18.0781 Fips (b0678a548587c5f1967b0d70bacad6c1) C:\WINDOWS\system32\drivers\Fips.sys 2010/08/06 13:06:18.0828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys 2010/08/06 13:06:18.0875 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/08/06 13:06:18.0953 fpcibase (25baa9e7e21ca204b3202637c4f0d44e) C:\WINDOWS\system32\DRIVERS\fpcibase.sys 2010/08/06 13:06:19.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/08/06 13:06:19.0046 Ftdisk (8f1955ce42e1484714b542f341647778) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/08/06 13:06:19.0140 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/08/06 13:06:19.0171 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2010/08/06 13:06:19.0218 HECI (cc2c8c23417cc7ddf5eddb17e60a14db) C:\WINDOWS\system32\DRIVERS\HECI.sys 2010/08/06 13:06:19.0281 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/08/06 13:06:19.0406 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/08/06 13:06:19.0562 i8042prt (e283b97cfbeb86c1d86baed5f7846a92) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/08/06 13:06:19.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/08/06 13:06:19.0781 intelppm (4c7d2750158ed6e7ad642d97bffae351) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/08/06 13:06:19.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/08/06 13:06:19.0875 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/08/06 13:06:19.0921 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/08/06 13:06:19.0968 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/08/06 13:06:20.0000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/08/06 13:06:20.0046 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys 2010/08/06 13:06:20.0078 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/08/06 13:06:20.0156 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys 2010/08/06 13:06:20.0203 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys 2010/08/06 13:06:20.0281 isapnp (6dfb88f64135c525433e87648bda30de) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/08/06 13:06:20.0328 Kbdclass (1704d8c4c8807b889e43c649b478a452) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/08/06 13:06:20.0375 kbdhid (b6d6c117d771c98130497265f26d1882) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2010/08/06 13:06:20.0437 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/08/06 13:06:20.0468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/08/06 13:06:20.0562 MacOpen (f1d23f78dcd65c8132c908b1e72e9143) C:\WINDOWS\system32\drivers\MacOpen.sys 2010/08/06 13:06:20.0625 MagicTune (f627e9da4d3d8dc05a15b68944302f14) C:\WINDOWS\system32\drivers\MTiCtwl.sys 2010/08/06 13:06:20.0687 MaxtorFrontPanel1 (dad2801f46631b625fb4fb37265fbe6e) C:\WINDOWS\system32\DRIVERS\mxofwfp.sys 2010/08/06 13:06:20.0750 MLPTDR_B (124aaf5d2a58e00c05019b0fb77c0966) C:\WINDOWS\system32\MLPTDR_B.sys 2010/08/06 13:06:20.0812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/08/06 13:06:20.0875 Modem (6fb74ebd4ec57a6f1781de3852cc3362) C:\WINDOWS\system32\drivers\Modem.sys 2010/08/06 13:06:20.0937 motmodem (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motmodem.sys 2010/08/06 13:06:20.0984 Mouclass (b24ce8005deab254c0251e15cb71d802) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/08/06 13:06:21.0015 mouhid (66a6f73c74e1791464160a7065ce711a) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/08/06 13:06:21.0062 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/08/06 13:06:21.0156 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/08/06 13:06:21.0203 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/08/06 13:06:21.0265 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/08/06 13:06:21.0312 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/08/06 13:06:21.0375 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/08/06 13:06:21.0421 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/08/06 13:06:21.0500 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/08/06 13:06:21.0562 MTXPAR (0f83a76c82d5b9f672b33923759b2b12) C:\WINDOWS\system32\DRIVERS\MTXPARM.sys 2010/08/06 13:06:21.0703 MTXPARH (6dda78a0be692b61b668fab860f276cf) C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys 2010/08/06 13:06:21.0734 Mtxparmx (a9948d5ed30db457ff92239802d97e34) C:\WINDOWS\system32\DRIVERS\Mtxparmx.sys 2010/08/06 13:06:21.0765 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/08/06 13:06:21.0812 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/08/06 13:06:21.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/08/06 13:06:21.0890 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/08/06 13:06:21.0921 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/08/06 13:06:21.0968 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/08/06 13:06:22.0000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/08/06 13:06:22.0046 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/08/06 13:06:22.0093 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2010/08/06 13:06:22.0140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/08/06 13:06:22.0187 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/08/06 13:06:22.0265 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/08/06 13:06:22.0312 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/08/06 13:06:22.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/08/06 13:06:22.0390 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2010/08/06 13:06:22.0437 Parport (f84785660305b9b903fb3bca8ba29837) C:\WINDOWS\system32\drivers\Parport.sys 2010/08/06 13:06:22.0468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/08/06 13:06:22.0531 ParVdm (c2bf987829099a3eaa2ca6a0a90ecb4f) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/08/06 13:06:22.0593 PCANDIS5 (d0084a9ade989fe703e4f22171f4e4dc) C:\PROGRA~1\GEMEIN~1\T-Com\DSLCheck\PCANDIS5.SYS 2010/08/06 13:06:22.0640 PCI (387e8dedc343aa2d1efbc30580273acd) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/08/06 13:06:22.0718 PCIIde (59ba86d9a61cbcf4df8e598c331f5b82) C:\WINDOWS\system32\DRIVERS\pciide.sys 2010/08/06 13:06:22.0781 Pcmcia (a2a966b77d61847d61a3051df87c8c97) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/08/06 13:06:23.0171 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/08/06 13:06:23.0203 Processor (2cb55427c58679f49ad600fccba76360) C:\WINDOWS\system32\DRIVERS\processr.sys 2010/08/06 13:06:23.0265 Profos (1bfe86c679a43994e36e623fb6898cdb) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\profos.sys 2010/08/06 13:06:23.0312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2010/08/06 13:06:23.0343 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/08/06 13:06:23.0421 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/08/06 13:06:23.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/08/06 13:06:23.0750 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys 2010/08/06 13:06:23.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/08/06 13:06:23.0843 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/08/06 13:06:23.0906 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/08/06 13:06:23.0968 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/08/06 13:06:24.0000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/08/06 13:06:24.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2010/08/06 13:06:24.0156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/08/06 13:06:24.0234 redbook (ed761d453856f795a7fe056e42c36365) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/08/06 13:06:24.0312 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys 2010/08/06 13:06:24.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/08/06 13:06:24.0406 Sentinel (7e5c2c58fc4e3862e7bf88bfb809a9b0) C:\WINDOWS\System32\Drivers\SENTINEL.SYS 2010/08/06 13:06:24.0484 serenum (5944622925d74268228222298e14dcaa) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d 2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0) 2010/08/06 13:06:24.0609 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys 2010/08/06 13:06:24.0656 sfng32 (76bd55922b3179fa7b5bd528839e6fb4) C:\WINDOWS\system32\drivers\sfng32.sys 2010/08/06 13:06:24.0718 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys 2010/08/06 13:06:24.0828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys 2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b 2010/08/06 13:06:24.0875 sptd - detected Locked file (1) 2010/08/06 13:06:24.0906 sr (50fa898f8c032796d3b1b9951bb5a90f) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/08/06 13:06:24.0937 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/08/06 13:06:25.0062 STHDA (527fd7d6919734c2a61c8aa3d5740e61) C:\WINDOWS\system32\drivers\sthda.sys 2010/08/06 13:06:25.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/08/06 13:06:25.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/08/06 13:06:25.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/08/06 13:06:25.0500 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys 2010/08/06 13:06:25.0546 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys 2010/08/06 13:06:25.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/08/06 13:06:25.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/08/06 13:06:25.0718 tdrpman147 (be7b1a73272648622b39be3c610e3ca0) C:\WINDOWS\system32\DRIVERS\tdrpm147.sys 2010/08/06 13:06:25.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/08/06 13:06:25.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/08/06 13:06:25.0906 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 2010/08/06 13:06:25.0953 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys 2010/08/06 13:06:26.0078 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\trufos.sys 2010/08/06 13:06:26.0125 TSMPacket (7c1367bff5587cf49c0ed2e664f6eac0) C:\WINDOWS\system32\DRIVERS\tsmpkt.sys 2010/08/06 13:06:26.0187 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys 2010/08/06 13:06:26.0234 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/08/06 13:06:26.0343 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys 2010/08/06 13:06:26.0390 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/08/06 13:06:26.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2010/08/06 13:06:26.0468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2010/08/06 13:06:26.0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/08/06 13:06:26.0546 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2010/08/06 13:06:26.0578 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2010/08/06 13:06:26.0625 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2010/08/06 13:06:26.0703 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys 2010/08/06 13:06:26.0734 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/08/06 13:06:26.0812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/08/06 13:06:26.0859 VClone (9bf2ea54e5ed5acdf96f1dec84c117c4) C:\WINDOWS\system32\DRIVERS\VClone.sys 2010/08/06 13:06:26.0937 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/08/06 13:06:27.0046 VolSnap (a5a712f4e880874a477af790b5186e1d) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/08/06 13:06:27.0093 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys 2010/08/06 13:06:27.0140 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys 2010/08/06 13:06:27.0156 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys 2010/08/06 13:06:27.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/08/06 13:06:27.0296 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2010/08/06 13:06:27.0390 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/08/06 13:06:27.0437 WinDriver6 (2c7d830e86b378771af5dafeae428a09) C:\WINDOWS\system32\drivers\windrvr6.sys 2010/08/06 13:06:27.0531 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2010/08/06 13:06:27.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2010/08/06 13:06:27.0843 ================================================================================ 2010/08/06 13:06:27.0843 Scan finished 2010/08/06 13:06:27.0843 ================================================================================ 2010/08/06 13:06:27.0859 Detected object count: 2 2010/08/06 13:07:53.0906 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/08/06 13:07:53.0906 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d 2010/08/06 13:07:55.0125 Backup copy found, using it.. 2010/08/06 13:07:55.0140 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot 2010/08/06 13:07:55.0140 Rootkit.Win32.TDSS.tdl3(Serial) - User select action: Cure 2010/08/06 13:07:55.0140 Locked file(sptd) - User select action: Skip |
Gerade hat Firefox unerwünscht/automatisch eine Seite namens "texasboy" aufgerufen ... Neustart noch nicht durchgeführt. Soll ich jetzt? |
ja außer natürlich dir gefällt die werbung so gut das du sie gar nicht mehr los werden willst *g* |
Mach' ich – ich bin doch nicht :balla: Bis gleich. |
Neustart durchgeführt. Lauere, was der Feuerfuchs jetzt tut ... |
Liste der Anhänge anzeigen (Anzahl: 1) Bei dem Scan hatte Kaspersky's TDSS-Killer ein Objekt identifiziert, welches immer noch moniert wird: [IMG]www.sach-fach.de/fordownloads/Screenshot%20Kasp1.jpg[/IMG] |
dann versuch mal den norman tdss cleaner und poste das ergebniss, sollte n log erstellt werden |
Also ich habe noch nicht versucht, das von Kaspersky als "suspicious object" sptd.sys zu beseitigen. Die Voreinstellung hier ist "skip". Soll da mal cure oder kill wählen. Ich wollte auf deine Expertenmeinung hören, bevor ich etwas falsch mache und mehr Schaden als Nutzen anrichte. |
Oups, war das TBB überlastet ... nun geht's wieder: Habe mit Kaspersky nichts mehr entfernt. Soll ich die Datei sptd.sys lassen oder muss mit der noch etwas gemacht werden. Hier der Report von Norman TDSS Cleaner Version 1.9.3 Copyright © 1990 - 2010, Norman ASA. Built 2010/05/25 11:56:03 Norman Scanner Engine Version: 6.04.08 Nvcbin.def Version: 6.04.00, Date: 2010/05/25 11:56:03, Variants: 57644 Scan started: 2010/08/06 14:12:39 Running pre-scan cleanup routine: Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3 Logged on user: xxxxxxx\xxxxxxxx Removed registry key: HKCR\.exe -> shell Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> "" Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000 Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000 Running anti-TDSS module: No TDSS infection detected TDSS scan complete. Will now scan for related malware Scanning bootsectors... Number of sectors found: 5 Number of sectors scanned: 5 Number of sectors not scanned: 0 Number of infections found: 0 Number of infections removed: 0 Total scanning time: 0s 125ms Scanning running processes and process memory... Number of processes/threads found: 4448 Number of processes/threads scanned: 4448 Number of processes/threads not scanned: 0 Number of infected processes/threads terminated: 0 Total scanning time: 31s Scanning file system... Scanning: prescan Scanning: C:\WINDOWS\system32\drivers\* Scanning: postscan Running post-scan cleanup routine: Removed registry key: HKCR\.exe -> shell Number of files found: 346 Number of archives unpacked: 0 Number of files scanned: 346 Number of files not scanned: 0 Number of files skipped due to exclude list: 0 Number of infected files found: 0 Number of infected files repaired/deleted: 0 Number of infections removed: 0 Total scanning time: 7s |
ok, wir versuchen mal folgendes Du hast CD-Emulatoren wie Alcohol, DaemonTools oder ähnliche auf diesem Computer installiert. Da diese Emulatoren mit Rootkit-Technik arbeiten, können sie die Fahndung nach bösartigen Rootkits verfälschen und erschweren. Lade http://filepony.de/download-defogger/ herunter und speichere es auf Deinem Desktop. Doppelklicke DeFogger, um das Tool zu starten. • Es öffnet sich das Programm-Fenster des Tools. • Klick auf den Button Disable, um die CD- Emulation-Treiber zu deaktivieren. • Klicke Ja, um fortzufahren. • Wenn die Nachricht 'Finished!' erscheint, • klicke OK. • DeFogger wird nun einen Reboot erfragen - klicke OK • Poste mir das defogger_disable.log hier in den Thread. Keinesfalls die Treiber reaktivieren, bevor es angewiesen wird. neustart, nun noch mal kaspersky tdss killer nutzen und das log posten. |
Auf diesem Rechner hatte ich mal Virtual CD Ver. 5 installiert (im Rahmen der Fehlersuche vor der Zeit hier auf dem Trojanerboard seitdem deinstalliert). Auf einem anderen Rechner hat Kaspersky tatsächlich eine Datei namens vbev5mp.sys als verdächtig eingestuft. In diesem Fall weiß ich, dass die zu Virtual CD gehört. Ich mache jetzt die empfohlene Defogger-Aufgabe. Übrigens: Bis jetzt hat Firefox keine ungewollten Aktionen gestartet. |
defogger_disable by jpshortstuff (23.02.10.1) Log created at 14:40 on 06/08/2010 (xxx name) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... Unable to read sptd.sys SPTD -> Disabled (Service running -> reboot required) -=E.O.F=- |
Keinesfalls die Treiber reaktivieren, bevor es angewiesen wird. Verstanden. neustart, nun noch mal kaspersky tdss killer nutzen und das log posten. Mach ich jetzt. |
2010/08/06 15:00:41.0671 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41 2010/08/06 15:00:41.0671 ================================================================================ 2010/08/06 15:00:41.0671 SystemInfo: 2010/08/06 15:00:41.0671 2010/08/06 15:00:41.0671 OS Version: 5.1.2600 ServicePack: 3.0 2010/08/06 15:00:41.0671 Product type: Workstation 2010/08/06 15:00:41.0671 ComputerName: SACHFACH 2010/08/06 15:00:41.0671 UserName: Gerhard Ott 2010/08/06 15:00:41.0671 Windows directory: C:\WINDOWS 2010/08/06 15:00:41.0671 System windows directory: C:\WINDOWS 2010/08/06 15:00:41.0671 Processor architecture: Intel x86 2010/08/06 15:00:41.0671 Number of processors: 2 2010/08/06 15:00:41.0671 Page size: 0x1000 2010/08/06 15:00:41.0671 Boot type: Normal boot 2010/08/06 15:00:41.0671 ================================================================================ 2010/08/06 15:00:42.0421 Initialize success 2010/08/06 15:00:45.0031 ================================================================================ 2010/08/06 15:00:45.0031 Scan started 2010/08/06 15:00:45.0031 Mode: Manual; 2010/08/06 15:00:45.0031 ================================================================================ 2010/08/06 15:00:45.0546 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/08/06 15:00:45.0593 ACPIEC (9e1ca3160dafb159ca14f83b1e317f75) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/08/06 15:00:45.0656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/08/06 15:00:45.0703 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/08/06 15:00:45.0906 AnyDVD (82ce157ff3701ab50769b2654d0b0215) C:\WINDOWS\system32\Drivers\AnyDVD.sys 2010/08/06 15:00:45.0937 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2010/08/06 15:00:46.0078 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2010/08/06 15:00:46.0140 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/08/06 15:00:46.0218 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/08/06 15:00:46.0296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/08/06 15:00:46.0328 AVMCOWAN (0bcb6b3df2e248c8e8f2ffc6f58d1341) C:\WINDOWS\system32\DRIVERS\AVMCOWAN.sys 2010/08/06 15:00:46.0390 AVMWAN (c997af59c54d69232fb7bbea4dad86e2) C:\WINDOWS\system32\DRIVERS\avmwan.sys 2010/08/06 15:00:46.0437 bdfm (ced6717bd8b67284afcf692b9316b464) C:\WINDOWS\system32\drivers\bdfm.sys 2010/08/06 15:00:46.0484 bdfsfltr (70975049e22b2efec260816cf505e6e7) C:\WINDOWS\system32\drivers\bdfsfltr.sys 2010/08/06 15:00:46.0578 bdftdif (a7bdb1958d9b8245a0ba83f46abb630c) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Firewall\bdftdif.sys 2010/08/06 15:00:46.0609 BDSelfPr (5eaf583c0b1cc2499761ea3b065f5db2) C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys 2010/08/06 15:00:46.0671 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/08/06 15:00:46.0734 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/08/06 15:00:46.0796 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/08/06 15:00:46.0843 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/08/06 15:00:46.0890 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/08/06 15:00:47.0125 cxbu0wdm (ee1d91022fc0df4f0434ec11c65e6649) C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys 2010/08/06 15:00:47.0234 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/08/06 15:00:47.0312 dmboot (0dcfc8395a99fecbb1ef771cec7fe4ea) C:\WINDOWS\system32\drivers\dmboot.sys 2010/08/06 15:00:47.0375 dmio (53720ab12b48719d00e327da470a619a) C:\WINDOWS\system32\drivers\dmio.sys 2010/08/06 15:00:47.0421 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/08/06 15:00:47.0468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/08/06 15:00:47.0578 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/08/06 15:00:47.0625 dsltestSp5 (c6b2e10cfe79169c72f0269087b9a603) C:\WINDOWS\system32\Drivers\dsltestSp5.sys 2010/08/06 15:00:47.0671 E1000 (4de4bae4accb5a49fa85801d4f226355) C:\WINDOWS\system32\DRIVERS\e1000325.sys 2010/08/06 15:00:47.0718 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys 2010/08/06 15:00:47.0765 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys 2010/08/06 15:00:47.0812 ElbyCDIO (309ac30471a0f1c3a89dee1c81230576) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys 2010/08/06 15:00:47.0859 ENUM1394 (80d1b490b60e74e002dc116ec5d41748) C:\WINDOWS\system32\DRIVERS\enum1394.sys 2010/08/06 15:00:47.0937 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/08/06 15:00:47.0984 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys 2010/08/06 15:00:48.0015 Fips (b0678a548587c5f1967b0d70bacad6c1) C:\WINDOWS\system32\drivers\Fips.sys 2010/08/06 15:00:48.0078 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys 2010/08/06 15:00:48.0125 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/08/06 15:00:48.0187 fpcibase (25baa9e7e21ca204b3202637c4f0d44e) C:\WINDOWS\system32\DRIVERS\fpcibase.sys 2010/08/06 15:00:48.0234 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/08/06 15:00:48.0281 Ftdisk (8f1955ce42e1484714b542f341647778) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/08/06 15:00:48.0359 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/08/06 15:00:48.0406 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2010/08/06 15:00:48.0453 HECI (cc2c8c23417cc7ddf5eddb17e60a14db) C:\WINDOWS\system32\DRIVERS\HECI.sys 2010/08/06 15:00:48.0515 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/08/06 15:00:48.0609 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/08/06 15:00:48.0750 i8042prt (e283b97cfbeb86c1d86baed5f7846a92) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/08/06 15:00:48.0796 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/08/06 15:00:48.0968 intelppm (4c7d2750158ed6e7ad642d97bffae351) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/08/06 15:00:49.0015 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/08/06 15:00:49.0046 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/08/06 15:00:49.0093 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/08/06 15:00:49.0140 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/08/06 15:00:49.0187 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/08/06 15:00:49.0234 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys 2010/08/06 15:00:49.0281 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/08/06 15:00:49.0343 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys 2010/08/06 15:00:49.0390 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys 2010/08/06 15:00:49.0468 isapnp (6dfb88f64135c525433e87648bda30de) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/08/06 15:00:49.0531 Kbdclass (1704d8c4c8807b889e43c649b478a452) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/08/06 15:00:49.0609 kbdhid (b6d6c117d771c98130497265f26d1882) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2010/08/06 15:00:49.0671 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/08/06 15:00:49.0703 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/08/06 15:00:49.0843 MacOpen (f1d23f78dcd65c8132c908b1e72e9143) C:\WINDOWS\system32\drivers\MacOpen.sys 2010/08/06 15:00:49.0921 MagicTune (f627e9da4d3d8dc05a15b68944302f14) C:\WINDOWS\system32\drivers\MTiCtwl.sys 2010/08/06 15:00:49.0984 MaxtorFrontPanel1 (dad2801f46631b625fb4fb37265fbe6e) C:\WINDOWS\system32\DRIVERS\mxofwfp.sys 2010/08/06 15:00:50.0046 MLPTDR_B (124aaf5d2a58e00c05019b0fb77c0966) C:\WINDOWS\system32\MLPTDR_B.sys 2010/08/06 15:00:50.0140 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/08/06 15:00:50.0187 Modem (6fb74ebd4ec57a6f1781de3852cc3362) C:\WINDOWS\system32\drivers\Modem.sys 2010/08/06 15:00:50.0234 motmodem (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motmodem.sys 2010/08/06 15:00:50.0281 Mouclass (b24ce8005deab254c0251e15cb71d802) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/08/06 15:00:50.0328 mouhid (66a6f73c74e1791464160a7065ce711a) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/08/06 15:00:50.0359 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/08/06 15:00:50.0468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/08/06 15:00:50.0515 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/08/06 15:00:50.0593 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/08/06 15:00:50.0625 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/08/06 15:00:50.0687 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/08/06 15:00:50.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/08/06 15:00:50.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/08/06 15:00:50.0875 MTXPAR (0f83a76c82d5b9f672b33923759b2b12) C:\WINDOWS\system32\DRIVERS\MTXPARM.sys 2010/08/06 15:00:51.0000 MTXPARH (6dda78a0be692b61b668fab860f276cf) C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys 2010/08/06 15:00:51.0062 Mtxparmx (a9948d5ed30db457ff92239802d97e34) C:\WINDOWS\system32\DRIVERS\Mtxparmx.sys 2010/08/06 15:00:51.0109 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/08/06 15:00:51.0156 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/08/06 15:00:51.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/08/06 15:00:51.0250 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/08/06 15:00:51.0296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/08/06 15:00:51.0328 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/08/06 15:00:51.0343 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/08/06 15:00:51.0390 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/08/06 15:00:51.0453 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2010/08/06 15:00:51.0500 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/08/06 15:00:51.0562 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/08/06 15:00:51.0625 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/08/06 15:00:51.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/08/06 15:00:51.0718 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/08/06 15:00:51.0765 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2010/08/06 15:00:51.0828 Parport (f84785660305b9b903fb3bca8ba29837) C:\WINDOWS\system32\drivers\Parport.sys 2010/08/06 15:00:51.0859 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/08/06 15:00:51.0921 ParVdm (c2bf987829099a3eaa2ca6a0a90ecb4f) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/08/06 15:00:51.0968 PCANDIS5 (d0084a9ade989fe703e4f22171f4e4dc) C:\PROGRA~1\GEMEIN~1\T-Com\DSLCheck\PCANDIS5.SYS 2010/08/06 15:00:52.0000 PCI (387e8dedc343aa2d1efbc30580273acd) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/08/06 15:00:52.0093 PCIIde (59ba86d9a61cbcf4df8e598c331f5b82) C:\WINDOWS\system32\DRIVERS\pciide.sys 2010/08/06 15:00:52.0156 Pcmcia (a2a966b77d61847d61a3051df87c8c97) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/08/06 15:00:52.0406 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/08/06 15:00:52.0453 Processor (2cb55427c58679f49ad600fccba76360) C:\WINDOWS\system32\DRIVERS\processr.sys 2010/08/06 15:00:52.0500 Profos (1bfe86c679a43994e36e623fb6898cdb) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\profos.sys 2010/08/06 15:00:52.0562 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2010/08/06 15:00:52.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/08/06 15:00:52.0656 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/08/06 15:00:52.0890 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/08/06 15:00:52.0937 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys 2010/08/06 15:00:52.0984 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/08/06 15:00:53.0046 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/08/06 15:00:53.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/08/06 15:00:53.0156 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/08/06 15:00:53.0203 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/08/06 15:00:53.0265 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2010/08/06 15:00:53.0328 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/08/06 15:00:53.0421 redbook (ed761d453856f795a7fe056e42c36365) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/08/06 15:00:53.0500 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys 2010/08/06 15:00:53.0578 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/08/06 15:00:53.0625 Sentinel (7e5c2c58fc4e3862e7bf88bfb809a9b0) C:\WINDOWS\System32\Drivers\SENTINEL.SYS 2010/08/06 15:00:53.0703 serenum (5944622925d74268228222298e14dcaa) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/08/06 15:00:53.0796 Serial (cf24eb4f0412c82bcd1f4f35a025e31d) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/08/06 15:00:53.0859 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys 2010/08/06 15:00:53.0906 sfng32 (76bd55922b3179fa7b5bd528839e6fb4) C:\WINDOWS\system32\drivers\sfng32.sys 2010/08/06 15:00:54.0015 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys 2010/08/06 15:00:54.0109 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/08/06 15:00:54.0171 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\System32\Drivers\sptd.sys 2010/08/06 15:00:54.0203 sr (50fa898f8c032796d3b1b9951bb5a90f) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/08/06 15:00:54.0250 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/08/06 15:00:54.0343 STHDA (527fd7d6919734c2a61c8aa3d5740e61) C:\WINDOWS\system32\drivers\sthda.sys 2010/08/06 15:00:54.0437 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/08/06 15:00:54.0468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/08/06 15:00:54.0640 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/08/06 15:00:54.0703 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys 2010/08/06 15:00:54.0750 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys 2010/08/06 15:00:54.0828 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/08/06 15:00:54.0890 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/08/06 15:00:54.0937 tdrpman147 (be7b1a73272648622b39be3c610e3ca0) C:\WINDOWS\system32\DRIVERS\tdrpm147.sys 2010/08/06 15:00:54.0984 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/08/06 15:00:55.0031 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/08/06 15:00:55.0093 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 2010/08/06 15:00:55.0140 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys 2010/08/06 15:00:55.0296 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\trufos.sys 2010/08/06 15:00:55.0343 TSMPacket (7c1367bff5587cf49c0ed2e664f6eac0) C:\WINDOWS\system32\DRIVERS\tsmpkt.sys 2010/08/06 15:00:55.0421 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys 2010/08/06 15:00:55.0484 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/08/06 15:00:55.0625 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys 2010/08/06 15:00:55.0671 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/08/06 15:00:55.0718 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2010/08/06 15:00:55.0750 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2010/08/06 15:00:55.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/08/06 15:00:55.0843 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2010/08/06 15:00:55.0906 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2010/08/06 15:00:55.0953 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2010/08/06 15:00:56.0000 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys 2010/08/06 15:00:56.0015 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/08/06 15:00:56.0093 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/08/06 15:00:56.0140 VClone (9bf2ea54e5ed5acdf96f1dec84c117c4) C:\WINDOWS\system32\DRIVERS\VClone.sys 2010/08/06 15:00:56.0218 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/08/06 15:00:56.0328 VolSnap (a5a712f4e880874a477af790b5186e1d) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/08/06 15:00:56.0390 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys 2010/08/06 15:00:56.0437 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys 2010/08/06 15:00:56.0484 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys 2010/08/06 15:00:56.0562 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/08/06 15:00:56.0609 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2010/08/06 15:00:56.0734 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/08/06 15:00:56.0781 WinDriver6 (2c7d830e86b378771af5dafeae428a09) C:\WINDOWS\system32\drivers\windrvr6.sys 2010/08/06 15:00:56.0875 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2010/08/06 15:00:56.0890 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2010/08/06 15:00:57.0000 ================================================================================ 2010/08/06 15:00:57.0000 Scan finished 2010/08/06 15:00:57.0000 ================================================================================ |
irgendwie fehlt da das ergebniss, sehe nicht ob er was gefunden hatt, ists immernoch langsam? wenn ja müssen wir die dateien eben anders austauschen |
Hallo MarkusG, also die Geschwindigkeit des Computers kommt wir vor wie ein frisch installiertes Windows (selbst wenn ich meine üblichen Autostartprogramme für meine Arbeit einschalte) und eingefroren ist er nach dem Combofix-Lauf nicht mehr (hatte ich oben auch kurz erwähnt). Lange braucht STOPzilla bis es nach Erscheinen des Desktop meldet; aber ich kann bereits arbeiten, d.h. andere Programme aufrufen. STOPzilla meckert natürlich immer noch irgendwas an, was vmtl. mit den GMER, OTF u.a. Installationen zu tun hat. Bisher hat auch Firefox kein weiteres Fenster ungewollt geöffnet. Können/müssen wir noch irgendwas tun? Beste Grüße, Gerhard |
wenn du mir noch sagst was "irgendwas" ist, kann ich dir vllt sagen ob alles io ist. also was genau meckert stopzilla an |
Hallo, das würde ich gerne! Aber: :nixda: ALARM: Ich starte den Desktop PC gerade und was ist: Eingefroren! Somit auch kein Zugang zu STOPzilla. Während unseres gesamten Kontakts hier ist das nach dem Combofix-Lauf nicht einmal aufgetreten. Ich muss jetzt wieder über den On-Schalter einen Hardware Reset machen, weil auch SHIFT-ALT-ENT keinen Taskmanager aufruft. Jetzt steht mir aber langsam der Angstschweiß auf der Stirn. |
wir könnten auch ne saubere neu instalation machen wenn du willst, ich zeig dir dann, wie du den pc ohne viel aufwand absicherst, da ist malware freiheit schon fast garantiert :-) |
Davor habe ich mich schon seit mehr als einer Woche gefürchtet. Es ist nicht die Neuinstallation an sich, sondern die vielen individuellen Programme, Geräte, Anschlüsse und Einstellungen danach. Gibt es wirklich keine andere Möglichkeit? Verzweifelte Grüße, Gerhard |
So nun habe ich wieder neu gestartet und DesktopPC tut wieder so als wär nix gewesen. STOPzilla meldet z.B. als erste von 55 "Infections": GASF Type: Trojan Element: File Location: C:\combofix\mbr.cfxxe und weiteres. Ich mach mal screenshots davon, denn eine Reportmöglichkeit gibt's offensichtlich nicht. Soll ich Combofix, Hijack usw mal deinstallieren, um zu sehen ob STOPzilla dann Ruhe gibt oder soll ich STOPzilla deinstallieren und lieber Malwarebytes' Antimalware-Vollversion benutzen? |
deinstaliere mal stop zilla und instaliere es neu. reinige mit otcleanit: http://oldtimer.geekstogo.com/OTM.exe Klicke cleanup! dein pc wird evtl. neu starten programm löscht sich selbst, + die verwendeten tools rechtsklick arbeitsplatz, eigenschaften, systemwiederherstellung, auf allen laufwerken deaktivieren, übernehmen, ok 5 min warten, wieder einschalten, zeigt stopzilla noch was an? |
Hier das Eventlog von STOzilla: Block/Extraction NT Service enforcer 2010-08-06 20:20:58 Disabled service: messenger - Information Internet ExplorerSiteguard 2010-08-06 20:20:57 Inspecting registered Internet Explorer toolbars Block/Extraction Registry enforcer 2010-08-06 20:20:57 Deleting WinLogon registry Information Registry enforcer 2010-08-06 20:20:57 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 20:20:50 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 20:20:50 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 20:20:49 Inspecting registered Browser Helper Objects (BHOs) Information Home page protection 2010-08-06 20:20:44 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 20:20:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 20:20:38 Disabled service: messenger - Information Process enforcer 2010-08-06 20:20:36 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 18:31:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 18:31:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 18:31:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 17:43:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 17:43:10 Disabled service: messenger - Information Home page protection 2010-08-06 17:41:27 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 17:41:21 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 17:41:20 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 17:41:19 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 17:41:19 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 17:41:12 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 17:41:11 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 17:41:11 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-06 17:41:05 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 17:41:01 Disabled service: messenger - Information Process enforcer 2010-08-06 17:41:00 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 15:36:32 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:36:15 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:36:15 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:03:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:03:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:03:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:03:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:00:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:00:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:00:39 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 15:00:39 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:58:47 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 14:58:44 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 14:58:44 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 14:58:44 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 14:58:39 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 14:58:39 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 14:58:38 Inspecting registered Browser Helper Objects (BHOs) Information Home page protection 2010-08-06 14:58:38 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 14:58:27 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:58:21 Disabled service: messenger - Information Process enforcer 2010-08-06 14:58:21 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 14:56:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:52:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:52:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:45:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:45:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:44:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:44:16 Disabled service: messenger - Information Home page protection 2010-08-06 14:43:56 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 14:43:53 Disabled service: messenger - Information Internet ExplorerSiteguard 2010-08-06 14:43:49 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 14:43:49 Inspecting registered Explorer bars Block/Extraction Registry enforcer 2010-08-06 14:43:49 Deleting WinLogon registry Information Registry enforcer 2010-08-06 14:43:42 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 14:43:42 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 14:43:42 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-06 14:43:32 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:43:28 Disabled service: messenger - Information Process enforcer 2010-08-06 14:43:28 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 14:41:12 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:41:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:40:18 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:40:18 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:39:03 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:39:02 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:24:39 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:24:39 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:23:57 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:23:57 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:12:40 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:12:39 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:12:24 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:12:24 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:07:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:07:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:03:12 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 14:03:12 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:50:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:50:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:47:57 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:47:57 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:47:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:47:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:47:02 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:47:02 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:46:20 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:46:20 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:46:19 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:46:19 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:43:26 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:43:26 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:40:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:40:16 Disabled service: messenger - Information Home page protection 2010-08-06 13:38:18 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 13:38:14 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 13:38:11 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 13:38:10 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 13:38:10 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 13:38:00 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 13:37:59 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 13:37:59 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-06 13:37:50 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:37:45 Disabled service: messenger - Information Process enforcer 2010-08-06 13:37:44 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 13:35:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:35:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:34:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:34:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:33:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:33:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:32:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:32:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:32:46 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:32:46 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:32:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:32:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:31:44 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 13:31:40 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 13:31:40 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 13:31:40 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 13:31:33 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 13:31:33 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 13:31:32 Inspecting registered Browser Helper Objects (BHOs) Information Home page protection 2010-08-06 13:31:28 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 13:31:23 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:31:20 Disabled service: messenger - Information Process enforcer 2010-08-06 13:31:19 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 13:28:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:47 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:29 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:29 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:26 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:26 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:14 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:28:13 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:08:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:08:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:07:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:07:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:06:05 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:06:05 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:01:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:01:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:00:27 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 13:00:27 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 12:54:44 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 12:54:43 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 12:51:15 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 12:51:15 Disabled service: messenger - Information Home page protection 2010-08-06 12:48:20 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 12:48:17 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 12:48:12 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 12:48:11 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 12:48:11 Inspecting registered Explorer bars Block/Extraction NT Service enforcer 2010-08-06 12:48:03 Disabled service: messenger - Information Registry enforcer 2010-08-06 12:47:57 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 12:47:57 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 12:47:57 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-06 12:47:41 Disabled service: messenger - Information Process enforcer 2010-08-06 12:47:40 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 10:57:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 10:57:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 09:23:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 09:23:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:50:18 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:50:18 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:49:06 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:49:06 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:42:24 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:42:24 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:40:00 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:40:00 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:34:59 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:34:59 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:34:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:34:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:32:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:32:04 Disabled service: messenger - Information Home page protection 2010-08-06 08:30:28 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 08:30:20 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 08:30:18 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 08:30:18 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 08:30:18 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 08:30:14 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 08:30:11 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 08:30:11 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-06 08:30:03 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:29:58 Disabled service: messenger - Information Process enforcer 2010-08-06 08:29:57 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 08:27:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:27:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:27:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:27:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:27:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:27:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:18:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:18:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:16:53 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-06 08:16:51 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-06 08:16:50 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-06 08:16:50 Inspecting registered Explorer bars Information Registry enforcer 2010-08-06 08:16:46 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-06 08:16:46 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-06 08:16:46 Inspecting registered Browser Helper Objects (BHOs) Information Home page protection 2010-08-06 08:16:46 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-06 08:16:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 08:16:32 Disabled service: messenger - Information Process enforcer 2010-08-06 08:16:31 Starting process watcher Block/Extraction NT Service enforcer 2010-08-06 06:22:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 06:22:31 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 06:16:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 06:14:15 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:54:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:54:16 Disabled service: messenger - Information Home page protection 2010-08-05 22:50:33 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-05 22:50:31 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-05 22:50:29 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-05 22:50:28 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-05 22:50:28 Inspecting registered Explorer bars Information Registry enforcer 2010-08-05 22:50:22 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-05 22:50:21 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-05 22:50:21 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-05 22:50:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:50:13 Disabled service: messenger - Information Process enforcer 2010-08-05 22:50:12 Starting process watcher Block/Extraction NT Service enforcer 2010-08-05 22:33:39 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:33:39 Disabled service: messenger - Block/Extraction File enforcer 2010-08-05 22:32:45 Deleted file: c:\dokume~1\gerhar~1\lokale~1\temp\pxlyypow.sys Block/Extraction NT Service enforcer 2010-08-05 22:32:44 Disabled service: messenger - Block/Extraction File enforcer 2010-08-05 22:32:43 Suppressed file: c:\dokume~1\gerhar~1\lokale~1\temp\pxlyypow.sys Block/Extraction NT Service enforcer 2010-08-05 22:32:43 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:31:14 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:31:14 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:31:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:31:10 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-05 22:29:27 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-05 22:29:27 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-05 22:29:27 Inspecting registered Explorer bars Information Registry enforcer 2010-08-05 22:29:21 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-05 22:29:21 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-05 22:29:21 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-05 22:29:18 Disabled service: messenger - Information Home page protection 2010-08-05 22:29:16 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-05 22:29:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 22:29:10 Disabled service: messenger - Information Process enforcer 2010-08-05 22:29:08 Starting process watcher Block/Extraction NT Service enforcer 2010-08-05 14:30:23 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:29:17 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:29:16 Removed service: pxlyypow - Block/Extraction Registry enforcer 2010-08-05 14:29:14 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\pxlyypow Block/Extraction File enforcer 2010-08-05 14:29:13 Deleted file: c:\dokume~1\gerhar~1\lokale~1\temp\pxlyypow.sys Block/Extraction Registry enforcer 2010-08-05 14:29:11 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PXLYYPOW Block/Extraction NT Service enforcer 2010-08-05 14:29:11 Disabled service: messenger - Block/Extraction File enforcer 2010-08-05 14:29:11 Quarantined file: c:\dokume~1\gerhar~1\lokale~1\temp\pxlyypow.sys Block/Extraction NT Service enforcer 2010-08-05 14:27:27 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-05 14:27:26 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-05 14:27:26 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-05 14:27:26 Inspecting registered Explorer bars Information Registry enforcer 2010-08-05 14:27:18 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-05 14:27:18 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-05 14:27:18 Inspecting registered Browser Helper Objects (BHOs) Information Home page protection 2010-08-05 14:27:18 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-05 14:26:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:26:51 Disabled service: messenger - Information Process enforcer 2010-08-05 14:26:49 Starting process watcher Block/Extraction NT Service enforcer 2010-08-05 14:23:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:23:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:23:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:23:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:22:49 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:22:49 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:16:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:16:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:15:00 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:15:00 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:11:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:11:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:10:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:10:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:10:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:10:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:07:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:07:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:05:08 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:05:08 Disabled service: messenger - Information Internet ExplorerSiteguard 2010-08-05 14:03:21 Inspecting registered Internet Explorer toolbars Block/Extraction Registry enforcer 2010-08-05 14:03:21 Deleting WinLogon registry Information Registry enforcer 2010-08-05 14:03:21 Inspecting registered Explorer bars Block/Extraction NT Service enforcer 2010-08-05 14:03:18 Disabled service: messenger - Information Registry enforcer 2010-08-05 14:03:17 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-05 14:03:17 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-05 14:03:16 Inspecting registered Browser Helper Objects (BHOs) Information Home page protection 2010-08-05 14:03:11 Checking homepage... OK Block/Extraction NT Service enforcer 2010-08-05 14:03:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 14:03:03 Disabled service: messenger - Information Process enforcer 2010-08-05 14:03:03 Starting process watcher Block/Extraction NT Service enforcer 2010-08-05 10:32:17 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 10:32:17 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 10:31:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 10:31:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 10:29:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 10:29:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-05 10:27:12 Disabled service: messenger - Block/Extraction Home page protection 2010-08-05 10:27:07 Resetting Homepage back to www.sach-fach.de Block/Extraction Registry enforcer 2010-08-05 10:27:02 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-05 10:27:02 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-05 10:27:02 Inspecting registered Explorer bars Block/Extraction NT Service enforcer 2010-08-05 10:27:01 Disabled service: messenger - Information Registry enforcer 2010-08-05 10:26:55 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-05 10:26:55 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-05 10:26:54 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-05 10:26:44 Disabled service: messenger - Information Process enforcer 2010-08-05 10:26:43 Starting process watcher Block/Extraction NT Service enforcer 2010-08-04 23:35:37 Disabled service: messenger - Information Registry enforcer 2010-08-04 23:23:01 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-04 23:23:00 Inspecting WinSock registry (LSP Chain) Information Internet ExplorerSiteguard 2010-08-04 23:23:00 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-04 23:23:00 Inspecting registered Explorer bars Information Registry enforcer 2010-08-04 23:23:00 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-04 23:23:00 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-04 23:22:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 23:22:56 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 23:22:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 23:22:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 23:22:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 23:22:52 Disabled service: messenger - Information General 2010-08-04 23:22:52 Anti-Virus definition update 12.62.3.0 successfully applied. Information General 2010-08-04 23:22:50 Request to update definitions completed successfully. Information General 2010-08-04 23:22:46 Anti-Spyware Incremental definition update 5.0.71.9 successfully applied. Information General 2010-08-04 23:22:45 Anti-Spyware Incremental definition update 5.0.71.8 successfully applied. Block/Extraction NT Service enforcer 2010-08-04 23:04:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 23:04:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:57:45 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:57:33 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-04 22:57:32 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-04 22:57:32 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-04 22:57:32 Inspecting registered Explorer bars Information Registry enforcer 2010-08-04 22:57:27 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-04 22:57:26 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-04 22:57:26 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-04 22:57:15 Disabled service: messenger - Information Process enforcer 2010-08-04 22:57:14 Starting process watcher Block/Extraction NT Service enforcer 2010-08-04 22:23:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:23:55 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:23:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:23:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:16:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 22:16:28 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 21:58:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 21:58:10 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 21:57:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 21:57:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 21:36:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 21:36:09 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:30:03 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:30:03 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:28:38 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:28:38 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:28:17 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:28:17 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:28:01 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:28:01 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:24:58 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-04 20:24:50 Deleting WinLogon registry Information Internet ExplorerSiteguard 2010-08-04 20:24:49 Inspecting registered Internet Explorer toolbars Information Registry enforcer 2010-08-04 20:24:49 Inspecting registered Explorer bars Block/Extraction NT Service enforcer 2010-08-04 20:24:48 Disabled service: messenger - Information Registry enforcer 2010-08-04 20:24:45 Inspecting WinLogon notification handlers and modules loaded by WinLogon Information Registry enforcer 2010-08-04 20:24:45 Inspecting WinSock registry (LSP Chain) Information Registry enforcer 2010-08-04 20:24:44 Inspecting registered Browser Helper Objects (BHOs) Block/Extraction NT Service enforcer 2010-08-04 20:24:33 Disabled service: messenger - Information Process enforcer 2010-08-04 20:24:32 Starting process watcher Block/Extraction NT Service enforcer 2010-08-04 20:22:08 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:22:06 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:18:01 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 20:18:01 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:18:01 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:17:59 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 20:17:58 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 20:17:58 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 19:33:12 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 19:33:12 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 19:33:12 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:46:52 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:46:51 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:46:51 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:37:37 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:37:37 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:37:37 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-04 18:37:36 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon Block/Extraction Registry enforcer 2010-08-04 18:37:36 Deleted registry value DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:37:36 Detected malicious registry entry DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system Block/Extraction NT Service enforcer 2010-08-04 18:37:36 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:37:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:37:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:37:19 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:37:19 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:37:19 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:59 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:32:59 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:59 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-04 18:32:58 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon Block/Extraction Registry enforcer 2010-08-04 18:32:58 Deleted registry value DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:32:58 Detected malicious registry entry DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system Block/Extraction NT Service enforcer 2010-08-04 18:32:57 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:32:57 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:56 Disabled service: messenger - Block/Extraction File enforcer 2010-08-04 18:32:54 Deleted file: c:\windows\mbr.exe Block/Extraction Process enforcer 2010-08-04 18:32:53 Terminated process: (2548) c:\windows\mbr.exe Block/Extraction File enforcer 2010-08-04 18:32:53 Quarantined file: c:\windows\mbr.exe Block/Extraction NT Service enforcer 2010-08-04 18:32:49 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:32:49 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:48 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:42 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction Registry enforcer 2010-08-04 18:32:42 Deleted registry value DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:32:42 Detected malicious registry entry DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:32:42 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon Block/Extraction NT Service enforcer 2010-08-04 18:32:42 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:37 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:32:37 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:32:37 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:43 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:25:43 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:43 Disabled service: messenger - Block/Extraction File enforcer 2010-08-04 18:25:42 Deleted file: c:\combofix\mbr.cfxxe Block/Extraction Process enforcer 2010-08-04 18:25:41 Terminated process: (1844) c:\combofix\mbr.cfxxe Block/Extraction File enforcer 2010-08-04 18:25:41 Quarantined file: c:\combofix\mbr.cfxxe Block/Extraction NT Service enforcer 2010-08-04 18:25:38 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:25:38 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:38 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:34 Removed driver: c:\dokumente und einstellungen\gerhard ott\lokale einstellungen\temp\catchme.sys Block/Extraction NT Service enforcer 2010-08-04 18:25:34 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:34 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:33 Removed service: catchme - Block/Extraction Registry enforcer 2010-08-04 18:25:29 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\catchme Block/Extraction Registry enforcer 2010-08-04 18:25:27 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME Block/Extraction NT Service enforcer 2010-08-04 18:25:26 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:25:26 Disabled service: messenger - Block/Extraction File enforcer 2010-08-04 18:19:04 Deleted file: c:\windows\pev.exe Block/Extraction File enforcer 2010-08-04 18:19:02 Quarantined file: c:\windows\pev.exe Block/Extraction File enforcer 2010-08-04 18:18:49 Deleted file: c:\windows\pev.exe Block/Extraction File enforcer 2010-08-04 18:18:46 Quarantined file: c:\windows\pev.exe Block/Extraction Registry enforcer 2010-08-04 18:18:35 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:18:35 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:18:31 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:18:31 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction NT Service enforcer 2010-08-04 18:18:26 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:18:25 Disabled service: messenger - Block/Extraction Registry enforcer 2010-08-04 18:18:08 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:18:08 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:17:50 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:17:50 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:17:42 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:17:42 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:17:40 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:17:40 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:17:40 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:17:40 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:10:57 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:10:57 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:08:33 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:08:33 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:08:26 Deleted registry value disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:08:26 Detected malicious registry entry disableregistrytools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction Registry enforcer 2010-08-04 18:08:24 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Warning/Detection COM enforcer 2010-08-04 18:08:24 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-3495212690-2977224712-3179768257-1006\software\microsoft\windows\currentversion\policies\system Block/Extraction NT Service enforcer 2010-08-04 18:04:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:04:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:01:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 18:01:16 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:51:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:51:11 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:43:01 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:43:01 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:39:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:39:04 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:36:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:36:54 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:36:31 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:36:31 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:05:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:05:25 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:04:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 17:04:41 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 16:59:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 16:59:07 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 14:32:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 14:32:36 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 14:32:33 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 14:32:33 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-04 14:32:30 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 20:30:15 Disabled service: messenger - Block/Extraction NT Service enforcer 2010-08-06 20:30:15 Disabled service: messenger - |
Liste der Anhänge anzeigen (Anzahl: 5) Habe die Screenshots hochgeladen. |
versuchs mal wie ichs beschrieben hab und dann schau mal ob noch gemeckert wird |
Zitat:
GMER und Norman TDSS Cleaner sind immer noch auf dem Desktop |
hmm aber otm hätte qoobox usw entfernen müssen kannst du die meldungen auch als text kopieren und posten? nutze außerdem den ccleaner: http://www.trojaner-board.de/51464-a...-ccleaner.html dateien + registry bereinigen. |
Sch... jetzt habe ich bei STOPzilla auf REMOVE now gedrückt, obwohl ich das ja stehen lassen sollen oder habe ich bei der Müdigkeit etwas missverstanden? Apropos Missverstehen: Bitte verstehe es nicht falsch, dass ich eine komplette Neuinstallation ablehne, ich fürchte mich bloß vor dem, was danach kommt ( du hast wahrscheinlich gesehen, dass das kein Spielzeug-PC ist sondern eine Arbeitsmaschine für einen Biologen). Wenn es keine andere Möglichkeit gibt, komme ich gerne darauf zurück, wenn ich darf. Oups gerade kommt 'ne E-Mail von dir. |
ok dann lasse stopzilla mal removen, dann ccleaner und dann neustart und schaue ob er immernoch rum jault :-) und noch ein neues otl log |
Also erstmal muss ich ein großes Lob aussprechen für dich und das Trojanerboard! Das ist auch für die Mitleser interessant - finde ich. Einfach Super: Soviel Ausdauer und Hilfe. Und gelernt habe ich auch noch eine Menge (weil ich die Möglichkeit hatte, mich parallel auf meinem Netbook oder dem PC meiner Frau zu informieren). Und dann noch das Angebot einer weiteren Hilfe zu einer (sicheren) Neuinstallation, die verlockend ist, wenn dieser "Rattenschwanz" der eigenen PC-Konfiguration nicht wäre... Ich werde mich am Ende der Prozedur erkundigen, wie ich mich dafür erkenntlich zeigen kann. Vor ein paar Jahren hatte meine Frau bei einem PC ein Problem, welches lokale "Helfer" nicht, bzw. nur unzureichend lösen könnten, dafür aber viel Geld bekamen. Ich hoffe das wird jetzt nicht als "flatratelabern" (hat der Opa heute aus der ZEitung gelernt) missverstanden... ... zurück zum Thema: STOPzilla hat nix mehr zu meckern, nachdem er alles removed hat. CCleaner ist durchgelaufen und aufgeräumt. Neustart warm und kalt haben funktioniert (obwohl ich dem Braten ja nicht traue). OTL Scan läuft. Erstmal QuickScan, wenn's Recht ist!? |
OTL Teil 1 OTL logfile created on: 06.08.2010 22:27:53 - Run 1 OTL by OldTimer - Version 3.2.9.1 Folder = D:\Downloads Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 64,00% Memory free 4,00 Gb Paging File | 3,00 Gb Available in Paging File | 86,00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 255,32 Gb Total Space | 221,99 Gb Free Space | 86,94% Space Free | Partition Type: NTFS Drive D: | 465,76 Gb Total Space | 418,84 Gb Free Space | 89,93% Space Free | Partition Type: NTFS Drive E: | 465,76 Gb Total Space | 202,18 Gb Free Space | 43,41% Space Free | Partition Type: NTFS Drive F: | 312,61 Gb Total Space | 113,07 Gb Free Space | 36,17% Space Free | Partition Type: NTFS Drive G: | 465,76 Gb Total Space | 214,40 Gb Free Space | 46,03% Space Free | Partition Type: NTFS H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: SACHFACH Current User Name: Gerhard Ott Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010.08.04 12:39:57 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Downloads\OTL.exe PRC - [2010.07.31 21:05:11 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2010.07.28 21:19:32 | 000,177,616 | R--- | M] (iS3, Inc.) -- C:\Programme\Tools\STOPzilla\STOPzilla.exe PRC - [2010.07.28 21:19:28 | 000,062,928 | R--- | M] (iS3, Inc.) -- C:\Programme\Gemeinsame Dateien\iS3\Anti-Spyware\SZServer.exe PRC - [2010.07.28 15:35:15 | 000,413,696 | ---- | M] (BitDefender SRL) -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Update Service\livesrv.exe PRC - [2010.07.28 15:35:14 | 001,638,240 | ---- | M] (BitDefender S. R. L.) -- C:\Programme\BitDefender\BitDefender 2009\vsserv.exe PRC - [2010.07.28 15:35:12 | 000,782,336 | ---- | M] (BitDefender S.R.L.) -- C:\Programme\BitDefender\BitDefender 2009\bdagent.exe PRC - [2010.07.28 15:35:11 | 000,442,368 | ---- | M] () -- C:\Programme\BitDefender\BitDefender 2009\seccenter.exe PRC - [2010.06.24 16:41:38 | 000,092,008 | ---- | M] (TomTom) -- C:\Programme\TomTom HOME\TomTom HOME 2\TomTomHOMEService.exe PRC - [2010.02.14 02:53:52 | 000,352,256 | ---- | M] (Realtime Soft Ltd) -- C:\Programme\UltraMon\UltraMonTaskbar.exe PRC - [2010.02.14 02:53:28 | 000,492,544 | ---- | M] (Realtime Soft Ltd) -- C:\Programme\UltraMon\UltraMon.exe PRC - [2009.12.03 12:17:49 | 000,604,488 | ---- | M] (TuneUp Software) -- C:\WINDOWS\system32\TUProgSt.exe PRC - [2009.11.13 09:30:50 | 000,486,216 | ---- | M] (TuneUp Software) -- C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe PRC - [2009.11.13 09:28:44 | 001,021,256 | ---- | M] (TuneUp Software) -- C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe PRC - [2008.10.15 02:03:55 | 000,045,936 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrobat_sl.exe PRC - [2008.10.13 13:16:44 | 000,554,264 | ---- | M] (Acronis) -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe PRC - [2008.09.19 16:21:58 | 001,262,336 | ---- | M] (Matrox Graphics Inc.) -- c:\Programme\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe PRC - [2008.09.19 16:21:32 | 000,343,296 | ---- | M] (Matrox Graphics Inc) -- c:\Programme\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe PRC - [2007.09.13 09:40:02 | 000,106,496 | ---- | M] (Bibliographisches Institut & F. A. Brockhaus AG) -- C:\Programme\Gemeinsame Dateien\DKOO\dpfserv.exe PRC - [2007.09.07 11:40:34 | 000,132,392 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe PRC - [2007.09.07 11:40:04 | 001,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Wacom_Tablet.exe PRC - [2007.06.08 04:56:31 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe PRC - [2007.05.29 12:06:44 | 000,598,960 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdfcoms.exe PRC - [2007.05.29 12:06:20 | 000,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdfserv.exe PRC - [2001.09.17 10:00:22 | 000,266,310 | ---- | M] (DataViz Inc.) -- C:\Programme\Conversions Plus\FormatM.exe ========== Modules (SafeList) ========== MOD - [2010.08.04 12:39:57 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Downloads\OTL.exe MOD - [2010.07.31 21:04:43 | 002,843,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msi.dll MOD - [2010.07.31 21:04:43 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx MOD - [2010.02.14 02:53:56 | 000,210,432 | ---- | M] (Realtime Soft Ltd) -- C:\Programme\UltraMon\RTSUltraMonHook.dll MOD - [2010.02.14 02:52:06 | 000,325,120 | ---- | M] (Realtime Soft Ltd) -- C:\Programme\UltraMon\UltraMonResButtons.dll MOD - [2009.08.13 15:55:39 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll ========== Win32 Services (SafeList) ========== SRV - File not found [On_Demand | Stopped] -- C:\Programme\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance) SRV - [2010.07.31 22:52:44 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Programme\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag) SRV - [2010.07.28 21:19:28 | 000,062,928 | R--- | M] (iS3, Inc.) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\iS3\Anti-Spyware\SZServer.exe -- (szserver) SRV - [2010.07.28 15:35:15 | 000,413,696 | ---- | M] (BitDefender SRL) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Update Service\livesrv.exe -- (LIVESRV) SRV - [2010.07.28 15:35:14 | 001,638,240 | ---- | M] (BitDefender S. R. L.) [Auto | Running] -- C:\Programme\BitDefender\BitDefender 2009\vsserv.exe -- (VSSERV) SRV - [2010.07.28 15:35:10 | 000,323,584 | ---- | M] (S.C. BitDefender S.R.L) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\scan.dll -- (scan) SRV - [2010.06.24 16:41:38 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Programme\TomTom HOME\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService) SRV - [2010.03.18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400) SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.12.03 12:17:49 | 000,604,488 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc) SRV - [2009.11.13 09:28:44 | 001,021,256 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc) SRV - [2009.11.13 09:24:42 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp) SRV - [2009.01.20 19:16:20 | 000,172,032 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe -- (Arrakis3) SRV - [2008.10.13 13:16:44 | 000,554,264 | ---- | M] (Acronis) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc) SRV - [2008.09.19 16:21:58 | 001,262,336 | ---- | M] (Matrox Graphics Inc.) [Auto | Running] -- c:\Programme\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe -- (Matrox Centering Service) SRV - [2008.09.19 16:21:32 | 000,343,296 | ---- | M] (Matrox Graphics Inc) [Auto | Running] -- c:\Programme\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe -- (Matrox.Pdesk.ServicesHost) SRV - [2007.11.26 14:50:04 | 000,294,912 | ---- | M] (T-Systems Enterprise Services GmbH) [On_Demand | Stopped] -- C:\Programme\Tools\DSL Manager\DslMgrSvc.exe -- (TDslMgrService) SRV - [2007.10.17 14:49:46 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) SRV - [2007.09.13 09:40:02 | 000,106,496 | ---- | M] (Bibliographisches Institut & F. A. Brockhaus AG) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\DKOO\dpfserv.exe -- (DPFService) SRV - [2007.09.07 11:40:04 | 001,373,480 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\WINDOWS\system32\Wacom_Tablet.exe -- (TabletServiceWacom) SRV - [2007.06.27 20:04:00 | 000,279,848 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService) SRV - [2007.06.08 04:56:31 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV) SRV - [2007.05.29 12:06:44 | 000,598,960 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdfcoms.exe -- (lxdf_device) SRV - [2007.05.29 12:06:20 | 000,099,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe -- (lxdfCATSCustConnectService) SRV - [2007.03.20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3) SRV - [2005.11.14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT) SRV - [2003.07.28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose) SRV - [2001.09.17 10:00:22 | 000,266,310 | ---- | M] (DataViz Inc.) [Auto | Running] -- C:\Programme\Conversions Plus\FORMATM.EXE -- (MacFormatService) SRV - [2000.05.24 15:20:36 | 000,015,360 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\WINDOWS\system32\ATMsrvc.exe -- (ATMsrvc) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\XrUsb.sys -- (X-Rite) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UltraMonMirror.sys -- (UltraMonMirror) DRV - File not found [Kernel | On_Demand | Stopped] -- H:\MEMIO.SYS -- (DOSMEMIO) DRV - [2010.07.31 21:04:21 | 001,485,824 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MTXPARM.sys -- (MTXPAR) DRV - [2010.07.31 21:04:21 | 001,184,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) DRV - [2010.07.31 21:04:21 | 000,971,232 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm147.sys -- (tdrpman147) Acronis Try&Decide and Restore Points filter (build 147) DRV - [2010.07.31 21:04:21 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd) DRV - [2010.07.31 21:04:21 | 000,540,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter) DRV - [2010.07.31 21:04:21 | 000,256,568 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6) DRV - [2010.07.31 21:04:21 | 000,176,715 | ---- | M] (DataViz Inc.) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\MacOpen.sys -- (MacOpen) DRV - [2010.07.31 21:04:21 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380) DRV - [2010.07.31 21:04:21 | 000,090,688 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel) DRV - [2010.07.31 21:04:21 | 000,054,272 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32) DRV - [2010.07.31 21:04:21 | 000,044,704 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter) DRV - [2010.07.31 21:04:21 | 000,029,184 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone) DRV - [2010.07.31 21:04:21 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem) DRV - [2010.07.31 21:04:21 | 000,019,712 | R--- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxofwfp.sys -- (MaxtorFrontPanel1) DRV - [2010.07.31 21:04:21 | 000,013,824 | ---- | M] (T-Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tsmpkt.sys -- (TSMPacket) DRV - [2010.07.31 21:04:21 | 000,013,396 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (MagicTune) DRV - [2010.07.31 21:04:21 | 000,012,848 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid) DRV - [2010.07.31 21:04:21 | 000,011,440 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid) DRV - [2010.07.31 21:04:21 | 000,011,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter) DRV - [2010.07.31 21:04:21 | 000,005,504 | ---- | M] (Matrox Graphics Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mtxparmx.sys -- (Mtxparmx) DRV - [2010.07.31 21:04:20 | 000,537,600 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fpcibase.sys -- (fpcibase) DRV - [2010.07.31 21:04:20 | 000,254,872 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R) DRV - [2010.07.31 21:04:20 | 000,242,184 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bdfsfltr.sys -- (bdfsfltr) DRV - [2010.07.31 21:04:20 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) DRV - [2010.07.31 21:04:20 | 000,111,112 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bdfm.sys -- (bdfm) DRV - [2010.07.31 21:04:20 | 000,106,432 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD) DRV - [2010.07.31 21:04:20 | 000,080,384 | R--- | M] (OMNIKEY) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cxbu0wdm.sys -- (cxbu0wdm) DRV - [2010.07.31 21:04:20 | 000,053,632 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avmcowan.sys -- (AVMCOWAN) DRV - [2010.07.31 21:04:20 | 000,044,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R) DRV - [2010.07.31 21:04:20 | 000,034,760 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL) DRV - [2010.07.31 21:04:20 | 000,026,816 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DslTestSp5.sys -- (dsltestSp5) DRV - [2010.07.31 21:04:20 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO) DRV - [2010.07.31 21:04:18 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir) DRV - [2010.07.31 21:04:18 | 000,006,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enum1394.sys -- (ENUM1394) DRV - [2010.07.31 21:04:17 | 000,037,568 | ---- | M] (AVM GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avmwan.sys -- (AVMWAN) DRV - [2010.07.28 15:35:10 | 000,137,224 | ---- | M] (BitDefender LLC) [Kernel | System | Running] -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Firewall\bdftdif.sys -- (bdftdif) DRV - [2010.05.12 18:01:06 | 000,059,280 | R--- | M] (iS3, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\szkgfs.sys -- (szkgfs) DRV - [2009.12.07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\szkg.sys -- (szkg5) DRV - [2009.12.07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\is3srv.sys -- (is3srv) DRV - [2009.10.14 07:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv) DRV - [2009.04.03 17:49:38 | 000,039,808 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\trufos.sys -- (Trufos) DRV - [2009.01.12 12:27:58 | 000,008,832 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Running] -- C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys -- (BDSelfPr) DRV - [2008.11.14 02:11:30 | 000,017,184 | ---- | M] (Realtime Soft Ltd) [Kernel | Auto | Running] -- C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys -- (UltraMonUtility) DRV - [2008.09.02 14:32:06 | 000,013,056 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\profos.sys -- (Profos) DRV - [2008.04.13 20:40:12 | 000,015,744 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\serenum.sys -- (serenum) DRV - [2004.08.03 22:29:38 | 000,452,736 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtxparhm.sys -- (MTXPARH) DRV - [2003.09.03 06:02:42 | 000,020,064 | ---- | M] (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\MLPTDR_B.SYS -- (MLPTDR_B) DRV - [2000.10.15 19:38:54 | 000,016,068 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\T-Com\DSLCheck\Pcandis5.sys -- (PCANDIS5) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.sach-fach.de IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local FF - HKLM\software\mozilla\Firefox\extensions\\FFToolbar@bitdefender.com: C:\Programme\BitDefender\BitDefender 2009\FFToolbar\ [2010.07.28 15:37:02 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.28 15:30:53 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.31 23:54:38 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.2\extensions\\Components: C:\Programme\Mozilla Thunderbird\components [2010.08.06 14:29:57 | 000,000,000 | ---D | M] [2010.05.13 12:48:41 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Mozilla\Extensions [2010.05.13 12:48:41 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2008.05.14 18:41:54 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Mozilla\Extensions\home2@tomtom.com [2010.08.02 15:42:37 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions [2010.07.28 15:35:13 | 000,065,536 | ---- | M] () -- C:\Programme\Mozilla Firefox\components\FFComm.dll [2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll [2010.01.16 03:15:29 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010.01.16 03:15:29 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml [2010.01.16 03:15:29 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010.01.16 03:15:29 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010.01.16 03:15:29 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2004.08.04 14:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\SnagIt\SnagitBHO.dll (TechSmith Corporation) O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Tools\Free Download Manager\iefdm2.dll () O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Programme\Tools\STOPzilla\SZIEBHO.dll (iS3, Inc.) O3 - HKLM\..\Toolbar: (BitDefender Toolbar) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programme\BitDefender\BitDefender 2009\IEToolbar.dll (Bitdefender) O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\SnagIt\SnagitIEAddin.dll (TechSmith Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O4 - HKLM..\Run: [BDAgent] C:\Programme\BitDefender\BitDefender 2009\bdagent.exe (BitDefender S.R.L.) O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Acrobat - Schnellstart.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe () O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\UltraMon.lnk = C:\WINDOWS\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = [binary data] O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O8 - Extra context menu item: An vorhandenes PDF anfügen - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Datei mit FDM herunterladen - C:\Programme\Tools\Free Download Manager\dllink.htm () O8 - Extra context menu item: In Adobe PDF konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Videos mit FDM herunterladen - C:\Programme\Tools\Free Download Manager\dlfvideo.htm () O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Computer, Inc.) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} file:///H:/components/wmvhdrating.ocx (WMVHDRatingCtrl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.) O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2007.02.07 16:26:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2010.07.31 22:22:34 | 000,001,352 | ---- | M] () - D:\AutoHotkey.ahk -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O34 - HKLM BootExecute: (OODBS) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found ========== Files/Folders - Created Within 90 Days ========== [2010.08.06 22:17:09 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Recent [2010.08.06 21:04:12 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\iS3 [2010.08.06 14:11:04 | 002,661,704 | ---- | C] (Norman ASA) -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Norman_TDSS_Cleaner.exe [2010.08.04 20:20:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2010.08.04 18:21:47 | 000,000,000 | RHSD | C] -- C:\cmdcons [2010.08.04 09:22:51 | 000,000,000 | ---D | C] -- C:\Programme\trend micro [2010.08.03 19:11:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia [2010.08.03 00:07:21 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Google [2010.08.02 20:50:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC [2010.08.02 18:57:36 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com [2010.08.02 10:11:30 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\STOPzilla! [2010.08.01 21:23:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy [2010.08.01 16:53:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2010.08.01 16:05:06 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Malwarebytes [2010.08.01 16:04:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010.08.01 16:04:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010.08.01 16:04:48 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes [2010.08.01 16:04:47 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2010.08.01 12:37:26 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\QuickScan [2010.07.31 23:55:17 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sun [2010.07.31 22:52:46 | 000,029,512 | ---- | C] (TuneUp Software) -- C:\WINDOWS\System32\TURegOpt.exe [2010.07.31 22:52:45 | 000,030,024 | ---- | C] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll [2010.07.31 22:52:14 | 000,000,000 | ---D | C] -- C:\Programme\TuneUp Utilities 2010 [2010.07.31 22:44:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\FileOpen [2010.07.31 22:44:18 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Adobe [2010.07.31 22:44:17 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Adobe [2010.07.31 22:37:10 | 000,000,000 | ---D | C] -- C:\Programme\UltraMon [2010.07.31 22:37:10 | 000,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\Realtime Soft [2010.07.31 22:37:10 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Realtime Soft [2010.07.31 21:04:20 | 000,242,184 | ---- | C] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfsfltr.sys [2010.07.31 21:04:20 | 000,111,112 | ---- | C] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfm.sys [2010.07.28 21:19:22 | 000,546,256 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll [2010.07.28 21:19:22 | 000,447,952 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll [2010.07.28 21:19:22 | 000,132,560 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3HTUI5.dll [2010.07.28 21:19:22 | 000,022,992 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll [2010.07.28 21:19:20 | 000,398,800 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3DBA5.dll [2010.07.28 21:19:20 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Svc5.dll [2010.07.28 21:19:20 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Inet5.dll [2010.07.28 21:19:20 | 000,067,024 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Hks5.dll [2010.07.28 21:19:20 | 000,028,624 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3XDat5.dll [2010.07.28 21:19:18 | 000,738,768 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Base5.dll [2010.07.28 21:19:18 | 000,390,608 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3UI5.dll [2010.07.28 21:19:18 | 000,230,864 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Win325.dll [2010.07.28 15:28:18 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\BitDefender [2010.07.28 15:22:32 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Desktop [2010.07.28 10:34:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Macromedia [2010.07.24 17:53:12 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Map Maker [2010.06.24 23:11:59 | 000,023,936 | ---- | C] (Motorola) -- C:\WINDOWS\System32\drivers\motmodem.sys [2010.06.24 22:54:07 | 000,000,000 | ---D | C] -- D:\MemoMaster [2010.06.23 16:56:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm [2010.06.23 16:56:34 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$ [2010.06.09 22:41:03 | 000,106,432 | ---- | C] (SlySoft, Inc.) -- C:\WINDOWS\System32\drivers\AnyDVD.sys [2010.05.25 11:23:13 | 000,000,000 | ---D | C] -- D:\Zwischenlager [2010.05.20 18:41:03 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Lokale Einstellungen\Anwendungsdaten\Opera [2010.05.20 18:41:03 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Opera [2010.05.17 18:07:19 | 000,000,000 | ---D | C] -- C:\Programme\MapCreator 2 [2010.05.16 12:15:33 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\TechSmith [2010.05.12 18:01:06 | 000,059,280 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\drivers\SZKGFS.sys [2009.02.12 17:07:56 | 000,434,176 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfhcp.dll [2009.02.12 17:07:52 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfinpa.dll [2009.02.12 17:07:52 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfiesc.dll [2009.02.12 17:07:51 | 000,950,272 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfusb1.dll [2009.02.12 17:07:50 | 001,200,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfserv.dll [2009.02.12 17:07:49 | 000,647,168 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfpmui.dll [2009.02.12 17:07:49 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfprox.dll [2009.02.12 17:07:48 | 000,565,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdflmpm.dll [2009.02.12 17:07:44 | 000,663,552 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfhbn3.dll [2009.02.12 17:07:40 | 000,860,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfcomc.dll [2009.02.12 17:07:40 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdfcomm.dll [7 C:\Dokumente und Einstellungen\All Users\*.tmp files -> C:\Dokumente und Einstellungen\All Users\*.tmp -> ] [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ] ========== Files - Modified Within 90 Days ========== [2010.08.06 22:26:24 | 000,000,960 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg [2010.08.06 22:25:33 | 000,000,510 | ---- | M] () -- C:\WINDOWS\tasks\Automatische Problemsuche.job [2010.08.06 22:25:10 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010.08.06 22:24:44 | 000,002,283 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\UltraMon.lnk [2010.08.06 22:24:43 | 000,002,321 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Acrobat - Schnellstart.lnk [2010.08.06 22:24:41 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010.08.06 22:24:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010.08.06 22:24:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010.08.06 22:23:23 | 013,893,632 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\ntuser.dat [2010.08.06 22:23:19 | 000,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\ntuser.ini [2010.08.06 22:15:41 | 000,000,456 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Verknüpfung mit OTL.lnk [2010.08.06 22:11:45 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin [2010.08.06 22:08:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010.08.06 22:07:25 | 000,000,766 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\CCleaner.lnk [2010.08.06 21:49:04 | 000,225,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010.08.06 14:40:18 | 000,000,020 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\defogger_reenable [2010.08.06 14:11:06 | 002,661,704 | ---- | M] (Norman ASA) -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Norman_TDSS_Cleaner.exe [2010.08.06 10:48:50 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010.08.06 10:47:23 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn [2010.08.06 10:47:23 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for [2010.08.06 10:00:20 | 000,027,005 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\lxdf [2010.08.05 14:21:24 | 000,293,376 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\u4jf7786.exe [2010.08.04 22:56:37 | 000,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI [2010.08.04 22:24:22 | 000,000,815 | ---- | M] () -- C:\rtsr_eml_sr.dat [2010.08.04 22:24:22 | 000,000,141 | ---- | M] () -- C:\dwl.dat [2010.08.04 22:24:22 | 000,000,132 | ---- | M] () -- C:\httpdwl.dat [2010.08.04 18:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010.08.04 18:21:53 | 000,000,293 | RHS- | M] () -- C:\boot.ini [2010.08.03 20:00:23 | 000,000,223 | ---- | M] () -- C:\Boot.bak [2010.08.03 15:26:57 | 000,000,118 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\JOTTI Online Scanner.url [2010.08.03 13:05:48 | 000,016,309 | ---- | M] () -- D:\Anschreiben.pdf [2010.08.03 12:56:39 | 000,000,036 | ---- | M] () -- C:\WINDOWS\iltwain.ini [2010.08.02 21:33:30 | 000,000,915 | ---- | M] () -- C:\WINDOWS\win.ini [2010.08.02 18:52:25 | 000,530,748 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat [2010.08.02 18:52:25 | 000,484,040 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010.08.02 18:52:25 | 000,105,570 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat [2010.08.02 18:52:25 | 000,080,054 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010.08.02 18:52:24 | 001,217,868 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010.08.02 15:33:51 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010.08.01 16:04:52 | 000,000,704 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.08.01 14:54:38 | 009,699,328 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\NTUSER.DAT_tureg_old [2010.08.01 11:15:18 | 000,000,478 | ---- | M] () -- C:\WINDOWS\System32\BDUpdateV1.xml [2010.07.31 22:22:34 | 000,001,352 | ---- | M] () -- D:\AutoHotkey.ahk [2010.07.31 21:18:05 | 000,001,024 | ---- | M] () -- C:\WINDOWS\System32\AutoPartNt.let [2010.07.31 21:16:34 | 000,117,813 | ---- | M] () -- C:\WINDOWS\System32\AutoPartNt.scr [2010.07.31 21:16:34 | 000,006,083 | ---- | M] () -- C:\WINDOWS\System32\AutoPartNt.nam [2010.07.31 21:05:15 | 000,282,624 | ---- | M] (Cinematronics) -- C:\WINDOWS\System32\dllcache\pinball.exe [2010.07.31 21:05:13 | 001,685,606 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sam.spd [2010.07.31 21:05:13 | 000,643,717 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ltts1033.lxa [2010.07.31 21:05:13 | 000,605,050 | ---- | M] () -- C:\WINDOWS\System32\dllcache\r1033tts.lxa [2010.07.31 21:05:13 | 000,000,888 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sam.sdf [2010.07.31 21:05:12 | 000,094,800 | ---- | M] (Twain-Arbeitsgruppe) -- C:\WINDOWS\twain.dll [2010.07.31 21:05:12 | 000,094,800 | ---- | M] (Twain-Arbeitsgruppe) -- C:\WINDOWS\System32\dllcache\twain.dll [2010.07.31 21:05:12 | 000,050,688 | ---- | M] (Twain-Arbeitsgruppe) -- C:\WINDOWS\twain_32.dll [2010.07.31 21:05:12 | 000,050,688 | ---- | M] (Twain-Arbeitsgruppe) -- C:\WINDOWS\System32\dllcache\twain_32.dll [2010.07.31 21:05:11 | 004,399,505 | ---- | M] () -- C:\WINDOWS\System32\dllcache\nls302en.lex [2010.07.31 21:05:11 | 000,380,416 | ---- | M] () -- C:\WINDOWS\System32\dllcache\msinfo.dll [2010.07.31 21:05:10 | 003,374,597 | ---- | M] (Macromedia, Inc.) -- C:\WINDOWS\System32\dllcache\tourW.exe [2010.07.31 21:05:10 | 000,461,672 | ---- | M] () -- C:\WINDOWS\System32\dllcache\micross.ttf [2010.07.31 21:05:10 | 000,279,040 | ---- | M] () -- C:\WINDOWS\System32\dllcache\tshoot.dll [2010.07.31 21:05:10 | 000,152,844 | ---- | M] () -- C:\WINDOWS\System32\dllcache\framdit.ttf [2010.07.31 21:05:10 | 000,135,984 | ---- | M] () -- C:\WINDOWS\System32\dllcache\framd.ttf [2010.07.31 21:05:09 | 001,206,508 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb [2010.07.31 21:05:09 | 000,785,972 | ---- | M] () -- C:\WINDOWS\System32\dllcache\apph_sp.sdb [2010.07.31 21:05:09 | 000,237,160 | ---- | M] () -- C:\WINDOWS\System32\dllcache\apphelp.sdb [2010.07.31 21:05:09 | 000,204,396 | ---- | M] () -- C:\WINDOWS\System32\dllcache\msimain.sdb [2010.07.31 21:05:09 | 000,081,590 | ---- | M] () -- C:\WINDOWS\System32\dllcache\apps.chm [2010.07.31 21:05:09 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sniffpol.dll [2010.07.31 21:05:09 | 000,033,280 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sstub.dll [2010.07.31 21:05:09 | 000,009,424 | ---- | M] () -- C:\WINDOWS\System32\dllcache\drvmain.sdb [2010.07.31 21:04:57 | 000,239,616 | ---- | M] () -- C:\WINDOWS\System32\dllcache\wstrendr.ax [2010.07.31 21:04:57 | 000,239,616 | ---- | M] () -- C:\WINDOWS\System32\wstrenderer.ax [2010.07.31 21:04:57 | 000,164,352 | ---- | M] () -- C:\WINDOWS\System32\wstpager.ax [2010.07.31 21:04:57 | 000,164,352 | ---- | M] () -- C:\WINDOWS\System32\dllcache\wstpager.ax [2010.07.31 21:04:55 | 000,013,312 | ---- | M] () -- C:\WINDOWS\System32\win87em.dll [2010.07.31 21:04:55 | 000,013,312 | ---- | M] () -- C:\WINDOWS\System32\dllcache\win87em.dll [2010.07.31 21:04:54 | 000,040,448 | ---- | M] () -- C:\WINDOWS\System32\wiasf.ax [2010.07.31 21:04:54 | 000,040,448 | ---- | M] () -- C:\WINDOWS\System32\dllcache\wiasf.ax [2010.07.31 21:04:54 | 000,001,157 | ---- | M] () -- C:\WINDOWS\System32\vwipxspx.exe [2010.07.31 21:04:54 | 000,001,157 | ---- | M] () -- C:\WINDOWS\System32\dllcache\vwipxspx.exe [2010.07.31 21:04:53 | 000,089,588 | ---- | M] () -- C:\WINDOWS\System32\unicode.nls [2010.07.31 21:04:53 | 000,053,248 | ---- | M] () -- C:\WINDOWS\System32\vbicodec.ax [2010.07.31 21:04:53 | 000,053,248 | ---- | M] () -- C:\WINDOWS\System32\dllcache\vbicodec.ax [2010.07.31 21:04:53 | 000,015,360 | ---- | M] () -- C:\WINDOWS\System32\tsd32.dll [2010.07.31 21:04:53 | 000,015,360 | ---- | M] () -- C:\WINDOWS\System32\dllcache\tsd32.dll [2010.07.31 21:04:51 | 000,262,148 | ---- | M] () -- C:\WINDOWS\System32\sortkey.nls [2010.07.31 21:04:51 | 000,023,044 | ---- | M] () -- C:\WINDOWS\System32\sorttbls.nls [2010.07.31 21:04:51 | 000,003,144 | ---- | M] () -- C:\WINDOWS\System32\dllcache\srgb.icm [2010.07.31 21:04:50 | 000,000,882 | ---- | M] () -- C:\WINDOWS\System32\share.exe [2010.07.31 21:04:50 | 000,000,882 | ---- | M] () -- C:\WINDOWS\System32\dllcache\share.exe [2010.07.31 21:04:49 | 000,270,848 | ---- | M] () -- C:\WINDOWS\System32\sbe.dll [2010.07.31 21:04:49 | 000,270,848 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sbe.dll [2010.07.31 21:04:49 | 000,010,240 | ---- | M] () -- C:\WINDOWS\System32\scriptpw.dll [2010.07.31 21:04:49 | 000,010,240 | ---- | M] () -- C:\WINDOWS\System32\dllcache\scriptpw.dll [2010.07.31 21:04:49 | 000,000,984 | ---- | M] () -- C:\WINDOWS\System32\dllcache\srframe.mmf [2010.07.31 21:04:48 | 000,003,358 | ---- | M] () -- C:\WINDOWS\System32\redir.exe [2010.07.31 21:04:48 | 000,003,358 | ---- | M] () -- C:\WINDOWS\System32\dllcache\redir.exe [2010.07.31 21:04:47 | 000,733,696 | ---- | M] () -- C:\WINDOWS\System32\qedwipes.dll [2010.07.31 21:04:47 | 000,733,696 | ---- | M] () -- C:\WINDOWS\System32\dllcache\qedwipes.dll [2010.07.31 21:04:47 | 000,168,720 | ---- | M] () -- C:\WINDOWS\System32\pagefileconfig.vbs [2010.07.31 21:04:47 | 000,168,720 | ---- | M] () -- C:\WINDOWS\System32\dllcache\pagefile.vbs [2010.07.31 21:04:47 | 000,157,696 | ---- | M] () -- C:\WINDOWS\System32\paqsp.dll [2010.07.31 21:04:47 | 000,157,696 | ---- | M] () -- C:\WINDOWS\System32\dllcache\paqsp.dll [2010.07.31 21:04:47 | 000,036,045 | ---- | M] () -- C:\WINDOWS\System32\prncnfg.vbs [2010.07.31 21:04:47 | 000,036,045 | ---- | M] () -- C:\WINDOWS\System32\dllcache\prncnfg.vbs [2010.07.31 21:04:47 | 000,032,871 | ---- | M] () -- C:\WINDOWS\System32\prnmngr.vbs [2010.07.31 21:04:47 | 000,032,871 | ---- | M] () -- C:\WINDOWS\System32\dllcache\prnmngr.vbs [2010.07.31 21:04:47 | 000,029,878 | ---- | M] () -- C:\WINDOWS\System32\prnport.vbs [2010.07.31 21:04:47 | 000,029,878 | ---- | M] () -- C:\WINDOWS\System32\dllcache\prnport.vbs [2010.07.31 21:04:47 | 000,025,679 | ---- | M] () -- C:\WINDOWS\System32\prndrvr.vbs [2010.07.31 21:04:47 | 000,025,679 | ---- | M] () -- C:\WINDOWS\System32\dllcache\prndrvr.vbs [2010.07.31 21:04:47 | 000,021,806 | ---- | M] () -- C:\WINDOWS\System32\prnjobs.vbs [2010.07.31 21:04:47 | 000,021,806 | ---- | M] () -- C:\WINDOWS\System32\dllcache\prnjobs.vbs [2010.07.31 21:04:47 | 000,016,046 | ---- | M] () -- C:\WINDOWS\System32\prnqctl.vbs [2010.07.31 21:04:47 | 000,016,046 | ---- | M] () -- C:\WINDOWS\System32\dllcache\prnqctl.vbs [2010.07.31 21:04:47 | 000,003,758 | ---- | M] () -- C:\WINDOWS\System32\pubprn.vbs [2010.07.31 21:04:47 | 000,003,758 | ---- | M] () -- C:\WINDOWS\System32\dllcache\pubprn.vbs [2010.07.31 21:04:47 | 000,001,950 | ---- | M] () -- C:\WINDOWS\System32\pid.inf [2010.07.31 21:04:47 | 000,001,950 | ---- | M] () -- C:\WINDOWS\System32\dllcache\pid.inf [2010.07.31 21:04:46 | 000,003,262 | ---- | M] () -- C:\WINDOWS\System32\nw16.exe [2010.07.31 21:04:46 | 000,003,262 | ---- | M] () -- C:\WINDOWS\System32\dllcache\nw16.exe [2010.07.31 21:04:45 | 000,035,648 | ---- | M] () -- C:\WINDOWS\System32\ntio411.sys [2010.07.31 21:04:45 | 000,035,648 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntio411.sys [2010.07.31 21:04:45 | 000,035,424 | ---- | M] () -- C:\WINDOWS\System32\ntio412.sys [2010.07.31 21:04:45 | 000,035,424 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntio412.sys [2010.07.31 21:04:45 | 000,034,560 | ---- | M] () -- C:\WINDOWS\System32\ntio804.sys [2010.07.31 21:04:45 | 000,034,560 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntio804.sys [2010.07.31 21:04:45 | 000,034,560 | ---- | M] () -- C:\WINDOWS\System32\ntio404.sys [2010.07.31 21:04:45 | 000,034,560 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntio404.sys [2010.07.31 21:04:45 | 000,034,032 | ---- | M] () -- C:\WINDOWS\System32\ntio.sys [2010.07.31 21:04:45 | 000,034,032 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntio.sys [2010.07.31 21:04:45 | 000,029,370 | ---- | M] () -- C:\WINDOWS\System32\ntdos411.sys [2010.07.31 21:04:45 | 000,029,370 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntdos411.sys [2010.07.31 21:04:45 | 000,029,274 | ---- | M] () -- C:\WINDOWS\System32\ntdos412.sys [2010.07.31 21:04:45 | 000,029,274 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntdos412.sys [2010.07.31 21:04:45 | 000,029,146 | ---- | M] () -- C:\WINDOWS\System32\ntdos804.sys [2010.07.31 21:04:45 | 000,029,146 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntdos804.sys [2010.07.31 21:04:45 | 000,029,146 | ---- | M] () -- C:\WINDOWS\System32\ntdos404.sys [2010.07.31 21:04:45 | 000,029,146 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntdos404.sys [2010.07.31 21:04:45 | 000,027,914 | ---- | M] () -- C:\WINDOWS\System32\ntdos.sys [2010.07.31 21:04:45 | 000,027,914 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntdos.sys [2010.07.31 21:04:45 | 000,007,084 | ---- | M] () -- C:\WINDOWS\System32\nlsfunc.exe |
OTL Teil 2 [2010.07.31 21:04:45 | 000,007,084 | ---- | M] () -- C:\WINDOWS\System32\dllcache\nlsfunc.exe [2010.07.31 21:04:43 | 000,355,112 | ---- | M] () -- C:\WINDOWS\System32\msjetoledb40.dll [2010.07.31 21:04:43 | 000,355,112 | ---- | M] () -- C:\WINDOWS\System32\dllcache\msjetol1.dll [2010.07.31 21:04:42 | 000,014,336 | ---- | M] () -- C:\WINDOWS\System32\msdmo.dll [2010.07.31 21:04:42 | 000,014,336 | ---- | M] () -- C:\WINDOWS\System32\dllcache\msdmo.dll [2010.07.31 21:04:42 | 000,000,817 | ---- | M] () -- C:\WINDOWS\System32\mscdexnt.exe [2010.07.31 21:04:42 | 000,000,817 | ---- | M] () -- C:\WINDOWS\System32\dllcache\mscdexnt.exe [2010.07.31 21:04:41 | 000,673,088 | ---- | M] () -- C:\WINDOWS\System32\mlang.dat [2010.07.31 21:04:41 | 000,673,088 | ---- | M] () -- C:\WINDOWS\System32\dllcache\mlang.dat [2010.07.31 21:04:41 | 000,148,992 | ---- | M] () -- C:\WINDOWS\System32\mpg2splt.ax [2010.07.31 21:04:41 | 000,148,992 | ---- | M] () -- C:\WINDOWS\System32\dllcache\mpg2splt.ax [2010.07.31 21:04:41 | 000,118,272 | ---- | M] () -- C:\WINDOWS\System32\dllcache\mpg2data.ax [2010.07.31 21:04:41 | 000,118,272 | ---- | M] () -- C:\WINDOWS\System32\mpeg2data.ax [2010.07.31 21:04:40 | 000,265,948 | ---- | M] () -- C:\WINDOWS\System32\locale.nls [2010.07.31 21:04:40 | 000,039,546 | ---- | M] () -- C:\WINDOWS\System32\mem.exe [2010.07.31 21:04:40 | 000,039,546 | ---- | M] () -- C:\WINDOWS\System32\dllcache\mem.exe [2010.07.31 21:04:39 | 000,042,809 | ---- | M] () -- C:\WINDOWS\System32\key01.sys [2010.07.31 21:04:39 | 000,042,809 | ---- | M] () -- C:\WINDOWS\System32\dllcache\key01.sys [2010.07.31 21:04:39 | 000,042,537 | ---- | M] () -- C:\WINDOWS\System32\keyboard.sys [2010.07.31 21:04:39 | 000,042,537 | ---- | M] () -- C:\WINDOWS\System32\dllcache\keyboard.sys [2010.07.31 21:04:39 | 000,007,046 | ---- | M] () -- C:\WINDOWS\System32\l_intl.nls [2010.07.31 21:04:39 | 000,007,046 | ---- | M] () -- C:\WINDOWS\System32\dllcache\l_intl.nls [2010.07.31 21:04:39 | 000,000,168 | ---- | M] () -- C:\WINDOWS\System32\l_except.nls [2010.07.31 21:04:39 | 000,000,168 | ---- | M] () -- C:\WINDOWS\System32\dllcache\l_except.nls [2010.07.31 21:04:37 | 000,144,776 | ---- | M] () -- C:\WINDOWS\System32\dllcache\archvapp.inf [2010.07.31 21:04:37 | 000,004,992 | ---- | M] () -- C:\WINDOWS\System32\himem.sys [2010.07.31 21:04:37 | 000,004,992 | ---- | M] () -- C:\WINDOWS\System32\dllcache\himem.sys [2010.07.31 21:04:36 | 000,444,416 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\fpcibase.sys [2010.07.31 21:04:36 | 000,444,416 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\fpcibase.sys [2010.07.31 21:04:36 | 000,024,772 | ---- | M] () -- C:\WINDOWS\System32\geo.nls [2010.07.31 21:04:36 | 000,024,772 | ---- | M] () -- C:\WINDOWS\System32\dllcache\geo.nls [2010.07.31 21:04:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\System32\fastopen.exe [2010.07.31 21:04:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\System32\dllcache\fastopen.exe [2010.07.31 21:04:35 | 000,186,880 | ---- | M] () -- C:\WINDOWS\System32\encdec.dll [2010.07.31 21:04:35 | 000,186,880 | ---- | M] () -- C:\WINDOWS\System32\dllcache\encdec.dll [2010.07.31 21:04:35 | 000,098,604 | ---- | M] () -- C:\WINDOWS\System32\dllcache\evtquery.vbs [2010.07.31 21:04:35 | 000,098,604 | ---- | M] () -- C:\WINDOWS\System32\eventquery.vbs [2010.07.31 21:04:35 | 000,057,856 | ---- | M] () -- C:\WINDOWS\System32\dvdplay.exe [2010.07.31 21:04:35 | 000,057,856 | ---- | M] () -- C:\WINDOWS\System32\dllcache\dvdplay.exe [2010.07.31 21:04:35 | 000,013,026 | ---- | M] () -- C:\WINDOWS\System32\edlin.exe [2010.07.31 21:04:35 | 000,013,026 | ---- | M] () -- C:\WINDOWS\System32\dllcache\edlin.exe [2010.07.31 21:04:35 | 000,008,584 | ---- | M] () -- C:\WINDOWS\System32\exe2bin.exe [2010.07.31 21:04:35 | 000,008,584 | ---- | M] () -- C:\WINDOWS\System32\dllcache\exe2bin.exe [2010.07.31 21:04:33 | 000,054,128 | ---- | M] () -- C:\WINDOWS\System32\dosx.exe [2010.07.31 21:04:33 | 000,054,128 | ---- | M] () -- C:\WINDOWS\System32\dllcache\dosx.exe [2010.07.31 21:04:32 | 000,021,210 | ---- | M] () -- C:\WINDOWS\System32\dllcache\debug.exe [2010.07.31 21:04:32 | 000,021,210 | ---- | M] () -- C:\WINDOWS\System32\debug.exe [2010.07.31 21:04:32 | 000,008,386 | ---- | M] () -- C:\WINDOWS\System32\ctype.nls [2010.07.31 21:04:31 | 000,027,097 | ---- | M] () -- C:\WINDOWS\System32\dllcache\country.sys [2010.07.31 21:04:31 | 000,027,097 | ---- | M] () -- C:\WINDOWS\System32\country.sys [2010.07.31 21:04:27 | 000,196,642 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_950.nls [2010.07.31 21:04:27 | 000,196,642 | ---- | M] () -- C:\WINDOWS\System32\c_950.nls [2010.07.31 21:04:27 | 000,196,642 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_949.nls [2010.07.31 21:04:27 | 000,196,642 | ---- | M] () -- C:\WINDOWS\System32\c_949.nls [2010.07.31 21:04:27 | 000,196,642 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_936.nls [2010.07.31 21:04:27 | 000,196,642 | ---- | M] () -- C:\WINDOWS\System32\c_936.nls [2010.07.31 21:04:27 | 000,162,850 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_932.nls [2010.07.31 21:04:27 | 000,162,850 | ---- | M] () -- C:\WINDOWS\System32\c_932.nls [2010.07.31 21:04:27 | 000,139,810 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_20261.nls [2010.07.31 21:04:27 | 000,139,810 | ---- | M] () -- C:\WINDOWS\System32\c_20261.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_874.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_874.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_869.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_869.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_866.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_866.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_865.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_865.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_863.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_863.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_861.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_861.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_860.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_860.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_857.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_857.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_855.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_855.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_852.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_852.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_850.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_850.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_775.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_775.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_737.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_737.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_437.nls [2010.07.31 21:04:27 | 000,066,594 | ---- | M] () -- C:\WINDOWS\System32\c_437.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_875.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_875.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_500.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_500.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28605.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28605.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28603.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28603.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28599.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28599.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28598.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28598.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28597.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\C_28597.NLS [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28595.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\C_28595.NLS [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28594.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\C_28594.NLS [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28593.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28593.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28592.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28592.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_28591.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_28591.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_21866.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_21866.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_20905.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_20905.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_20866.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_20866.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_20127.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_20127.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1258.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1258.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1257.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1257.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1256.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1256.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1255.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1255.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1254.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1254.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1253.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1252.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1252.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1251.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1250.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_1026.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_1026.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10082.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10082.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10081.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10081.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10079.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10079.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10029.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10029.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10017.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10017.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10010.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10010.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10007.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10007.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10006.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10006.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_10000.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_10000.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\dllcache\c_037.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | M] () -- C:\WINDOWS\System32\c_037.nls [2010.07.31 21:04:26 | 000,144,384 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmenum.dll [2010.07.31 21:04:26 | 000,144,384 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\avmenum.dll [2010.07.31 21:04:26 | 000,087,552 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmcoxp.dll [2010.07.31 21:04:26 | 000,087,552 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\avmcoxp.dll [2010.07.31 21:04:25 | 000,070,656 | ---- | M] () -- C:\WINDOWS\System32\dllcache\amstream.dll [2010.07.31 21:04:25 | 000,070,656 | ---- | M] () -- C:\WINDOWS\System32\amstream.dll [2010.07.31 21:04:25 | 000,012,610 | ---- | M] () -- C:\WINDOWS\System32\dllcache\append.exe [2010.07.31 21:04:25 | 000,012,610 | ---- | M] () -- C:\WINDOWS\System32\append.exe [2010.07.31 21:04:25 | 000,009,032 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ansi.sys [2010.07.31 21:04:25 | 000,009,032 | ---- | M] () -- C:\WINDOWS\System32\ansi.sys [2010.07.31 21:04:24 | 000,004,310 | ---- | M] () -- C:\WINDOWS\System32\odbcconf.rsp [2010.07.31 21:04:24 | 000,004,310 | ---- | M] () -- C:\WINDOWS\System32\dllcache\odbcconf.rsp [2010.07.31 21:04:24 | 000,002,233 | ---- | M] () -- C:\WINDOWS\System32\dllcache\12520850.cpx [2010.07.31 21:04:24 | 000,002,233 | ---- | M] () -- C:\WINDOWS\System32\12520850.cpx [2010.07.31 21:04:24 | 000,002,151 | ---- | M] () -- C:\WINDOWS\System32\dllcache\12520437.cpx [2010.07.31 21:04:24 | 000,002,151 | ---- | M] () -- C:\WINDOWS\System32\12520437.cpx [2010.07.31 21:04:23 | 013,107,200 | ---- | M] () -- C:\WINDOWS\System32\oembios.bin [2010.07.31 21:04:23 | 013,107,200 | ---- | M] () -- C:\WINDOWS\System32\dllcache\oembios.bin [2010.07.31 21:04:23 | 000,007,208 | ---- | M] () -- C:\WINDOWS\System32\secupd.sig [2010.07.31 21:04:23 | 000,007,208 | ---- | M] () -- C:\WINDOWS\System32\dllcache\secupd.sig [2010.07.31 21:04:23 | 000,006,761 | ---- | M] () -- C:\WINDOWS\System32\oembios.sig [2010.07.31 21:04:23 | 000,006,761 | ---- | M] () -- C:\WINDOWS\System32\dllcache\oembios.sig [2010.07.31 21:04:23 | 000,004,569 | ---- | M] () -- C:\WINDOWS\System32\secupd.dat [2010.07.31 21:04:23 | 000,004,569 | ---- | M] () -- C:\WINDOWS\System32\dllcache\secupd.dat [2010.07.31 21:04:23 | 000,004,461 | ---- | M] () -- C:\WINDOWS\System32\oembios.dat [2010.07.31 21:04:23 | 000,004,461 | ---- | M] () -- C:\WINDOWS\System32\dllcache\oembios.dat [2010.07.31 21:04:21 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys [2010.07.31 21:04:21 | 000,256,568 | ---- | M] (Jungo) -- C:\WINDOWS\System32\drivers\windrvr6.sys [2010.07.31 21:04:21 | 000,176,715 | ---- | M] (DataViz Inc.) -- C:\WINDOWS\System32\drivers\MacOpen.sys [2010.07.31 21:04:21 | 000,090,688 | ---- | M] (SafeNet, Inc.) -- C:\WINDOWS\System32\drivers\sentinel.sys [2010.07.31 21:04:21 | 000,054,272 | ---- | M] (Sonic Focus, Inc) -- C:\WINDOWS\System32\drivers\sfng32.sys [2010.07.31 21:04:21 | 000,029,184 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\drivers\VClone.sys [2010.07.31 21:04:21 | 000,023,936 | ---- | M] (Motorola) -- C:\WINDOWS\System32\drivers\motmodem.sys [2010.07.31 21:04:21 | 000,019,712 | R--- | M] (Maxtor Corp.) -- C:\WINDOWS\System32\drivers\mxofwfp.sys [2010.07.31 21:04:21 | 000,013,824 | ---- | M] (T-Systems) -- C:\WINDOWS\System32\drivers\tsmpkt.sys [2010.07.31 21:04:21 | 000,013,396 | ---- | M] () -- C:\WINDOWS\System32\drivers\MTictwl.sys [2010.07.31 21:04:21 | 000,012,848 | ---- | M] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacomvhid.sys [2010.07.31 21:04:21 | 000,011,984 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\drivers\RegKill.sys [2010.07.31 21:04:21 | 000,011,440 | ---- | M] (Wacom Technology) -- C:\WINDOWS\System32\drivers\WacomVKHid.sys [2010.07.31 21:04:21 | 000,011,312 | ---- | M] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacommousefilter.sys [2010.07.31 21:04:21 | 000,004,960 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntiowp.sys [2010.07.31 21:04:20 | 000,537,600 | ---- | M] (AVM Berlin) -- C:\WINDOWS\System32\drivers\fpcibase.sys [2010.07.31 21:04:20 | 000,242,184 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfsfltr.sys [2010.07.31 21:04:20 | 000,111,112 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfm.sys [2010.07.31 21:04:20 | 000,106,432 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\System32\drivers\AnyDVD.sys [2010.07.31 21:04:20 | 000,080,384 | R--- | M] (OMNIKEY) -- C:\WINDOWS\System32\drivers\cxbu0wdm.sys [2010.07.31 21:04:20 | 000,053,632 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\drivers\avmcowan.sys [2010.07.31 21:04:20 | 000,034,760 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\System32\drivers\ElbyCDFL.sys [2010.07.31 21:04:20 | 000,026,816 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\drivers\DslTestSp5.sys [2010.07.31 21:04:20 | 000,026,024 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\drivers\ElbyCDIO.sys [2010.07.31 21:04:20 | 000,017,920 | ---- | M] (Aladdin Knowledge Systems) -- C:\WINDOWS\System32\drivers\aksusb.sys [2010.07.31 21:04:18 | 003,440,660 | ---- | M] () -- C:\WINDOWS\System32\drivers\gm.dls [2010.07.31 21:04:18 | 003,440,660 | ---- | M] () -- C:\WINDOWS\System32\dllcache\gm.dls [2010.07.31 21:04:17 | 000,253,440 | ---- | M] () -- C:\WINDOWS\System32\dllcache\compatui.dll [2010.07.31 21:04:17 | 000,253,440 | ---- | M] () -- C:\WINDOWS\System32\compatui.dll [2010.07.31 21:04:17 | 000,037,568 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\drivers\avmwan.sys [2010.07.31 21:04:17 | 000,037,568 | ---- | M] (AVM GmbH) -- C:\WINDOWS\System32\dllcache\avmwan.sys [2010.07.31 21:04:16 | 000,272,128 | ---- | M] () -- C:\WINDOWS\System32\perfi009.dat [2010.07.31 21:04:16 | 000,269,480 | ---- | M] () -- C:\WINDOWS\System32\perfi007.dat [2010.07.31 21:04:16 | 000,251,712 | RHS- | M] () -- C:\ntldr [2010.07.31 21:04:16 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2010.07.31 21:04:16 | 000,034,478 | ---- | M] () -- C:\WINDOWS\System32\perfd007.dat [2010.07.31 21:04:16 | 000,028,626 | ---- | M] () -- C:\WINDOWS\System32\perfd009.dat [2010.07.28 21:19:22 | 000,546,256 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll [2010.07.28 21:19:22 | 000,447,952 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll [2010.07.28 21:19:22 | 000,132,560 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3HTUI5.dll [2010.07.28 21:19:22 | 000,022,992 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll [2010.07.28 21:19:20 | 000,398,800 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3DBA5.dll [2010.07.28 21:19:20 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Svc5.dll [2010.07.28 21:19:20 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Inet5.dll [2010.07.28 21:19:20 | 000,067,024 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Hks5.dll [2010.07.28 21:19:20 | 000,028,624 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3XDat5.dll [2010.07.28 21:19:18 | 000,738,768 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Base5.dll [2010.07.28 21:19:18 | 000,390,608 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3UI5.dll [2010.07.28 21:19:18 | 000,230,864 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Win325.dll [2010.07.28 15:29:06 | 003,176,030 | -H-- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Lokale Einstellungen\Anwendungsdaten\IconCache.db [2010.07.24 16:08:54 | 000,000,125 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Bahasa Indonesia.url [2010.07.03 15:52:27 | 000,018,432 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.06.25 00:16:21 | 000,000,362 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Dokumente.lnk [2010.06.20 14:12:12 | 000,000,124 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Repository Naturalis NL.url [2010.06.08 21:35:07 | 000,002,181 | ---- | M] () -- C:\WINDOWS\Helicon Debug Window.ini [2010.06.08 20:20:39 | 000,000,126 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\GDZ.url [2010.06.08 20:17:26 | 000,000,140 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Catfish Inventory Literatur.url [2010.06.08 20:16:05 | 000,000,182 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Am Mus Nov.url [2010.05.27 19:01:57 | 000,000,134 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Loaches Corner.url [2010.05.27 18:59:13 | 000,000,122 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Fische Asien Reiseplanung.url [2010.05.27 18:02:40 | 000,000,127 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\ILC 2010.url [2010.05.22 14:05:49 | 000,000,111 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Gallica.url [2010.05.20 21:49:40 | 000,000,112 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Medikamentenpreisvergleich.url [2010.05.19 11:51:43 | 000,000,159 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\DMI Südjütland.url [2010.05.19 11:50:46 | 000,000,173 | ---- | M] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Wetter Flensburg.url [2010.05.17 18:10:49 | 001,583,019 | ---- | M] () -- C:\WINDOWS\MapCreator 2 Uninstaller.exe [2010.05.17 17:25:46 | 000,000,142 | ---- | M] () -- C:\WINDOWS\WINMAP.INI [2010.05.12 18:01:06 | 000,059,280 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\drivers\SZKGFS.sys [7 C:\Dokumente und Einstellungen\All Users\*.tmp files -> C:\Dokumente und Einstellungen\All Users\*.tmp -> ] [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.08.06 22:25:46 | 000,000,960 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg [2010.08.06 22:15:41 | 000,000,456 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Verknüpfung mit OTL.lnk [2010.08.06 22:07:25 | 000,000,766 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\CCleaner.lnk [2010.08.06 14:40:13 | 000,000,020 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\defogger_reenable [2010.08.06 10:47:23 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn [2010.08.06 10:47:23 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for [2010.08.05 14:21:24 | 000,293,376 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\u4jf7786.exe [2010.08.04 22:24:22 | 000,000,815 | ---- | C] () -- C:\rtsr_eml_sr.dat [2010.08.04 22:24:22 | 000,000,132 | ---- | C] () -- C:\httpdwl.dat [2010.08.04 22:24:21 | 000,000,141 | ---- | C] () -- C:\dwl.dat [2010.08.04 18:21:53 | 000,000,223 | ---- | C] () -- C:\Boot.bak [2010.08.04 18:21:48 | 000,262,448 | ---- | C] () -- C:\cmldr [2010.08.03 15:26:43 | 000,000,118 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\JOTTI Online Scanner.url [2010.08.03 13:05:48 | 000,016,309 | ---- | C] () -- D:\Anschreiben.pdf [2010.08.01 16:04:52 | 000,000,704 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.08.01 14:57:07 | 000,000,000 | -H-- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\NTUSER.DAT_tureg_new.LOG [2010.07.31 22:52:48 | 000,000,510 | ---- | C] () -- C:\WINDOWS\tasks\Automatische Problemsuche.job [2010.07.31 22:37:11 | 000,002,283 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\UltraMon.lnk [2010.07.31 22:22:34 | 000,001,352 | ---- | C] () -- D:\AutoHotkey.ahk [2010.07.31 21:16:34 | 000,117,813 | ---- | C] () -- C:\WINDOWS\System32\AutoPartNt.scr [2010.07.31 21:16:34 | 000,006,083 | ---- | C] () -- C:\WINDOWS\System32\AutoPartNt.nam [2010.07.31 21:04:53 | 000,089,588 | ---- | C] () -- C:\WINDOWS\System32\unicode.nls [2010.07.31 21:04:51 | 000,262,148 | ---- | C] () -- C:\WINDOWS\System32\sortkey.nls [2010.07.31 21:04:51 | 000,023,044 | ---- | C] () -- C:\WINDOWS\System32\sorttbls.nls [2010.07.31 21:04:40 | 000,265,948 | ---- | C] () -- C:\WINDOWS\System32\locale.nls [2010.07.31 21:04:32 | 000,008,386 | ---- | C] () -- C:\WINDOWS\System32\ctype.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_1253.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_1251.nls [2010.07.31 21:04:27 | 000,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_1250.nls [2010.07.29 16:47:43 | 013,893,632 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\ntuser.dat [2010.07.29 16:47:43 | 009,699,328 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\NTUSER.DAT_tureg_old [2010.07.24 16:08:44 | 000,000,125 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Bahasa Indonesia.url [2010.06.25 00:16:21 | 000,000,362 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Dokumente.lnk [2010.06.20 14:11:54 | 000,000,124 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Repository Naturalis NL.url [2010.06.08 20:20:32 | 000,000,126 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\GDZ.url [2010.06.08 20:17:03 | 000,000,140 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Catfish Inventory Literatur.url [2010.06.08 20:15:34 | 000,000,182 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Am Mus Nov.url [2010.05.27 19:01:50 | 000,000,134 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Loaches Corner.url [2010.05.27 18:58:59 | 000,000,122 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Fische Asien Reiseplanung.url [2010.05.27 18:02:32 | 000,000,127 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\ILC 2010.url [2010.05.22 14:05:35 | 000,000,111 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Gallica.url [2010.05.20 21:49:11 | 000,000,112 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Medikamentenpreisvergleich.url [2010.05.19 11:51:34 | 000,000,159 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\DMI Südjütland.url [2010.05.19 11:50:32 | 000,000,173 | ---- | C] () -- C:\Dokumente und Einstellungen\Gerhard Ott\Desktop\Wetter Flensburg.url [2010.05.17 18:10:49 | 001,583,019 | ---- | C] () -- C:\WINDOWS\MapCreator 2 Uninstaller.exe [2010.05.17 17:25:46 | 000,000,142 | ---- | C] () -- C:\WINDOWS\WINMAP.INI [2009.12.17 12:26:40 | 000,002,181 | ---- | C] () -- C:\WINDOWS\Helicon Debug Window.ini [2009.09.23 22:08:25 | 000,008,640 | RHS- | C] () -- C:\WINDOWS\innova3.ini [2009.09.02 11:45:04 | 000,000,225 | ---- | C] () -- C:\WINDOWS\GraphicsDesk.INI [2009.03.11 18:17:48 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI [2009.02.12 17:21:04 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdfvs.dll [2009.02.12 17:20:54 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdfcoin.dll [2009.02.12 17:19:42 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxdfcaps.dll [2009.02.12 17:19:41 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdfdrs.dll [2009.02.12 17:19:40 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdfcnv4.dll [2009.02.12 17:08:22 | 000,000,060 | -H-- | C] () -- C:\WINDOWS\System32\lxdfrwrd.ini [2009.02.12 17:08:00 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdfinst.dll [2009.02.12 17:07:43 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdfgrd.dll [2008.12.01 20:09:14 | 000,000,131 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini [2008.12.01 18:11:22 | 000,004,960 | ---- | C] () -- C:\WINDOWS\System32\drivers\ntiowp.sys [2008.12.01 17:12:44 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\MtxEscape.dll [2008.11.26 19:39:23 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2008.11.01 16:15:40 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll [2008.10.09 16:31:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll [2008.05.26 22:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2008.05.26 22:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2008.05.26 22:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2008.01.15 04:31:00 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini [2007.12.22 20:28:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MusicEditor.INI [2007.12.22 19:17:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CleaningLab.INI [2007.12.20 20:22:30 | 000,000,034 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2007.11.20 21:16:23 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll [2007.11.20 21:15:45 | 000,006,768 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini [2007.11.02 18:53:01 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2007.10.31 18:07:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATM.INI [2007.10.31 18:00:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oodcnt.INI [2007.10.30 16:58:06 | 000,446,464 | ---- | C] () -- C:\WINDOWS\System32\Photomatix_jpg.dll [2007.10.30 16:58:06 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\Photomatix25Lib.dll [2007.10.30 16:58:06 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\Photomatix25Lib2.dll [2007.10.30 16:58:06 | 000,095,525 | ---- | C] () -- C:\WINDOWS\System32\Photomatix25Lib3.dll [2007.10.30 16:39:51 | 000,353,280 | ---- | C] () -- C:\WINDOWS\System32\pmtf2.dll [2007.10.30 16:39:51 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\pmtf1.dll [2007.10.30 16:39:51 | 000,204,288 | ---- | C] () -- C:\WINDOWS\System32\pmtf3.dll [2007.10.30 16:39:51 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pmexr.dll [2007.10.30 16:39:51 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmbm.dll [2007.10.30 16:39:50 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\PhotomatixLib.dll [2007.10.30 16:39:50 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\PhotomatixLib2.dll [2007.10.30 16:39:50 | 000,216,064 | ---- | C] () -- C:\WINDOWS\System32\pmjp.dll [2007.10.30 16:39:50 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\PhotomatixLib3.dll [2007.10.29 11:09:26 | 000,013,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys [2007.10.24 15:17:51 | 000,000,387 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI [2007.10.22 21:51:50 | 000,003,141 | ---- | C] () -- C:\WINDOWS\jhcfwg24.ini [2007.10.18 11:12:58 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini [2007.10.18 11:12:57 | 000,009,391 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini [2007.10.18 11:12:02 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL [2007.10.18 11:12:02 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\lmmonres.dll [2007.10.17 22:17:44 | 000,000,139 | ---- | C] () -- C:\WINDOWS\hbcikrnl.ini [2007.10.17 14:57:04 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll [2007.10.15 15:47:23 | 000,000,500 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2007.10.15 14:53:39 | 000,061,440 | R--- | C] () -- C:\WINDOWS\System32\chksvrn.dll [2007.10.15 14:53:39 | 000,000,143 | R--- | C] () -- C:\WINDOWS\System32\cmabout.ini [2007.10.15 14:53:38 | 000,163,840 | R--- | C] () -- C:\WINDOWS\System32\cmabout.dll [2007.10.15 14:53:38 | 000,010,090 | R--- | C] () -- C:\WINDOWS\System32\cmdiag.ini [2007.10.08 17:37:27 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2007.07.10 18:49:12 | 000,041,984 | ---- | C] () -- C:\WINDOWS\System32\spwini.dll [2007.01.31 14:50:32 | 000,913,408 | ---- | C] () -- C:\WINDOWS\System32\xreglib.dll [2005.11.11 12:43:28 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\libssl32.dll [2005.11.11 12:43:24 | 000,887,296 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll [2005.08.31 10:20:00 | 000,233,557 | ---- | C] () -- C:\WINDOWS\System32\esint54.dll [2004.10.07 13:50:50 | 000,072,704 | ---- | C] () -- C:\WINDOWS\System32\eminecz2.dll [2004.08.04 14:00:00 | 000,015,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\serenum.sys [2004.08.04 14:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\w6gfh4u.dll [2004.08.04 14:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll [2004.08.04 14:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll [2004.08.04 14:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll [2004.08.04 14:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll [2004.08.04 14:00:00 | 000,000,336 | ---- | C] () -- C:\WINDOWS\System32\v2spu75.dll [2004.08.04 14:00:00 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll [2004.08.04 14:00:00 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll [2004.08.04 14:00:00 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\System32\z7cyb5u.dll [2003.09.03 06:03:10 | 000,018,932 | ---- | C] () -- C:\WINDOWS\MSUMLT_B.INI [2003.02.20 17:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [2001.04.17 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL [1998.12.31 18:11:30 | 000,000,589 | ---- | C] () -- C:\WINDOWS\ATLI2.INI [1998.12.31 18:10:22 | 000,907,776 | ---- | C] () -- C:\WINDOWS\System32\OWL52F.DLL [1997.11.21 07:03:20 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL [1997.09.30 03:30:02 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL ========== LOP Check ========== [2008.11.13 19:43:25 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Acronis [2009.06.14 18:06:11 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\aewc [2009.06.14 14:34:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BDNM [2008.09.29 12:46:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BIFAB [2009.03.11 18:06:42 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BitDefender [2008.10.26 16:31:14 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Elaborate Bytes [2010.03.20 17:02:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eminec [2008.09.28 14:41:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FreeDownloadManager.ORG [2009.09.23 22:08:25 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\innoplus [2007.10.29 13:32:46 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ISDNWatch [2007.12.22 19:04:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MAGIX [2008.12.08 17:00:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Matrox [2008.12.08 16:59:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Matrox Graphics Inc [2009.11.24 17:26:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PhraseExpress [2008.05.23 21:02:59 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Quark [2007.10.24 15:17:49 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft [2008.10.26 17:24:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SlySoft [2010.08.06 22:28:06 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\STOPzilla! [2007.11.06 17:35:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Online [2008.10.01 20:47:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TechSmith [2010.06.08 21:46:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP [2009.12.05 18:51:36 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software [2007.11.20 10:48:23 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\VertusTech [2008.11.17 22:25:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Vokabeltrainer 3 [2009.06.11 17:51:01 | 000,000,000 | -H-D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{44C0A247-3014-411F-95CB-B1729C1B82D5} [2008.11.14 17:02:45 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{55A29068-F2CE-456C-9148-C869879E2357} [2009.12.05 18:51:27 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC} [2009.06.14 14:56:54 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\.doos [2007.10.18 11:29:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\3Dconnexion [2008.05.27 11:25:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\6500 Series [2008.11.13 19:47:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Acronis [2008.01.07 16:43:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Anthropics [2009.06.11 17:51:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\AquaSoft [2007.10.17 21:17:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Axaware [2007.10.22 16:43:10 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Barbecue [2010.07.28 15:28:18 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\BitDefender [2008.09.16 18:45:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\DemoPlugin [2008.06.12 16:03:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Dexpot [2008.05.25 14:17:05 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\DiashowManager [2007.10.30 15:54:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\DirPrinter [2009.11.17 18:51:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\DL [2009.12.08 15:23:35 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\doublecmd [2009.10.19 19:15:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Duden [2009.08.12 18:53:18 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\eminec [2007.11.23 19:44:47 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\EPSON [2008.09.08 20:22:14 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\FileOpen [2010.08.05 14:24:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Free Download Manager [2007.10.29 13:34:15 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\FRITZ! [2008.06.03 18:04:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\gtk-2.0 [2009.09.02 11:38:57 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Hemera [2009.09.23 22:07:26 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\innoPlus [2007.11.28 19:24:38 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Keseling [2007.11.28 20:09:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\KRKsoft [2010.07.28 21:01:43 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Lasersoft Imaging [2008.10.13 06:54:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\LearnLift [2009.02.16 18:11:55 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Lexmark Productivity Studio [2007.11.20 21:19:00 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\MAGIX [2010.07.24 17:53:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Map Maker [2008.11.26 22:03:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\MB-Ruler Pro [2010.06.10 19:39:36 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\MB-Ruler Pro special [2008.11.17 18:59:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Notepad++ [2009.04.09 12:16:13 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\OfficeUpdate12 [2008.11.13 22:33:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\OpenOffice.org [2010.05.20 18:41:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Opera [2009.11.24 18:01:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\PhraseExpress [2009.07.28 11:06:29 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\PiX-ART.com [2008.05.06 21:13:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\PPTminimizer [2007.10.17 23:45:41 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\qliner [2008.05.23 21:04:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Quark [2010.08.01 12:40:46 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\QuickScan [2007.10.24 15:23:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\ScanSoft [2008.02.06 12:51:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\SmartTools [2009.09.21 19:57:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Software4u [2009.11.05 13:34:06 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\SpeedProject [2008.04.29 17:57:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\stickies [2008.10.12 14:40:45 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\TaskCoach [2010.05.16 12:15:33 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\TechSmith [2010.05.13 12:48:38 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Thunderbird [2007.10.24 15:57:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\TomTom [2010.04.27 17:35:26 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Tracker Software [2007.10.17 16:56:59 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\TuneUp Software [2008.10.13 06:27:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\VTrain [2009.04.21 10:38:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Windows Desktop Search [2009.04.21 10:46:29 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Windows Search [2007.10.24 15:23:14 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Gerhard Ott\Anwendungsdaten\Zeon [2010.08.06 22:25:33 | 000,000,510 | ---- | M] () -- C:\WINDOWS\Tasks\Automatische Problemsuche.job ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 96 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:20C3AB27 @Alternate Data Stream - 400 bytes -> C:\Dokumente und Einstellungen\Gerhard Ott\Lokale Einstellungen\Anwendungsdaten\desktop.ini:bf5af20ce7a419b1178ece347eddc338 @Alternate Data Stream - 253 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:1957F8A9 < End of report > |
und OTL Extras: OTL EXTRAS Logfile: Code: OTL Extras logfile created on: 06.08.2010 22:27:53 - Run 1 |
Zitat:
|
Ich lasse jetzt einen OTL-Komplettscan laufen. Bis morgen - oder so - dann, nehme ich mal an ;-) |
es geht um den ccleaner, mit dem sollst du dateien bereinigen + registry |
Guten Tag, ja habe ich gemacht: CCleaner: Cleaner-Lauf und Registry-Reinigung. Alles reinigen und beheben lassen, wie Cleaner es vorgab. STOPzilla und Malwarebytes' Anti-Maleware starten mit Systemstart und melden nichts ("meckern nicht") Soll ich noch irgerndwas machen? Gruß, Gerhard |
na das ist doch schon mal was. starte otl, klicke scan, poste den inhalt von otl.txt |
Ja, das habe ich auch gedacht. :killpc: Und nun schalte ich ihn nach zwei, drei Stunden wieder ein und wast macht Win XP Desktop: Friert ein. Ich muss ih n jetzt wieder mit einem On-Knopf-Reset abwürgen. Werde dann neu einschalten, und den OTL Scan probieren. |
naja wir investieren jetzt schon so viel zeit, in der hättest ihn wie gesagt schon neu gemacht. wenn du so wichtige arbeit damit machst, hast du doch sicher backups... |
Ja, ich glaube du hast recht. Ich muss wirklich spätestens Ende der nächsten Woche einen Vortrag und eine wissenschaftliche Publikation anfangen, sonst komme ich böse in Terminschwierigkeiten. Die Arbeitsdaten sind soweit gesichert: Der PC hat vier Platten: C: System und Programme D: Arbeitsdaten E: Sicherung System und Arbeitsdaten mit Acronis F: Sicherung der Bilder(kartei) mit Acronis E: und F: sind dann nochmal auf externen Festplatten dupliziert. Heute werden wir das Neuaufsetzen nicht mehr schaffen, weil ich weg muss. Darf ich mich morgen wieder melden? Soll oder kann ich etwas dafür vorbereiten? Vielen Dank! |
Soll ich den OTL-Scan trotzdem noch machen? |
nein dann wäre er nicht mehr von nöten. ich könnte dir tipps zur absicherung geben, damit so was möglichst nicht mehr passiert wenn du magst. |
Ja, natürlich auf deine Tipps bin ich sehr gespannt und würde deinen Rat gerne weiter in Anspruch nehmen, wenn ich darf. Ich studiere morgen früh die Hinweise hier auf dem Board zum Neuaufsetzen, bereite das vor und warte dann auf deine Anweisungen. |
ok anweisungen kann ich dir ja gleich jetzt geben. 1. ab sofort nur noch als eingeschrenkter nutzer surfen vorteil: - malware kann meist gar nicht, oder nur mit eingeschrenkten rechten (gast rechte) starten. wenn du dann nen infekt haben solltest, kannst du das konto löschen und alles ist bereinigt. 2. dep für alle prozesse aktivieren. Datenausführungsverhinderung (DEP) • "Datenausführungsverhinderung für alle Programme und Dienste mit Ausnahme der ausgewählten einschalten:". wenn es zu problemen kommen sollte, kann man die betroffenen prozesse aus der Überwachung entfernen. 3. secunia: http://www.trojaner-board.de/83959-s...ector-psi.html damit kannst du programme updaten. 4. schau dir das hier an. http://www.trojaner-board.de/74052-s...-internet.html hier werden noch interessante firefox plugins genannt, noscript und adblockplus sind auf jeden fall gut, ne extra firewall muss nicht sein. 5. um das surfen sicherer zu machen, würde ich sandboxie empfehlen. Download: Sandboxie Download anleitung: drop.io (als pdf) es ist weiterhin zu empfehlen, sich, wenn du mit dem programm auskommst, ne lizenz zu besorgen, die kostet 25 € und ist dein ganzes leben lang gültig, du kannst die weiterhin auf allen pcs in deinem haushalt einsetzen. 6. ein gutes backup programm wie true image sollte nicht fehlen. Acronis True Image 2010 - Festplatten-Backup-Software, Datei-Backup und Disk Imaging, Wiederherstellung von Anwendungseinstellungen, Backup von Musik, Videos, Fotos und Outlook-Mails nach dem formatieren passwörter endern. denke wenn du dich daran hällst kann nicht mehr viel passieren. |
Na, dann werde ich mal loslegen. Melde mich wieder, wenn das System wieder steht. Vielen Dank erstmal. Beste Grüße, Gerhard |
ok meld dich dann einfach :-) |
Ob du's glaubst oder nicht: Jetzt bin ich seit Montag dabei: Festplatte C: formatiert Win XP Prof mit viel Mühe auf dem SATA-System installiert (SATA-Treiber-Laufwerk A: Thema) Baue mir meine Programme und Anwendungen nach und nach wieder auf, wobei ja etliche Neustarts fällig sind und was macht die sch... Kiste heute: Nach einem Neustart hängt sich Desktop wieder auf: keine Task Manager, nix geht mehr. Jetzt verzweifle ich wirklich. |
evtl. ists eine deiner anwendungen? sind die denn alle aus vertrauenswürdigen quellen? |
Also irgendwelche Crackz oder so'n Sch... habe ich nicht auf dem Rechner. Das ist den ganzen Scans und Protokollen ja auch zu entnehmen. Alles kommerzielle, professionelle und/oder bezahlte Programme, die fast alle seit drei Jahren auf diesem System laufen. Hatte den PC gestern in einem Labor zur Hardware-Analyse: fehlerfrei. Mehrfacher Viren/Malwarescan: Nix negatives. Verdacht: Tune Up Utilities arbeitet nach WIN und Desktopstart ewig irgendwas ab... Tune Up Utilities deinstalliert. Ergebnis: Einfrieren weg. Jetzt nach mehr als 50 Neustarts kein Einfrieren mehr. |
ja tuneup hat ja auch nichts auf pcs zu suchen. ist nutzlos und greift zu tief ins system ein. schön das das problem damit gelöst ist, hoffe ich zumindest. |
Na ja, heute morgen muckte es schon wieder mal und bei einem Verzeichniswechsel im Datei-Explorer fror er ein. Nach dem Reset und Neustart ist dann der Prozess vsserv.exe (gehört zu bitdefender) ungewöhnlich lange mit Festplattenzugriffen und einer hohen Prozessorauslastung unterwegs. Und jetzt läuft er seit drei Stunden als ob nie was gewesen wäre. Gut über diese Programme wie TuneUp usw. streiten sich ja wohl offensichtlich auch die Gelehrten. Ich habe mir jetzt mal Autoruns von Sysinternal installiert, damit ich kontrollieren klann, was meine noch zu installierenden Anwendungsprogramme so alles installieren und starten. Meinst du, dass CCleaner der optimale Aufräumer ist? Womit sollte man die Festplatten am besten befragmentieren? |
ccleaner reicht wenn man den ab und zu verwendet, zum defragmentieren nutze ich die win eigene software. welches bitdefender hast du? die 2010 version? |
Bitdefender 2009 Versions 12.0.12.1 Lizenz läuft in 210 Tagen ab |
dann upgrade mal auf 2010. das ist die neueste, bald kommt schon 2011 raus. |
Hallo Markus, das habe ich (noch) nicht gemacht, weil ich an anderer Stelle (auch hier im Board und bei bitfender) lesen konnte, dass dort das Problem der Auslastung durch vsserv.exe auch bei bitdefender 10 aufgetreten ist). Ich war schon drauf und dran das System nochmal neu aufzusetzen oder gar auf Win 7 umzusteigen, da habe ich in der Nacht von Sonnabend auf Sonntag den Systemfilecheck (SFC \snannow mit der Installations-CD von Win XP Prof im CD-Laufwerk) laufen lassen, wobei offensichtlich still und leise einige Dateien "erneuert" wurden; ein Log gibt's da offensichtlich nicht). Danach startete Win XP erstmal nur im abgesicherten Modus und die Grafikkartentreiber waren auf "Default", also die Plug-Play-Treiber zurück gesetzt; der aktuelle Matrox-Treiber für meine Karte ließ sich installieren und – welch Wunder – seit dieser Nacht läuft das System ohne Einfrieren. Bin jetzt dabei die empfohlenen Absicherungsmaßnahmen umzusetzen (Sandboxie will leider die Thunderbird-E-Mails noch nicht aus der Sandbox lassen). Beste Grüße, Gerhard |
ist thunderbird bei closed file paths eingetragen, wenn dus dort löschst, funktionierts dann? |
Liste der Anhänge anzeigen (Anzahl: 1) Danke! Hat ein bisschen gedauert, bis ich die Einstellungen gefunden habe (Siehe ScreenShot); jetzt lässt Thunderbird E-Mails oder Bilder außerhalb speichern. Gruß, Gerhard |
ok wunderbar. |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 03:44 Uhr. |
Copyright ©2000-2025, Trojaner-Board