Pests of all kinds and how to fight them: At login: ZoneAlarm message about a network with a different IP? (Windows 7)
If you are not sure whether you have picked up malware or a Trojan, create a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a Trojan or virus problem, an expert will help you clean up the infection.
19.12.2011, 21:45 | #76
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.501
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtConnectPort  Actual Address 0xBA2122F4  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateFile  Actual Address 0xBA20C5CA  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateKey  Actual Address 0xBA22B58A  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreatePort  Actual Address 0xBA212A80  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateProcess  Actual Address 0xBA225E4E  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateProcessEx  Actual Address 0xBA22623C  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateSection  Actual Address 0xBA22F6F6  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateWaitablePort  Actual Address 0xBA212BB6  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDeleteFile  Actual Address 0xBA20D1E0  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDeleteKey  Actual Address 0xBA22CE3C  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDeleteValueKey  Actual Address 0xBA22C7B2  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDuplicateObject  Actual Address 0xBA224D8A  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtLoadKey  Actual Address 0xBA22D794  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtLoadKey2  Actual Address 0xBA22D99C  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtOpenFile  Actual Address 0xBA20CDF2  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtOpenProcess  Actual Address 0xBA228160  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtOpenThread  Actual Address 0xBA227D8A  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtRenameKey  Actual Address 0xBA22E72A  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtReplaceKey  Actual Address 0xBA22E060  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtRequestWaitReplyPort  Actual Address 0xBA211EC4  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtRestoreKey  Actual Address 0xBA22F0FC  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSecureConnectPort  Actual Address 0xBA21259C  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSetInformationFile  Actual Address 0xBA20D5A4  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSetSecurityObject  Actual Address 0xBA22EC6A  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSetValueKey  Actual Address 0xBA22BF72  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSystemDebugControl  Actual Address 0xBA226EA4  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtTerminateProcess  Actual Address 0xBA226C20  Hooked by: C:\WINDOWS\System32\vsdatant.sys
==============================================
>Shadow
NtUserMessageCall  Actual Address 0xBA210D66  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtUserPostMessage  Actual Address 0xBA210EA8  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtUserPostThreadMessage  Actual Address 0xBA210FE0  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtUserRegisterRawInputDevices  Actual Address 0xBA20E97A  Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtUserSendInput  Actual Address 0xBA2113D4  Hooked by: C:\WINDOWS\System32\vsdatant.sys
==============================================
>Processes
Process: System  Process Id: 4  EPROCESS Address: 0x89A32BD0
Process: C:\WINDOWS\system32\wscntfy.exe  Process Id: 108  EPROCESS Address: 0x89167A20
Process: C:\Programme\CheckPoint\ZAForceField\ForceField.exe  Process Id: 140  EPROCESS Address: 0x896C6C08
Process: C:\WINDOWS\system32\alg.exe  Process Id: 240  EPROCESS Address: 0x89603870
Process: C:\WINDOWS\system32\smss.exe  Process Id: 356  EPROCESS Address: 0x897F6DA0
Process: C:\Programme\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe  Process Id: 440  EPROCESS Address: 0x89133020
Process: C:\WINDOWS\system32\ctfmon.exe  Process Id: 524  EPROCESS Address: 0x89122730
Process: C:\WINDOWS\system32\csrss.exe  Process Id: 572  EPROCESS Address: 0x897EA158
Process: C:\WINDOWS\system32\winlogon.exe  Process Id: 596  EPROCESS Address: 0x89888910
Process: C:\WINDOWS\system32\services.exe  Process Id: 640  EPROCESS Address: 0x897C1580
Process: C:\WINDOWS\system32\lsass.exe  Process Id: 652  EPROCESS Address: 0x895C5858
Process: C:\WINDOWS\system32\svchost.exe  Process Id: 812  EPROCESS Address: 0x897B43B8
Process: C:\WINDOWS\system32\svchost.exe  Process Id: 900  EPROCESS Address: 0x89805860
Process: C:\WINDOWS\system32\svchost.exe  Process Id: 940  EPROCESS Address: 0x89896868
Process: C:\WINDOWS\system32\svchost.exe  Process Id: 1028  EPROCESS Address: 0x897B63C8
Process: C:\WINDOWS\system32\svchost.exe  Process Id: 1056  EPROCESS Address: 0x89641860
Process: C:\WINDOWS\system32\wbem\wmiprvse.exe  Process Id: 1256  EPROCESS Address: 0x890FEBE0
Process: C:\WINDOWS\explorer.exe  Process Id: 1300  EPROCESS Address: 0x89830BE0
Process: C:\Programme\CheckPoint\ZAForceField\ISWSVC.exe  Process Id: 1508  EPROCESS Address: 0x8961E860
Process: C:\WINDOWS\system32\spoolsv.exe  Process Id: 1564  EPROCESS Address: 0x8961F5D0
Process: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  Process Id: 1660  EPROCESS Address: 0x898CE8B0
Process: C:\Programme\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe  Process Id: 1772  EPROCESS Address: 0x8961C6F0
Process: C:\Programme\Internet Explorer\iexplore.exe  Process Id: 2420  EPROCESS Address: 0x89631860
Process: C:\WINDOWS\system32\wuauclt.exe  Process Id: 2504  EPROCESS Address: 0x898B7020
Process: C:\WINDOWS\system32\wpabaln.exe  Process Id: 3328  EPROCESS Address: 0x8913F508
Process: C:\Programme\CheckPoint\ZoneAlarm\zatray.exe  Process Id: 452  EPROCESS Address: 0x891374E0
Process: C:\Programme\CheckPoint\ZoneAlarm\vsmon.exe  Process Id: 1104  EPROCESS Address: 0x895C0AB8
Process: C:\Dokumente und Einstellungen\Rich\Desktop\RkUnhooker\ne2Jr8N2.exe  Process Id: 1844  EPROCESS Address: 0x88CC6B28
==============================================
>Drivers
Driver: C:\WINDOWS\system32\ntkrnlpa.exe  Address: 0x804D7000  Size: 2154496 bytes
Driver: PnpManager  Address: 0x804D7000  Size: 2154496 bytes
Driver: RAW  Address: 0x804D7000  Size: 2154496 bytes
Driver: WMIxWDM  Address: 0x804D7000  Size: 2154496 bytes
Driver: Win32k  Address: 0xBF800000  Size: 1847296 bytes
Driver: C:\WINDOWS\System32\win32k.sys  Address: 0xBF800000  Size: 1847296 bytes
Driver: Ntfs.sys  Address: 0xBA65A000  Size: 577536 bytes
Driver: C:\WINDOWS\System32\vsdatant.sys  Address: 0xBA1F1000  Size: 520192 bytes
Driver: C:\WINDOWS\System32\Drivers\wdf01000.sys  Address: 0xBA470000  Size: 507904 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys  Address: 0xBA10C000  Size: 458752 bytes
Driver: C:\WINDOWS\system32\DRIVERS\update.sys  Address: 0xBA4FE000  Size: 385024 bytes
Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys  Address: 0xBA2BE000  Size: 364544 bytes
Driver: C:\WINDOWS\system32\DRIVERS\srv.sys  Address: 0xB9670000  Size: 335872 bytes
Driver: C:\WINDOWS\System32\Drivers\HTTP.sys  Address: 0xB93AF000  Size: 266240 bytes
Driver: ACPI.sys  Address: 0xBA778000  Size: 192512 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys  Address: 0xB97DA000  Size: 184320 bytes
Driver: NDIS.sys  Address: 0xBA62D000  Size: 184320 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys  Address: 0xBA17C000  Size: 176128 bytes
Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys  Address: 0xBA270000  Size: 163840 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys  Address: 0xBA298000  Size: 155648 bytes
Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS  Address: 0xBA5A7000  Size: 147456 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ks.sys  Address: 0xBA584000  Size: 143360 bytes
Driver: C:\WINDOWS\System32\drivers\afd.sys  Address: 0xBA1A7000  Size: 139264 bytes
Driver: ACPI_HAL  Address: 0x806E5000  Size: 134400 bytes
Driver: C:\WINDOWS\system32\hal.dll  Address: 0x806E5000  Size: 134400 bytes
Driver: fltmgr.sys  Address: 0xBA710000  Size: 131072 bytes
Driver: ftdisk.sys  Address: 0xBA748000  Size: 126976 bytes
Driver: Mup.sys  Address: 0xBA613000  Size: 106496 bytes
Driver: atapi.sys  Address: 0xBA730000  Size: 98304 bytes
Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys  Address: 0xBA0DF000  Size: 98304 bytes
Driver: KSecDD.sys  Address: 0xBA6E7000  Size: 94208 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys  Address: 0xBA56D000  Size: 94208 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ew_jucdcacm.sys  Address: 0xBA0F7000  Size: 86016 bytes
Driver: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS  Address: 0xBA34A000  Size: 81920 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys  Address: 0xBA317000  Size: 77824 bytes
Driver: C:\WINDOWS\System32\drivers\dxg.sys  Address: 0xBF9C3000  Size: 73728 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ew_jubusenum.sys  Address: 0xBA4EC000  Size: 73728 bytes
Driver: sr.sys  Address: 0xBA6FE000  Size: 73728 bytes
Driver: pci.sys  Address: 0xBA767000  Size: 69632 bytes
Driver: C:\WINDOWS\system32\DRIVERS\psched.sys  Address: 0xBA55C000  Size: 69632 bytes
Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS  Address: 0xBAA88000  Size: 65536 bytes
Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys  Address: 0xBA998000  Size: 65536 bytes
Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys  Address: 0xBA9A8000  Size: 61440 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys  Address: 0xBAA28000  Size: 61440 bytes
Driver: VolSnap.sys  Address: 0xBA8C8000  Size: 57344 bytes
Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS  Address: 0xBA8E8000  Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ew_jucdcecm.sys  Address: 0xBAA98000  Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys  Address: 0xBA978000  Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys  Address: 0xBA9B8000  Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS  Address: 0xBAA08000  Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys  Address: 0xBA9D8000  Size: 49152 bytes
Driver: C:\WINDOWS\System32\Drivers\Fips.SYS  Address: 0xBAA58000  Size: 45056 bytes
Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys  Address: 0xBA988000  Size: 45056 bytes
Driver: MountMgr.sys  Address: 0xBA8B8000  Size: 45056 bytes
Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys  Address: 0xBA9C8000  Size: 45056 bytes
Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys  Address: 0xBA968000  Size: 40960 bytes
Driver: isapnp.sys  Address: 0xBA8A8000  Size: 40960 bytes
Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS  Address: 0xBAA18000  Size: 40960 bytes
Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys  Address: 0xBA9F8000  Size: 40960 bytes
Driver: disk.sys  Address: 0xBA8D8000  Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys  Address: 0xBA9E8000  Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys  Address: 0xBAA48000  Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys  Address: 0xBAA38000  Size: 36864 bytes
Driver: C:\Programme\CheckPoint\ZAForceField\ISWKL.sys  Address: 0xBAC10000  Size: 32768 bytes
Driver: C:\WINDOWS\System32\Drivers\Modem.SYS  Address: 0xBAC20000  Size: 32768 bytes
Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS  Address: 0xBABF0000  Size: 32768 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys  Address: 0xBAC00000  Size: 32768 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys  Address: 0xBAB98000  Size: 32768 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ew_juextctrl.sys  Address: 0xBAC28000  Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys  Address: 0xBABA0000  Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS  Address: 0xBAB28000  Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS  Address: 0xBAC08000  Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys  Address: 0xBABA8000  Size: 24576 bytes
Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS  Address: 0xBAC60000  Size: 24576 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys  Address: 0xBAB90000  Size: 24576 bytes
Driver: C:\WINDOWS\System32\drivers\vga.sys  Address: 0xBABE0000  Size: 24576 bytes
Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS  Address: 0xBABE8000  Size: 20480 bytes
Driver: PartMgr.sys  Address: 0xBAB30000  Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys  Address: 0xBABB8000  Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys  Address: 0xBABC0000  Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS  Address: 0xBABB0000  Size: 20480 bytes
Driver: C:\WINDOWS\System32\watchdog.sys  Address: 0xBAC30000  Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys  Address: 0xBAD48000  Size: 16384 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys  Address: 0xB9BBF000  Size: 16384 bytes
Driver: C:\WINDOWS\system32\BOOTVID.dll  Address: 0xBACB8000  Size: 12288 bytes
Driver: C:\WINDOWS\System32\drivers\Dxapi.sys  Address: 0xBA5D3000  Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ew_usbenumfilter.sys  Address: 0xBAD88000  Size: 12288 bytes
Driver: C:\WINDOWS\System32\framebuf.dll  Address: 0xBFF70000  Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys  Address: 0xBAD40000  Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys  Address: 0xBAD74000  Size: 12288 bytes
Driver: C:\WINDOWS\System32\Drivers\Beep.SYS  Address: 0xBADB6000  Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS  Address: 0xBADBC000  Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS  Address: 0xBADB4000  Size: 8192 bytes
Driver: C:\WINDOWS\system32\KDCOM.DLL  Address: 0xBADA8000  Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS  Address: 0xBADB8000  Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys  Address: 0xBADBA000  Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys  Address: 0xBADB0000  Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS  Address: 0xBADB2000  Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS  Address: 0xBADAA000  Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys  Address: 0xBAECA000  Size: 4096 bytes
Driver: C:\WINDOWS\System32\drivers\dxgthk.sys  Address: 0xBAEFF000  Size: 4096 bytes
Driver: C:\WINDOWS\System32\Drivers\Null.SYS  Address: 0xBAF3D000  Size: 4096 bytes
Driver: pciide.sys  Address: 0xBAE70000  Size: 4096 bytes
==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xBA2FD3A8 hook handler located in [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xBA2FD3D4 hook handler located in [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xBA2FD3E0 hook handler located in [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xBAA3DB4C hook handler located in [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xBAA3DB1C hook handler located in [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xBAA3DB3C hook handler located in [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xBAA3DB28 hook handler located in [vsdatant.sys]
[1028]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1028]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1056]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[108]wscntfy.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1256]wmiprvse.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[1300]explorer.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1300]explorer.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump at address 0x7C8449FD hook handler located in [ISWDMP.dll]
[140]ForceField.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[140]ForceField.exe-->user32.dll+0x000142A8, Type: Inline - RelativeJump at address 0x7E3742A8 hook handler located in [ISWSHEX.dll]
[1508]ISWSVC.exe-->kernel32.dll+0x00002C2C, Type: Inline - SEH at address 0x7C802C2C hook handler located in [unknown_code_page]
[1508]ISWSVC.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1508]ISWSVC.exe-->user32.dll+0x000142A8, Type: Inline - RelativeJump at address 0x7E3742A8 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1564]spoolsv.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1660]mscorsvw.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[1772]VmbService.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[240]alg.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[2504]wuauclt.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[3328]wpabaln.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[440]MobileBroadband.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[524]ctfmon.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[596]winlogon.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[640]services.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[640]services.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[640]services.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[640]services.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[640]services.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[640]services.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[640]services.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[640]services.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[652]lsass.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll]
[812]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll] [900]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump at address 0x77DA7416 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump at address 0x77DAF183 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309D1 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->ntdll.dll-->NtAccessCheckAndAuditAlarm, Type: Inline - RelativeJump at address 0x7C91CE70 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->ntdll.dll-->NtImpersonateAnonymousToken, Type: Inline - RelativeJump at address 0x7C91D3E0 hook handler located in [ISWSHEX.dll] 
[940]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump at address 0x7C91DC80 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump at address 0x7E3782E1 hook handler located in [ISWSHEX.dll] [940]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll] |
19.12.2011, 21:48 | #77 |
| But that can't be ... I'll throw the PC away and buy a new one .. Could it be that she has dug herself in so deep that even setting Windows up again from scratch won't get her out? .. Tell me |
20.12.2011, 12:50 | #78 |
/// Malware-holic | Why? Who is "she" supposed to be? Most of these are functions used by your firewall.
vsdatant.sys is part of your firewall. What exactly does the message say? Is there an IP with it? The logs are all clean; your PC has been formatted and is therefore fine as well. Or are there still anomalies to be seen... Please continue with the hardening steps.
|
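The expert's point above is that every hook in the report traces back to ZoneAlarm components (vsdatant.sys and ISWSHEX.dll). As an added triage example that is not part of the thread, the following Python script parses RkUnhooker hook lines, groups the hooked functions by the module that installed the hook, and separates known firewall modules from anything unexplained; the sample input is constructed, and PLACEHOLDER_UNKNOWN.dll is a made-up module name.

```python
import re
from collections import defaultdict

# Two line shapes appear in RkUnhooker reports:
#   SSDT:   NtCreateFile Actual Address 0xBA20C5CA Hooked by: C:\WINDOWS\System32\vsdatant.sys
#   Inline: [812]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump
#           at address 0x7C91DC80 hook handler located in [ISWSHEX.dll]
# Extraction often runs several entries onto one line, so we scan the whole text with finditer.
INLINE_RE = re.compile(
    r"\[(?P<pid>\d+)\](?P<proc>\S+?)-->(?P<module>\S+?)-->(?P<func>\w+), "
    r"Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+) "
    r"hook handler located in \[(?P<handler>[^\]]+)\]"
)
SSDT_RE = re.compile(
    r"(?P<func>Nt\w+) Actual Address (?P<addr>0x[0-9A-Fa-f]+) Hooked by: (?P<handler>\S+)"
)

# Modules the thread identifies as belonging to the ZoneAlarm firewall.
KNOWN_HANDLERS = {"vsdatant.sys", "iswshex.dll"}


def parse_hooks(text):
    """Return one dict per hook entry; the handler is reduced to a lower-case file name."""
    hooks = []
    for regex in (SSDT_RE, INLINE_RE):
        for m in regex.finditer(text):
            entry = m.groupdict()
            entry["handler"] = entry["handler"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            hooks.append(entry)
    return hooks


def triage(hooks, known=KNOWN_HANDLERS):
    """Group hooked functions by handler module and split into known vs. unexplained."""
    by_handler = defaultdict(set)
    for h in hooks:
        by_handler[h["handler"]].add(h["func"])
    known_part = {k: sorted(v) for k, v in by_handler.items() if k in known}
    unknown_part = {k: sorted(v) for k, v in by_handler.items() if k not in known}
    return known_part, unknown_part


# Constructed sample: three real-looking ZoneAlarm entries plus one made-up unexplained handler.
SAMPLE = (
    "NtCreateFile Actual Address 0xBA20C5CA Hooked by: C:\\WINDOWS\\System32\\vsdatant.sys "
    "[812]svchost.exe-->ntdll.dll-->NtSetInformationObject, Type: Inline - RelativeJump "
    "at address 0x7C91DC80 hook handler located in [ISWSHEX.dll] "
    "[652]lsass.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump "
    "at address 0x7E37C9C3 hook handler located in [ISWSHEX.dll] "
    "[1234]explorer.exe-->ntdll.dll-->NtQueryDirectoryFile, Type: Inline - RelativeJump "
    "at address 0x7C910000 hook handler located in [PLACEHOLDER_UNKNOWN.dll]"
)

if __name__ == "__main__":
    known, unknown = triage(parse_hooks(SAMPLE))
    print("explained by firewall:", known)
    print("needs review:", unknown)
```

Anything that lands in the "needs review" dictionary is what deserves attention; hooks attributed to the firewall's own modules are expected on a machine running ZoneAlarm.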
20.12.2011, 15:12 | #79 |
| Oh great .. "she" is the person who had access to my computer. If she has nested herself in the master boot record, formatting won't get her out - why else do I get the same messages as before? Why does ZoneAlarm report a network with an IP that differs from mine? Why do I still get the message from Unhooker after a scan that "rootkit activity possible" and it is shown as a warning with 27 exclamation marks? Completely formatting the HD and restoring the MBR with a special tool via a fly-on system ... that would be one option, but I can't pull it off on my own .. The mess is of course that she had free access to my PC and in theory could have done all sorts of things to the hardware too .. Can I find that out somehow? And yes - there is an IP every time .. as I said, only minimally different from mine; it is always the last two or three digits. I'll check again whether there is another FB notification that someone logged in while I was away - otherwise .. I have never! had these network messages from ZoneAlarm before, and I have always worked with ZoneAlarm. If I ignore it, everything hangs and nothing works anymore .. I have two options.... one says (I'm saying this from memory, I don't have the original text in front of me right now) ... I can allow shared resources, or be independent and not visible to others on the network .. Of course I always click the latter - otherwise I can't do anything on the PC anymore .. I don't like the other one at all. Yesterday I had ZoneAlarm installed .. today it was no longer in the taskbar ..
I started the exe again and got a message that there may be malicious software on my PC that wants to prevent the installation of ZoneAlarm - I then agreed to have that software uninstalled (but what does that even mean), and so it is back ... for the moment at least |
20.12.2011, 15:19 | #80 |
| No - I have no FB notifications today, but maybe she is just keeping a low profile at the moment. Markus ... is there a way for me to determine whether these are all just "odd" messages or whether there really is still a problem... How can I test that? |
20.12.2011, 15:28 | #81 |
/// Malware-holic | The MBR is clean; we checked it. But as far as I'm concerned we can format again with an MBR clean-up. Take the Windows CD, insert it, and reboot. At the start press the R key to get into the Recovery Console; there select the Windows installation, which is usually possible by pressing the 1 key. If you are asked for a password, skip it with Enter. Then type: fixmbr, Enter, y or j to confirm. After that: fixboot, Enter, press y or j to confirm. Then: format c:, Enter, j or y to confirm. Wait, then exit, reboot and reinstall Windows. Then start right away with the updates and install Emsisoft; do not copy any of the backed-up data onto the PC yet. Once Emsisoft is on, continue with the rest of the instructions.
|