Pests of all kinds and their removal: Windows 7 32bit - GVU Trojaner 11.3 - Trojan.Wheelsof.gen
01.12.2012, 10:43 | #1

Windows 7 32bit - GVU Trojaner 11.3 - Trojan.Wheelsof.gen

Hi, I have a Win7 32bit system here on which a GVU Trojan has now sneaked in for the second time (despite Avast being installed) :-( The first GVU Trojan got in in July and was removed with the help of MWAV and Malwarebytes.... Now, according to the image info on forum.botfrei.de, GVU Trojan 1.13 is (or was) on it... I sent the thing to quarantine with Malwarebytes, so the system gets online without the lock screen, but the whole system is still not really clean (the "show file name extensions" setting is disabled again after every reboot). I'll post the log files from the various scans: OTL.txt - Extra.txt was not created.

OTL Logfile:
Code:
ATTFilter OTL logfile created on: 01.12.2012 09:47:37 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Hobbit\Desktop Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,87 Gb Total Physical Memory | 1,74 Gb Available Physical Memory | 60,65% Memory free 5,73 Gb Paging File | 4,58 Gb Available in Paging File | 79,92% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 232,79 Gb Total Space | 190,06 Gb Free Space | 81,64% Space Free | Partition Type: NTFS Drive F: | 14,84 Gb Total Space | 14,54 Gb Free Space | 98,00% Space Free | Partition Type: FAT32 Computer Name: PC | User Name: Hobbit | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.12.01 09:09:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Hobbit\Desktop\OTL.exe PRC - [2012.11.30 19:51:47 | 006,527,128 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\Setup\avast.setup PRC - [2012.10.30 23:50:59 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe PRC - [2012.10.30 23:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe PRC - [2012.08.31 15:10:30 | 006,952,872 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer.exe PRC - [2012.08.31 15:10:30 | 002,759,080 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe PRC - [2012.08.31 14:55:18 | 000,106,408 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\tv_w32.exe PRC - [2012.08.20 
18:37:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2012.04.08 23:20:52 | 000,134,416 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe PRC - [2011.11.01 12:19:00 | 000,936,208 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe PRC - [2011.11.01 12:03:54 | 000,481,552 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe PRC - [2011.05.26 19:43:12 | 000,328,040 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe PRC - [2011.04.20 10:04:40 | 000,130,920 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe PRC - [2011.04.19 02:52:00 | 000,143,360 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe PRC - [2011.04.19 02:52:00 | 000,062,824 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE PRC - [2011.04.04 11:43:36 | 000,135,528 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe PRC - [2011.03.29 13:41:08 | 000,064,952 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe PRC - [2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.12.06 06:55:30 | 000,805,032 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe PRC - [2010.11.29 16:32:44 | 000,069,560 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe PRC - [2010.11.20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2010.10.29 20:25:12 | 000,142,696 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe PRC - [2009.09.05 17:29:06 | 000,385,024 | ---- | M] (shbox.de) -- C:\Program Files\FreePDF_XP\fpassist.exe ========== Modules (No Company Name) ========== MOD - [2011.04.19 02:52:00 | 000,053,248 | 
---- | M] () -- C:\Program Files\ThinkPad\Utilities\GR\PWMRT32V.DLL MOD - [2011.03.16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ========== Services (SafeList) ========== SRV - [2012.10.30 23:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus) SRV - [2012.10.30 12:37:19 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.10.08 19:55:11 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.09.20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service) SRV - [2012.08.31 15:10:30 | 002,759,080 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7) SRV - [2012.05.11 16:02:38 | 000,034,104 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService) SRV - [2012.03.10 12:41:36 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc) SRV - [2011.11.01 12:19:00 | 000,936,208 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) SRV - [2011.11.01 12:03:54 | 000,481,552 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) SRV - [2011.10.20 17:33:22 | 000,103,184 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe -- (BTHSSecurityMgr) SRV - 
[2011.10.19 13:24:54 | 000,510,464 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe -- (AMPPALR3) SRV - [2011.04.20 10:04:40 | 000,130,920 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe -- (TPHKLOAD) SRV - [2011.04.19 02:52:00 | 000,143,360 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe -- (PwmEWSvc) SRV - [2011.04.19 02:52:00 | 000,083,304 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service) SRV - [2011.04.04 10:27:20 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Disabled | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE) SRV - [2011.03.29 13:41:08 | 000,064,952 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC) SRV - [2010.12.20 19:17:07 | 003,246,040 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv) SRV - [2010.12.06 06:55:30 | 000,805,032 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc) SRV - [2010.11.06 17:29:38 | 000,008,192 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\srvany.exe -- (KMService) SRV - [2010.08.05 16:47:52 | 000,628,000 | ---- | M] (Broadcom Corporation.) 
[On_Demand | Stopped] -- C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe -- (btwdins) SRV - [2010.02.19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard) SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) ========== Driver Services (SafeList) ========== DRV - [2012.10.30 23:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx) DRV - [2012.10.30 23:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP) DRV - [2012.10.30 23:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi) DRV - [2012.10.30 23:51:57 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt) DRV - [2012.10.30 23:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk) DRV - [2012.10.15 17:59:28 | 000,044,784 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr) DRV - [2011.12.28 21:48:24 | 000,129,352 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\ApsX86.sys -- (Shockprf) DRV - [2011.12.28 21:48:24 | 000,022,344 | ---- | M] (Lenovo.) 
[Kernel | Boot | Running] -- C:\Windows\System32\drivers\ApsHM86.sys -- (TPDIGIMN) DRV - [2011.12.27 02:10:35 | 000,033,080 | ---- | M] (Lenovo Information Product(ShenZhen China) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\psadd.sys -- (psadd) DRV - [2011.12.16 16:53:28 | 000,013,304 | ---- | M] (TeamViewer GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TVMonitor.sys -- (MonitorFunction) DRV - [2011.10.31 14:56:36 | 007,522,304 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwNs32.sys -- (NETwNs32) DRV - [2011.10.19 13:18:38 | 000,140,800 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AmpPal.sys -- (AMPPALP) DRV - [2011.10.19 13:18:38 | 000,140,800 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmpPal.sys -- (AMPPAL) DRV - [2011.04.19 02:52:00 | 000,013,424 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF) DRV - [2010.12.20 19:17:07 | 000,167,968 | ---- | M] (Acronis) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\afcdp.sys -- (afcdp) DRV - [2010.12.20 19:17:05 | 000,752,128 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tdrpm273.sys -- (tdrpman273) DRV - [2010.12.20 19:17:00 | 000,600,928 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\timntr.sys -- (timounter) DRV - [2010.12.20 19:16:58 | 000,170,528 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\snapman.sys -- (snapman) DRV - [2010.12.13 10:30:50 | 000,144,472 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR) DRV - [2010.11.20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- 
C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2010.11.20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2010.11.20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2010.11.20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.11.20 11:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV - [2010.11.20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2010.11.20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2010.09.07 14:09:06 | 000,013,680 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi) DRV - [2010.08.18 10:53:42 | 000,045,736 | ---- | M] (Broadcom Corporation.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt) DRV - [2009.07.14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp) DRV - [2009.07.10 06:44:52 | 000,122,880 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F6 6B C5 47 B2 7D CB 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.2 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 FF - 
prefs.js..network.proxy.type: 0 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: File not found FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012.11.30 19:53:44 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.10.30 12:37:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.30 12:37:16 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.10.30 12:37:20 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.30 12:37:16 | 000,000,000 | ---D | M] 
[2010.11.06 15:49:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hobbit\AppData\Roaming\mozilla\Extensions [2012.10.23 20:07:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hobbit\AppData\Roaming\mozilla\Firefox\Profiles\7m5wtwu1.default\extensions [2012.07.30 15:03:18 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Hobbit\AppData\Roaming\mozilla\firefox\profiles\7m5wtwu1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.10.30 12:37:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2012.10.30 12:37:20 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2010.11.06 16:02:48 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2012.02.11 20:02:13 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.09.22 15:03:25 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.02.11 20:02:13 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.02.11 20:02:13 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.02.11 20:02:13 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.02.11 20:02:13 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2010.11.07 11:37:40 | 000,002,119 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) O2 - BHO: (avast! 
WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de) O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 153 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 153 O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm () O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... 
- C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm () O9 - Extra Button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm () O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C54B7CAA-A761-4993-A767-FD25B066DBBD}: DhcpNameServer = 192.168.1.100 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F97B27A2-D4C4-43B7-96EB-226448A695E0}: DhcpNameServer = 192.168.0.100 O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{39d0da97-f4a8-11df-bd4b-60eb690bc809}\Shell - "" = AutoRun O33 - MountPoints2\{39d0da97-f4a8-11df-bd4b-60eb690bc809}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a O33 - MountPoints2\{d5942036-e9b3-11df-a05e-60eb690bc809}\Shell - "" = AutoRun O33 - MountPoints2\{d5942036-e9b3-11df-a05e-60eb690bc809}\Shell\AutoRun\command - "" = E:\Set-up.exe O33 - MountPoints2\{f1152d68-ea78-11df-8668-60eb690bc809}\Shell - "" = AutoRun O33 - MountPoints2\{f1152d68-ea78-11df-8668-60eb690bc809}\Shell\AutoRun\command - "" = G:\AutoRun.exe O33 - MountPoints2\{f1152d77-ea78-11df-8668-60eb690bc809}\Shell - "" = AutoRun O33 - MountPoints2\{f1152d77-ea78-11df-8668-60eb690bc809}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.12.01 09:11:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Hobbit\Desktop\OTL.exe [2012.11.30 23:47:28 | 000,000,000 | -HSD | C] -- C:\Config.Msi [2012.11.30 22:42:02 | 000,000,000 | ---D | C] -- C:\Windows\rundll16.exe [2012.11.30 22:42:02 | 000,000,000 | ---D | C] -- C:\Windows\logo1_.exe [2012.11.30 21:26:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start 
Menu\Programs\Malwarebytes' Anti-Malware [2012.11.30 21:26:29 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.11.30 21:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.11.13 21:22:23 | 000,000,000 | ---D | C] -- C:\ProgramData\vhpthzabkxttqln [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] [1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.12.01 09:45:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.12.01 09:35:04 | 000,014,416 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.12.01 09:35:04 | 000,014,416 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.12.01 09:33:01 | 000,680,532 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.12.01 09:33:01 | 000,636,962 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.12.01 09:33:01 | 000,141,240 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.12.01 09:33:01 | 000,114,864 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.12.01 09:12:19 | 000,000,000 | ---- | M] () -- C:\Users\Hobbit\defogger_reenable [2012.12.01 09:09:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Hobbit\Desktop\OTL.exe [2012.12.01 09:08:38 | 000,050,477 | ---- | M] () -- C:\Users\Hobbit\Desktop\Defogger.exe [2012.12.01 08:54:09 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.12.01 07:43:17 | 003,703,568 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.11.30 23:40:33 | 000,037,414 | ---- | M] () -- C:\Users\Hobbit\Documents\pinfect.zip [2012.11.30 22:40:53 | 000,000,056 | ---- | M] () -- C:\Windows\Lic.xxx [2012.11.30 21:26:33 | 000,001,036 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 
[2012.11.30 19:53:45 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2012.11.13 21:22:23 | 000,076,348 | ---- | M] () -- C:\ProgramData\qpzyugiwsiayhaj [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] [1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.12.01 09:43:52 | 000,302,592 | ---- | C] () -- C:\Users\Hobbit\Desktop\gmer.exe [2012.12.01 09:12:19 | 000,000,000 | ---- | C] () -- C:\Users\Hobbit\defogger_reenable [2012.12.01 09:11:40 | 000,050,477 | ---- | C] () -- C:\Users\Hobbit\Desktop\Defogger.exe [2012.11.30 23:44:03 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf [2012.11.30 23:43:24 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf [2012.11.30 21:26:33 | 000,001,036 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.11.13 21:22:18 | 000,076,348 | ---- | C] () -- C:\ProgramData\qpzyugiwsiayhaj [2012.07.11 16:07:27 | 001,048,576 | ---- | C] () -- C:\Windows\System32\syndata.bin [2012.07.03 12:52:20 | 004,503,728 | ---- | C] () -- C:\ProgramData\l_u0_0.pad [2011.06.10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll [2011.05.14 14:23:09 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe [2011.05.14 14:22:00 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe [2010.12.29 13:47:42 | 000,000,156 | ---- | C] () -- C:\Windows\WDP_Server.INI ========== ZeroAccess Check ========== [2009.07.14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] 
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2010.12.20 19:17:07 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\6A30878C-029A-48A8-810A-CDEB93CC02CC [2010.12.20 19:39:35 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\Acronis [2011.05.14 16:15:08 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\PwrMgr [2012.09.29 19:42:22 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\TeamViewer [2012.07.11 17:05:19 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\TuneUp Software [2010.11.07 15:06:42 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\XnView ========== Purity Check ========== < End of report > --- --- --- defogger_disable.log Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:44 on 01/12/2012 (Hobbit)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-
Code:
==================================================
Dump File         : 120112-15771-01.dmp
Crash Time        : 01.12.2012 10:17:59
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Parameter 2       : 0x82f22ee9
Parameter 3       : 0xba979a78
Parameter 4       : 0x00000000
Caused By Driver  : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+121ee9
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.17944 (win7sp1_gdr.120830-0333)
Processor         : 32-bit
Crash Address     : ntkrnlpa.exe+121ee9
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\120112-15771-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 146.352
==================================================
Code:
Malwarebytes Anti-Malware 1.62.0.1100
www.malwarebytes.org

Datenbank Version: v2012.07.11.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Hobbit :: PC [Administrator]

11.07.2012 14:51:20
mbam-log-2012-07-11 (14-51-20).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 316964
Laufzeit: 1 Stunde(n), 16 Minute(n), 5 Sekunde(n)

Infizierte Speicherprozesse: 1
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> 2276 -> Löschen bei Neustart.

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 3
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> Löschen bei Neustart.
C:\Users\Hobbit\AppData\Local\Temp\0_0u_l.exe.mwt (Spyware.Zbot.DG) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Hobbit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
Code:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Datenbank Version: v2012.11.26.07

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Hobbit :: PC [Administrator]

30.11.2012 21:28:14
mbam-log-2012-11-30 (21-28-14).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 312847
Laufzeit: 1 Stunde(n), 4 Minute(n), 53 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Hobbit\0.9368733570250305.exe (Trojan.Weelsof.gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Why doesn't the codebox work? And here is the log from the GMER scan:
GMER Logfile:
I'm wondering whether it wouldn't be better to just set the system up from scratch??!! How would you proceed?

Regards
theexciter

Last edited by theexciter (01.12.2012 at 10:49)
01.12.2012, 12:38 | #2
/// TB-Ausbilder | Windows 7 32bit - GVU Trojaner 11.3 - Trojan.Wheelsof.gen
You don't know how it got in there?
I do ... Quote:
Support stopped: cracks or keygens. That closes this topic.
01.12.2012, 13:04 | #3
Windows 7 32bit - GVU Trojaner 11.3 - Trojan.Wheelsof.gen
????
What is that? How did it get on there?