|
Plagegeister aller Art und deren Bekämpfung: Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigtWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
13.11.2009, 14:37 | #1 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt Hallo Community, seit ca. 2 Wochen belästigt mich mein Rechner mit extrem langsamen Shutdowns (der Zusammenhang zu Trojanern wird noch deutlich), und zwar sowohl bei der Profilabmeldung als auch beim Runterfahren selbst. Ersteres konnte ich inzwischen klären, aber Letzteres nervt immer noch ungemein. Folgendes ist vom Ablauf her Sache: 1) Abmeldung und Shutdown dauerten immer mal wieder je ca. 2 Minuten (der Shutdown selbst fast immer) 2) Vor ca. 1 Woche fing AntiVir an, alle 5 Minuten einen Trojaner zu melden. Es beschränkte sich auf den Temp-Ordner (also wohl Downloads kleiner Dateien), ich löschte den Kram bzw verschob ihn in die Quarantäne. Upload zu virustotal.com ergab nur bei AntiVir und McAfee einen Alarm: TR/Dropper.Gen. Den Trojaner wurde ich los, aber das Problem änderte sich nicht. Also habe ich einige Treiber aktualisiert. Das schien etwas zu bewirken, aber kurze Zeit später gings von vorn los. Seitdem habe ich mehrere Dinge ausprobiert: - Programme: Registry Booster, SpeedupmyPC, Hijackthis, eScan, Security Task Manager, Combofix, Bit Defender - Registry: ClearPagefileatShutdown = 0/1, Löschung überflüssiger Einträge (auch NULL), HungAppTimeout = 1000, WaitToKillAppTimeout = 1000, DisablePagingExecutive = 1 Ergebnis: Combofix fand ein Rootkit und desinfizierte die Datei. Das Problem besteht aber weiterhin. Inzwischen bin ich darauf gekommen, dass zumeist das Internet an ist bzw war, bevor das Problem auftrat. Shutdowns direkt nach dem Hochfahren des Userprofils laufen nämlich anstandslos. So weit so gut, doch eins ist verwirrend: auch ohne angeschaltetes Internet tritt der Fehler hie und da auf. Meine Frage: kann es sein, dass trotz der ganzen Tests immer noch irgendwo ein rezentes Progrämmchen rumpfuscht, das ggf nach einer Weile (evtl wiederholt ?!) nach Hause zu telefonieren versucht und sich auch von Shutdowns nicht sofort beeindrucken lässt ? Vielleicht ein weiterer Trojaner, der noch von keinem Sucher entdeckt wird ? Wenn ja, müsste das Ding theoretisch auf der "tieferen" (?!) Windows-Ebene fuhrwerken, denn die Profilabmeldung ist ja wieder ok. Erst der generelle Shutdown (beim Klick auf den Computernamen Auf Wiedersehen-Bildschirm vom XP) braucht idiotisch lange. Interessant ist dahingehend, dass HijackThis m. E. nichts Ungewöhnliches anzeigt. Kurz und gut: Zustand: extreme Verwirrung Abhilfe: gern gesehen Ideen ? Immer her damit...bei Bedarf haue ich nochmal HijackThis drauf, vielleicht findet einige zusätzliche Paar Augen noch was. Besten Dank im Voraus, Steffen |
13.11.2009, 14:56 | #2 |
/// Selecta Jahrusso | Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigtEine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.
Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und immer der sicherste Weg. Solltest Du Dich für eine Bereinigung entscheiden, arbeite bitte folgendes ab. Poste bitte alle Logfiles in Code-Tags. Klicke antworten --> # danach [code]text[/code] So sollte das dann hier aussehen nach dem antworten: Code:
ATTFilter deine Logfile Vista und Win7 User Alle Tools mit Rechtsklick "als Administrator ausführen" starten. schritt 1 Windows-Explorer öffnen (Windows-Taste + E) und unter => Extras => Ordneroptionen => im Reiter "Ansicht"
schritt 2 Poste bitte den Inhalt von C:\combofix.txt schritt 3 Systemscan mit OTL Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
schritt 4
Manche Logfiles sind sehr lange, bitte in mehrere Posts aufteilen
__________________ |
13.11.2009, 16:37 | #3 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt Beim Download ist mir aufgefallen, dass ich GMER auch schon im Einsatz hatte. Konnte aber mir den ganzen Begriffen und Abkürzungen nicht viel anfangen und habe daher nicht mehr dran gedacht.
__________________Egal, ich musste eh neu scannen. Hier erstmal der Combofix-Log, Teil I: Code:
ATTFilter ComboFix 09-11-13.04 - Liebig 13.11.2009 15:51.1.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1535.1181 [GMT 1:00] ausgeführt von:: c:\dokumente und einstellungen\Liebig\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C} AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated) {804E5358-FFA4-011E-0D24-347CA8A3377C} AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000} AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C} AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-010C-0D24-347CA8A3377C} AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-011C-0D24-347CA8A3377C} FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B} Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !! . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\regedit.com c:\windows\system32\taskmgr.com . ((((((((((((((((((((((( Dateien erstellt von 2009-10-13 bis 2009-11-13 )))))))))))))))))))))))))))))) . 2009-11-12 19:19 . 2009-11-12 19:19 -------- d-----w- c:\programme\microsoft frontpage 2009-11-12 12:40 . 2009-11-12 12:40 -------- d---a-w- c:\windows\rundll16.exe 2009-11-12 11:55 . 2009-11-12 11:55 -------- d-----w- c:\programme\Gemeinsame Dateien\MicroWorld 2009-11-11 22:05 . 2009-11-11 22:05 -------- d---a-w- c:\windows\VDLL.DLL 2009-11-11 22:05 . 2009-11-11 22:05 -------- d---a-w- c:\windows\system32\runouce.exe 2009-11-11 22:05 . 2009-11-11 22:05 -------- d---a-w- c:\windows\RUNDL132.EXE 2009-11-11 22:02 . 2009-11-11 22:02 632064 ----a-w- c:\windows\system32\msvcr80.dll 2009-11-11 22:02 . 2009-11-11 22:02 554240 ----a-w- c:\windows\system32\msvcp80.dll 2009-11-11 22:02 . 2009-11-11 22:02 34048 ----a-w- c:\windows\system32\eEmpty.exe 2009-11-11 22:02 . 2008-04-14 02:23 140800 ----a-w- c:\windows\system32\T.COM 2009-11-11 22:02 . 2008-04-14 02:22 153600 ----a-w- c:\windows\R.COM 2009-11-11 18:37 . 2009-11-11 18:37 -------- d-----r- c:\dokumente und einstellungen\NetworkService\Favoriten 2009-11-11 18:36 . 2009-11-11 18:36 -------- d-sh--w- c:\dokumente und einstellungen\NetworkService\IETldCache 2009-11-10 16:33 . 2009-11-10 16:33 -------- d-----w- C:\Brother 2009-11-10 12:14 . 2008-05-18 17:54 9216 ----a-w- c:\windows\system32\drivers\videX32.sys 2009-11-08 15:12 . 2009-03-25 05:29 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys 2009-11-08 15:12 . 2009-03-03 11:18 73728 ----a-w- c:\windows\system32\RtNicProp32.dll 2009-11-08 14:19 . 2006-09-20 15:25 5627904 ----a-w- c:\windows\system32\nvdisps.dll 2009-11-08 14:19 . 2006-09-20 15:25 2904064 ----a-w- c:\windows\system32\nvvitvs.dll 2009-11-08 14:19 . 2006-09-20 15:25 2035712 ----a-w- c:\windows\system32\nvwss.dll 2009-11-08 14:19 . 2006-09-20 15:25 188416 ----a-w- c:\windows\system32\nvmccss.dll 2009-11-08 14:19 . 2006-09-20 15:25 888832 ----a-w- c:\windows\system32\nvmobls.dll 2009-11-08 14:19 . 2006-09-20 15:25 3051520 ----a-w- c:\windows\system32\nvgames.dll 2009-11-06 14:34 . 2009-11-10 23:05 -------- d-----w- c:\programme\Setup Files 2009-11-04 13:36 . 2009-11-10 21:54 -------- d-----w- c:\programme\Uniblue 2009-11-03 23:22 . 2009-11-03 23:22 152576 ----a-w- c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Sun\Java\jre1.6.0_17\lzma.dll 2009-10-20 10:35 . 2009-08-06 17:24 44768 ----a-w- c:\windows\system32\wups2.dll 2009-10-20 10:35 . 2008-10-16 13:13 202776 ----a-w- c:\windows\system32\wuweb.dll 2009-10-20 10:35 . 2009-08-06 17:24 35552 -c--a-w- c:\windows\system32\dllcache\wups.dll 2009-10-20 10:35 . 2009-08-06 17:24 35552 ----a-w- c:\windows\system32\wups.dll 2009-10-20 10:35 . 2008-10-16 13:12 323608 ----a-w- c:\windows\system32\wucltui.dll 2009-10-20 10:35 . 2008-10-16 13:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll 2009-10-20 10:35 . 2008-10-16 13:09 51224 ------w- c:\windows\system32\wuauclt.exe 2009-10-20 10:35 . 2008-10-16 13:12 561688 ----a-w- c:\windows\system32\wuapi.dll 2009-10-20 10:35 . 2008-10-16 13:09 92696 ----a-w- c:\windows\system32\cdm.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-12 19:29 . 2009-06-25 16:47 -------- d-----w- c:\programme\Trillian 2009-11-11 19:26 . 2008-08-10 01:05 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP 2009-11-10 23:31 . 2008-02-22 19:24 -------- d-----w- c:\programme\Flock 2009-11-10 20:59 . 2004-08-04 12:00 86770 ----a-w- c:\windows\system32\perfc007.dat 2009-11-10 20:59 . 2004-08-04 12:00 501756 ----a-w- c:\windows\system32\perfh007.dat 2009-11-10 16:33 . 2008-12-09 17:01 50 ----a-w- c:\windows\system32\bridf06a.dat 2009-11-10 16:32 . 2009-03-28 15:47 57 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Brother\BrLog\BrCollectDir\BR_cat.bat 2009-11-10 12:51 . 2009-06-14 22:27 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2009-11-07 15:46 . 2006-01-27 11:34 -------- d-----w- c:\programme\AVM_update 2009-11-06 16:32 . 2009-09-03 16:35 586107 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aescript.dll 2009-11-06 16:32 . 2009-09-03 16:35 2093432 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll 2009-11-05 16:39 . 2009-11-04 13:37 -------- d-----w- c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Uniblue 2009-11-05 16:39 . 2009-11-05 16:38 -------- dc-h--w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275} 2009-11-05 16:38 . 2006-01-27 14:08 69392 ----a-w- c:\dokumente und einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT 2009-11-05 14:21 . 2009-09-03 16:35 422261 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aepack.dll 2009-11-05 14:21 . 2009-09-03 16:35 364916 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aegen.dll 2009-11-05 14:21 . 2009-09-03 16:35 184694 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aecore.dll 2009-11-04 00:25 . 2008-05-01 13:05 -------- d-----w- c:\programme\UPHClean 2009-11-03 23:23 . 2006-03-23 18:27 -------- d-----w- c:\programme\Java 2009-11-01 08:43 . 2007-08-17 19:36 -------- d-----w- c:\programme\Eumex 504PC USB 2009-10-29 18:38 . 2009-11-05 16:39 2838480 -c--a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}\speedupmypc2009.exe 2009-10-17 12:31 . 2009-03-19 16:54 -------- d-----w- c:\programme\Avira 2009-10-15 10:10 . 2006-01-26 11:36 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe 2009-10-12 17:21 . 2006-01-27 20:17 -------- d-----w- c:\programme\Winamp 2009-10-11 03:17 . 2008-12-26 16:42 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-10-02 22:15 . 2009-09-03 16:35 479604 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll 2009-10-02 22:15 . 2009-09-03 16:35 393587 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll 2009-09-19 12:11 . 2008-01-02 19:26 179792 ----a-w- c:\windows\system32\guard32.dll 2009-09-19 12:11 . 2008-01-02 19:26 87104 ----a-w- c:\windows\system32\drivers\inspect.sys 2009-09-19 12:11 . 2008-01-02 19:26 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys 2009-09-19 12:11 . 2008-01-02 19:26 132296 ----a-w- c:\windows\system32\drivers\cmdGuard.sys 2009-09-16 13:07 . 2006-01-29 15:26 -------- d-----w- c:\programme\ChessBase 2009-09-15 15:58 . 2009-09-03 16:35 106867 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll 2009-09-11 14:17 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-03 15:24 . 2009-09-03 16:35 237940 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll 2009-09-03 15:24 . 2009-09-03 16:35 127346 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aescn.dll 2009-08-29 07:54 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll 2009-08-26 19:41 . 2009-08-26 19:41 152576 ----a-w- c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Sun\Java\jre1.6.0_15\lzma.dll 2009-08-26 18:11 . 2009-03-19 16:54 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2008-02-28 11:30 . 2008-02-28 11:30 14852 ----a-w- c:\programme\settings.dat 2006-10-26 18:40 . 2006-10-26 18:40 13 ----a-w- c:\programme\ATT00019.txt . Geändert von ElSteffe (13.11.2009 um 17:12 Uhr) |
13.11.2009, 16:39 | #4 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt Combofix, Teil II: Code:
ATTFilter ------- Sigcheck ------- [-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll [-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-20 7680000] "COMODO Firewall Pro"="c:\programme\COMODO\Firewall\cfp.exe" [2009-09-19 1799952] "UnlockerAssistant"="c:\programme\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696] "FreePDF Assistant"="c:\programme\FreePDF_XP\fpassist.exe" [2008-07-22 357376] "avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "SSBkgdUpdate"="c:\programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648] "PaperPort PTD"="c:\programme\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393] "IndexSearch"="c:\programme\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960] "BrMfcWnd"="c:\programme\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592] "ControlCenter3"="c:\programme\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824] "COMODO Internet Security"="c:\programme\COMODO\Firewall\cfp.exe" [2009-09-19 1799952] "SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-10-11 149280] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-20 86016] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-10 1519616] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\guard32.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "d:\\Daten_alt\\Programme\\Zubehör\\Backgammon\\backgw32.exe"= R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [02.01.2008 20:26 132296] R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [02.01.2008 20:26 25160] R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [19.03.2009 17:54 108289] R2 AVMPORT;AVMPORT;c:\windows\system32\drivers\avmport.sys [27.01.2006 23:55 59520] R2 CAPI20;Eumex 504PC USB;c:\windows\system32\drivers\Capi20.sys [17.08.2007 20:36 964428] R3 AVMCOWAN;AVMCOWAN;c:\windows\system32\drivers\avmcowan.sys [24.11.2005 01:00 53632] R3 fpcibase;FRITZ!Card PCI;c:\windows\system32\drivers\fpcibase.sys [26.01.2006 11:46 537600] S2 DETEWECP;Telekom ISDN Port;c:\windows\system32\drivers\detewecp.sys [17.08.2007 20:36 38480] S3 AVMWAN;NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmwan.sys [26.01.2006 11:46 38608] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\39.tmp --> c:\windows\system32\39.tmp [?] S3 MsibiosDevice;MsibiosDevice;\??\c:\programme\MSI\Live Update 4\LU4\msibios.sys --> c:\programme\MSI\Live Update 4\LU4\msibios.sys [?] S3 NETFRITZ;AVM FRITZ!web PPP over ISDN;c:\windows\system32\drivers\Netfritz.sys [27.01.2006 12:44 316928] S3 WEBNTACCESS;WEBNTACCESS;c:\windows\system32\Ntaccess.sys [14.04.2008 02:21 17920] S4 SAVAdminService;Sophos Anti-Virus Statusreporter;"c:\programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe [?] S4 SAVService;Sophos Anti-Virus;"c:\programme\Sophos\Sophos Anti-Virus\SavService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SavService.exe [?] S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys --> c:\windows\system32\DRIVERS\SophosBootDriver.sys [?] --- Andere Dienste/Treiber im Speicher --- *Deregistered* - mbr *Deregistered* - PROCEXP113 *Deregistered* - uphcleanhlp . . ------- Zusätzlicher Suchlauf ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = iexplore DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-13 16:00 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwClose, ZwOpenFile Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\39.tmp" . Zeit der Fertigstellung: 2009-11-13 16:02 ComboFix-quarantined-files.txt 2009-11-13 15:02 Vor Suchlauf: 9 Verzeichnis(se), 22.521.589.760 Bytes frei Nach Suchlauf: 12 Verzeichnis(se), 22.481.281.024 Bytes frei - - End Of File - - 410F8361CBC4AC1D8878BE0E83F887D7 |
13.11.2009, 16:43 | #5 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt OTL, Teil I (irgendwas hat sich zuerst gebissen, mir wurde beim Ausführen ein Schadprogramm gemeldet und mein Rechner stürzte ab...vielleicht hatte ich ein Modul der Firewall oder des Virenscanners nicht abgeschaltet): Code:
ATTFilter OTL logfile created on: 13.11.2009 16:16:11 - Run 1 OTL by OldTimer - Version 3.1.5.0 Folder = C:\Dokumente und Einstellungen\Liebig\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,50 Gb Total Physical Memory | 1,07 Gb Available Physical Memory | 71,46% Memory free 4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free Paging file location(s): [Binary data over 100 bytes] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 29,29 Gb Total Space | 21,04 Gb Free Space | 71,82% Space Free | Partition Type: NTFS Drive D: | 45,23 Gb Total Space | 41,96 Gb Free Space | 92,77% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: LIEBIG-2DA4E295 Current User Name: Liebig Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) PRC - C:\Programme\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.) PRC - C:\Programme\COMODO\Firewall\cfp.exe (COMODO) PRC - C:\Programme\COMODO\Firewall\cmdagent.exe (COMODO) PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Programme\internet explorer\iexplore.exe (Microsoft Corporation) PRC - C:\Programme\internet explorer\iexplore.exe (Microsoft Corporation) PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de) PRC - C:\Programme\QuickTime\QTTask.exe (Apple Inc.) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation) PRC - C:\Programme\Unlocker\UnlockerAssistant.exe () PRC - C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe () PRC - C:\Programme\UPHClean\uphclean.exe (Microsoft Corporation) PRC - C:\Programme\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.) ========== Modules (SafeList) ========== MOD - C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\guard32.dll (COMODO) MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation) MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation) MOD - C:\Programme\Unlocker\UnlockerHook.dll () ========== Win32 Services (SafeList) ========== SRV - (Sophos AutoUpdate Service) -- File not found SRV - (SAVService) -- File not found SRV - (SAVAdminService) -- File not found SRV - (MySql) -- File not found SRV - (JavaQuickStarterService) -- C:\Programme\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.) SRV - (cmdAgent) -- C:\Programme\COMODO\Firewall\cmdagent.exe (COMODO) SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation) SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation) SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation) SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation) SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation) SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation) SRV - (UPHClean) -- C:\Programme\UPHClean\uphclean.exe (Microsoft Corporation) SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation) ========== Driver Services (SafeList) ========== DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.) DRV - (Inspect) -- C:\WINDOWS\System32\DRIVERS\inspect.sys (COMODO) DRV - (cmdHlp) -- C:\WINDOWS\system32\drivers\cmdhlp.sys (COMODO) DRV - (cmdGuard) -- C:\WINDOWS\system32\drivers\cmdGuard.sys (COMODO) DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH) DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH) DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH) DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation ) DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH) DRV - (videX32) -- C:\WINDOWS\system32\DRIVERS\videX32.sys (VIA Technologies, Inc.) DRV - (WEBNTACCESS) -- C:\WINDOWS\system32\Ntaccess.sys (Your Corporation) DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation) DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation) DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (VIAudio) -- C:\WINDOWS\system32\drivers\vinyl97.sys (VIA Technologies, Inc.) DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC) DRV - (fpcibase) -- C:\WINDOWS\system32\drivers\fpcibase.sys (AVM Berlin) DRV - (AVMCOWAN) -- C:\WINDOWS\system32\drivers\avmcowan.sys (AVM GmbH) DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions) DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation) DRV - (BrUsbSer) -- C:\WINDOWS\system32\drivers\BrUsbSer.sys (Brother Industries Ltd.) DRV - (BrSerIf) -- C:\WINDOWS\system32\drivers\BrSerIf.sys (Brother Industries Ltd.) DRV - (NETFRITZ) -- C:\WINDOWS\system32\drivers\Netfritz.sys (AVM Berlin) DRV - (ENTECH) -- C:\WINDOWS\system32\drivers\Entech.sys (EnTech Taiwan) DRV - (BrScnUsb) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys (Brother Industries Ltd.) DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.) DRV - (ROOTMODEM) -- C:\WINDOWS\system32\drivers\rootmdm.sys (Microsoft Corporation) DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation) DRV - (CAPI20) -- C:\WINDOWS\System32\Drivers\CAPI20.SYS (DeTeWe Berlin) DRV - (viaagp1) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.) DRV - (AVMWAN) -- C:\WINDOWS\system32\drivers\avmwan.sys (AVM Berlin) DRV - (DETEWECP) -- C:\WINDOWS\System32\drivers\detewecp.sys (DeTeWe Berlin) DRV - (AVMPORT) -- C:\WINDOWS\System32\drivers\avmport.sys (AVM Berlin) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 96 3E E4 49 FA 4F CA 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [2009.09.15 16:13:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Mozilla\Extensions [2009.09.15 16:13:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b} O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (PicLens for Internet Explorer) - {53349B29-8E4B-447A-9068-5C83EB591753} - C:\Programme\PicLensIE\PicLens.dll (Cooliris Inc.) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found. O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [BrMfcWnd] C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe () O4 - HKLM..\Run: [COMODO Firewall Pro] C:\Programme\COMODO\Firewall\cfp.exe (COMODO) O4 - HKLM..\Run: [COMODO Internet Security] C:\Programme\COMODO\Firewall\cfp.exe (COMODO) O4 - HKLM..\Run: [ControlCenter3] C:\Programme\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de) O4 - HKLM..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.) O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe () O4 - HKLM..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.) O4 - HKLM..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.) O4 - HKLM..\Run: [SSBkgdUpdate] C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [UnlockerAssistant] C:\Programme\Unlocker\UnlockerAssistant.exe () O4 - HKCU..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0 O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe File not found O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} Reg Error: Key error. (YInstStarter Class) O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/de/scan8/oscan8.cab (Reg Error: Key error.) O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.01.26 11:54:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: (*) - File not found O34 - HKLM BootExecute: (OODBS) - File not found O35 - comfile [open] -- "%1" %* File not found O35 - exefile [open] -- "%1" %* File not found ========== Files/Folders - Created Within 30 Days ========== |
13.11.2009, 16:44 | #6 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt OTL, Teil II: Code:
ATTFilter [2009.11.13 16:09:01 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe [2009.11.13 16:06:48 | 00,000,000 | --SD | C] -- C:\ComboFix [2009.11.13 16:03:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp [2009.11.13 15:45:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2009.11.13 15:40:23 | 00,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Liebig\Recent [2009.11.12 20:19:58 | 00,000,000 | ---D | C] -- C:\Programme\xerox [2009.11.12 20:19:58 | 00,000,000 | ---D | C] -- C:\Programme\movie maker [2009.11.12 20:19:57 | 00,000,000 | ---D | C] -- C:\Programme\netmeeting [2009.11.12 20:19:57 | 00,000,000 | ---D | C] -- C:\Programme\msn gaming zone [2009.11.12 20:19:56 | 00,000,000 | ---D | C] -- C:\Programme\windows media player [2009.11.12 20:19:56 | 00,000,000 | ---D | C] -- C:\Programme\microsoft frontpage [2009.11.12 17:04:32 | 00,000,000 | ---D | C] -- C:\Config.Msi [2009.11.12 13:40:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\rundll16.exe [2009.11.12 12:55:25 | 00,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\MicroWorld [2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\VDLL.DLL [2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\runouce.exe [2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\RUNDL132.EXE [2009.11.11 23:02:22 | 00,632,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll [2009.11.11 23:02:21 | 00,554,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll [2009.11.11 23:02:19 | 00,034,048 | ---- | C] (MicroWorld Technologies Inc.) -- C:\WINDOWS\System32\eEmpty.exe [2009.11.11 23:02:13 | 00,153,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\R.COM [2009.11.11 23:02:13 | 00,140,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\T.COM [2009.11.10 17:33:23 | 00,000,000 | ---D | C] -- C:\Brother [2009.11.10 13:14:36 | 00,009,216 | ---- | C] (VIA Technologies, Inc.) -- C:\WINDOWS\System32\drivers\videX32.sys [2009.11.08 16:12:56 | 00,130,432 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\drivers\Rtnicxp.sys [2009.11.08 15:19:20 | 05,627,904 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvdisps.dll [2009.11.08 15:19:20 | 02,904,064 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvvitvs.dll [2009.11.08 15:19:20 | 02,035,712 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwss.dll [2009.11.08 15:19:20 | 00,188,416 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmccss.dll [2009.11.08 15:19:19 | 03,051,520 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvgames.dll [2009.11.08 15:19:19 | 00,888,832 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmobls.dll [2009.11.06 15:34:21 | 00,000,000 | ---D | C] -- C:\Programme\Setup Files [2009.11.05 19:39:29 | 00,000,000 | ---D | C] -- D:\Liebig\Eigene Dateien\My Drivers [2009.11.05 17:38:45 | 00,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275} [2009.11.04 14:37:08 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Uniblue [2009.11.04 14:36:57 | 00,000,000 | ---D | C] -- C:\Programme\Uniblue [2009.11.04 00:23:49 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe [2009.11.04 00:23:49 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe [2009.11.04 00:23:49 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe [2009.10.28 15:54:08 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Desktop\AVK Personal Dortmund [2009.10.20 11:35:31 | 00,202,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuweb.dll [2009.10.20 11:35:31 | 00,044,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll [2009.10.20 11:35:30 | 00,323,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll [2009.10.20 11:35:30 | 00,035,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll [2009.10.20 11:35:30 | 00,035,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wups.dll [2009.10.20 11:35:29 | 01,809,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll [2009.10.20 11:35:29 | 00,213,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl [2009.10.20 11:35:28 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt.exe [2009.10.20 11:35:27 | 00,561,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll [2009.10.20 11:35:26 | 00,092,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cdm.dll [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2009.11.13 16:14:21 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2009.11.13 16:14:01 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml [2009.11.13 16:12:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2009.11.13 16:12:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2009.11.13 16:11:59 | 16,101,41696 | -HS- | M] () -- C:\hiberfil.sys [2009.11.13 16:09:11 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe [2009.11.13 16:00:52 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2009.11.13 15:40:25 | 07,864,320 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\NTUSER.DAT [2009.11.13 15:40:25 | 00,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Liebig\ntuser.ini [2009.11.12 20:28:24 | 00,001,592 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Trillian.lnk [2009.11.12 12:55:51 | 00,000,028 | ---- | M] () -- C:\WINDOWS\Lic.xxx [2009.11.12 00:58:39 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2009.11.11 23:02:21 | 00,632,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll [2009.11.11 23:02:20 | 00,554,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll [2009.11.11 23:02:18 | 00,034,048 | ---- | M] (MicroWorld Technologies Inc.) -- C:\WINDOWS\System32\eEmpty.exe [2009.11.10 21:59:08 | 01,158,866 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2009.11.10 21:59:08 | 00,501,756 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat [2009.11.10 21:59:08 | 00,483,428 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2009.11.10 21:59:08 | 00,086,770 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat [2009.11.10 21:59:08 | 00,072,906 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2009.11.10 17:53:32 | 00,000,425 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI [2009.11.10 17:53:32 | 00,000,027 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI [2009.11.10 17:49:30 | 00,294,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2009.11.10 17:33:59 | 00,001,011 | ---- | M] () -- C:\WINDOWS\Brpfx04a.ini [2009.11.10 17:33:59 | 00,000,149 | ---- | M] () -- C:\WINDOWS\brpcfx.ini [2009.11.10 17:33:59 | 00,000,050 | ---- | M] () -- C:\WINDOWS\System32\bridf06a.dat [2009.11.10 13:51:49 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys [2009.11.09 19:01:47 | 06,384,498 | -H-- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\IconCache.db [2009.11.08 16:21:41 | 00,000,177 | ---- | M] () -- C:\WINDOWS\ChssBase.ini [2009.11.05 17:56:03 | 00,000,709 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\CommandDispatchers.xml [2009.11.05 17:56:00 | 00,001,367 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\cleaner-config.xml [2009.11.05 17:39:13 | 00,000,845 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC 2009.lnk [2009.11.05 17:38:41 | 00,069,392 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT [2009.11.04 15:35:04 | 00,000,844 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RegistryBooster.lnk [2009.11.04 14:48:42 | 00,000,991 | ---- | M] () -- C:\WINDOWS\win.ini [2009.11.04 14:48:42 | 00,000,211 | RHS- | M] () -- C:\boot.ini [2009.10.26 17:03:41 | 00,038,400 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009.10.20 17:44:16 | 00,345,425 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091025-015916.backup [2009.10.19 12:04:35 | 01,081,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCOMCTL.OCX [2009.10.15 15:09:42 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2009.10.15 11:10:27 | 00,001,715 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Adobe Reader 9.lnk [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2009.11.12 02:42:50 | 16,101,41696 | -HS- | C] () -- C:\hiberfil.sys [2009.11.11 23:02:52 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Lic.xxx [2009.11.11 23:02:20 | 00,000,522 | ---- | C] () -- C:\WINDOWS\System32\Microsoft.VC80.CRT.manifest [2009.11.08 16:12:56 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll [2009.11.05 17:56:01 | 00,000,709 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\CommandDispatchers.xml [2009.11.05 17:56:00 | 00,001,367 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\cleaner-config.xml [2009.11.05 17:39:13 | 00,000,845 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC 2009.lnk [2009.11.04 15:34:22 | 00,000,844 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RegistryBooster.lnk [2009.10.15 11:10:27 | 00,001,715 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Adobe Reader 9.lnk [2009.03.28 16:48:04 | 00,027,114 | ---- | C] () -- C:\WINDOWS\maxlink.ini [2009.03.19 19:47:16 | 00,000,521 | ---- | C] () -- C:\WINDOWS\my.ini [2009.03.11 18:48:37 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll [2009.03.11 18:48:37 | 00,033,244 | ---- | C] () -- C:\WINDOWS\xobglu32.dll [2008.12.09 18:06:32 | 00,000,425 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI [2008.12.09 18:06:32 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI [2008.12.09 18:01:40 | 00,001,011 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini [2008.12.09 18:01:40 | 00,000,149 | ---- | C] () -- C:\WINDOWS\brpcfx.ini [2008.12.09 18:00:00 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll [2008.10.16 16:23:30 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx13_ic.ini [2008.10.16 16:23:29 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\CSVSpecialProcessing.dll [2008.10.16 16:23:29 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\SARzilla.dll [2008.05.01 18:53:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OODCNT.INI [2008.05.01 15:40:57 | 06,384,498 | -H-- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\IconCache.db [2008.03.11 17:10:48 | 00,000,079 | ---- | C] () -- C:\WINDOWS\SW_Win2000X1.DLL [2008.03.11 17:10:42 | 00,000,027 | ---- | C] () -- C:\WINDOWS\SW_Win2146X32.DLL [2008.03.11 17:06:56 | 00,004,106 | ---- | C] () -- C:\WINDOWS\CX_SearchHistory.INI [2008.02.28 14:23:02 | 00,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini [2008.02.28 13:16:17 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll [2008.02.28 12:30:38 | 00,014,852 | ---- | C] () -- C:\Programme\settings.dat [2008.02.01 08:18:14 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys [2007.11.06 16:31:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\LiveBilliards.INI [2007.09.10 14:27:35 | 00,049,253 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\FASTWiz.log [2007.05.08 17:13:10 | 00,000,035 | ---- | C] () -- C:\WINDOWS\System32\backgw.ini [2006.10.26 19:40:43 | 00,000,013 | ---- | C] () -- C:\Programme\ATT00019.txt [2006.07.11 17:55:45 | 00,000,336 | ---- | C] () -- C:\WINDOWS\WININIT.INI [2006.06.29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont [2006.06.29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont [2006.05.02 23:38:24 | 00,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini [2006.04.18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont [2006.04.18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont [2006.03.10 19:47:43 | 00,000,215 | ---- | C] () -- C:\WINDOWS\AntiDial.ini [2006.02.08 15:37:23 | 00,000,305 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html [2006.01.29 16:32:17 | 00,000,177 | ---- | C] () -- C:\WINDOWS\ChssBase.ini [2006.01.28 14:59:47 | 00,000,487 | ---- | C] () -- C:\WINDOWS\Capictrl.INI [2006.01.28 02:31:15 | 00,001,706 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\iwatch.txt [2006.01.28 00:00:44 | 00,000,059 | ---- | C] () -- C:\WINDOWS\WINPHONE.INI [2006.01.27 21:18:03 | 00,000,508 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006.01.27 21:17:41 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini [2006.01.27 19:06:02 | 00,038,400 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2006.01.27 15:08:49 | 00,069,392 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT [2006.01.26 15:05:13 | 00,000,139 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat [2006.01.26 14:11:10 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys [2006.01.26 12:48:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ZDDBView.INI [2006.01.26 12:48:21 | 00,000,022 | ---- | C] () -- C:\WINDOWS\zdbui32.ini [2006.01.26 12:00:50 | 00,000,062 | -HS- | C] () -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\desktop.ini [2006.01.26 11:44:46 | 00,000,062 | -HS- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini [2005.12.10 03:06:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2005.12.10 03:06:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll [2005.12.10 03:06:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll [2005.12.10 03:06:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll [2005.12.10 03:06:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll [2005.12.10 03:06:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll [2005.12.10 03:06:00 | 00,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll [2004.08.04 13:00:00 | 00,000,991 | ---- | C] () -- C:\WINDOWS\win.ini [2004.08.04 13:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini [2002.03.04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll [1999.01.22 19:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL ========== Alternate Data Streams ========== @Alternate Data Stream - 147 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2 @Alternate Data Stream - 127 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:D1B5B4F1 @Alternate Data Stream - 114 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8 < End of report > Geändert von ElSteffe (13.11.2009 um 17:36 Uhr) |
13.11.2009, 16:45 | #7 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt OTL - Extras: Code:
ATTFilter OTL Extras logfile created on: 13.11.2009 16:16:11 - Run 1 OTL by OldTimer - Version 3.1.5.0 Folder = C:\Dokumente und Einstellungen\Liebig\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,50 Gb Total Physical Memory | 1,07 Gb Available Physical Memory | 71,46% Memory free 4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free Paging file location(s): [Binary data over 100 bytes] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 29,29 Gb Total Space | 21,04 Gb Free Space | 71,82% Space Free | Partition Type: NTFS Drive D: | 45,23 Gb Total Space | 41,96 Gb Free Space | 92,77% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: LIEBIG-2DA4E295 Current User Name: Liebig Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1 .html [@ = htmlfile] -- C:\Programme\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* File not found chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found cmdfile [open] -- "%1" %* File not found comfile [open] -- "%1" %* File not found exefile [open] -- "%1" %* File not found htmlfile [edit] -- "C:\Programme\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [open] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation) htmlfile [opennew] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation) http [open] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation) https [open] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation) piffile [open] -- "%1" %* File not found regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" File not found scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S File not found txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Programme\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation) "C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation) "D:\Daten_alt\Programme\Zubehör\Backgammon\backgw32.exe" = D:\Daten_alt\Programme\Zubehör\Backgammon\backgw32.exe:*:Enabled:Backgammon -- (Geert Verkade) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00010407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional "{00040407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2 "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{08098D1B-BA82-400D-B571-546F5AF7EDFF}" = PicLens for Internet Explorer "{0830FBE8-A848-4A37-BF62-D89CB3EF0F60}" = Fritz8 "{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime "{1F99A4C4-0F84-46B3-BC55-F202C1DB1096}" = PicLens Publisher "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform "{23C3F5C0-566B-478B-AAB6-197ADAD0C945}" = Uniblue SpeedUpMyPC 2009 "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 17 "{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10 "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0 "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0 "{7148F0A8-6813-11D6-A77B-00B0D0142010}" = Java 2 Runtime Environment, SE v1.4.2_01 "{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{AC76BA86-7AD7-1031-7B44-A92000000001}" = Adobe Reader 9.2 - Deutsch "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8 "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2010 "{EFCE5837-FC21-11D6-9D24-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_02 "{F0F563C4-D4AD-41C4-A8A6-26664C027D11}" = Brother MFL-Pro Suite "{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "AVM ISDN CAPI Port" = ISDN CAPI Port "COMODO Firewall Pro" = COMODO Firewall Pro "Convert XLS_is1" = Convert XLS "Eumex 504PC USB" = Telekom Eumex 504PC USB "Flock" = Flock 1.0 "FreePDF_XP" = FreePDF XP (Remove only) "FRITZ! 2.0" = AVM FRITZ! "GPL Ghostscript 8.63" = GPL Ghostscript 8.63 "ie8" = Windows Internet Explorer 8 "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager "IrfanView" = IrfanView (remove only) "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "NVIDIA Drivers" = NVIDIA Drivers "phase5" = phase5 "Redirection Port Monitor" = RedMon - Redirection Port Monitor "ShockwaveFlash" = Adobe Flash Player 9 ActiveX "Trillian" = Trillian "Uniblue SpeedUpMyPC 2009" = Uniblue SpeedUpMyPC 2009 "Unlocker" = Unlocker 1.8.5 "Winamp" = Winamp "Windows XP Service Pack" = Windows XP Service Pack 3 "WinPhone" = WinPhone "WinRAR archiver" = WinRAR Archivierer "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0 "XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Adobe Digital Editions" = Adobe Digital Editions ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 12.11.2009 15:20:22 | Computer Name = LIEBIG-2DA4E295 | Source = crypt32 | ID = 131080 Description = Der automatische Aktualisierungsabruf der Drittanbieterstammlisten-Sequenznummer von <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> ist fehlgeschlagen mit dem Fehler: Dieser Vorgang wurde wegen Zeitüberschreitung zurückgegeben. . Error - 12.11.2009 16:01:18 | Computer Name = LIEBIG-2DA4E295 | Source = crypt32 | ID = 131080 Description = Der automatische Aktualisierungsabruf der Drittanbieterstammlisten-Sequenznummer von <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> ist fehlgeschlagen mit dem Fehler: Dieser Vorgang wurde wegen Zeitüberschreitung zurückgegeben. . Error - 12.11.2009 16:19:58 | Computer Name = LIEBIG-2DA4E295 | Source = crypt32 | ID = 131080 Description = Der automatische Aktualisierungsabruf der Drittanbieterstammlisten-Sequenznummer von <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> ist fehlgeschlagen mit dem Fehler: Dieser Vorgang wurde wegen Zeitüberschreitung zurückgegeben. . Error - 12.11.2009 16:36:30 | Computer Name = LIEBIG-2DA4E295 | Source = crypt32 | ID = 131080 Description = Der automatische Aktualisierungsabruf der Drittanbieterstammlisten-Sequenznummer von <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> ist fehlgeschlagen mit dem Fehler: Dieser Vorgang wurde wegen Zeitüberschreitung zurückgegeben. . Error - 12.11.2009 18:09:42 | Computer Name = LIEBIG-2DA4E295 | Source = EventSystem | ID = 4609 Description = Das COM+-Ereignissystem hat einen ungültigen Rückgabecode während der internen Verarbeitung erkannt. HRESULT war 800706BF von Zeile 44 von d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Wenden Sie sich an den Microsoft-Produktsuppor Error - 12.11.2009 18:09:42 | Computer Name = LIEBIG-2DA4E295 | Source = VSS | ID = 8193 Description = Volumeschattenkopie-Dienstfehler: Beim Aufrufen von Routine "CoCreateInstance" ist ein unerwarteter Fehler aufgetreten. hr = 0x80040206. Error - 12.11.2009 18:52:28 | Computer Name = LIEBIG-2DA4E295 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung ComboFix.exe, Version 0.0.0.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 12.11.2009 18:52:52 | Computer Name = LIEBIG-2DA4E295 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung ComboFix.exe, Version 0.0.0.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 12.11.2009 18:53:11 | Computer Name = LIEBIG-2DA4E295 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung ComboFix.exe, Version 0.0.0.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 13.11.2009 11:08:27 | Computer Name = LIEBIG-2DA4E295 | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung iexplore.exe, Version 8.0.6001.18702, fehlgeschlagenes Modul unknown, Version 0.0.0.0, Fehleradresse 0x4ebb83bd. [ System Events ] Error - 13.11.2009 11:15:18 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:19 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:19 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:20 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:21 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:22 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:22 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:23 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:24 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 Error - 13.11.2009 11:15:25 | Computer Name = LIEBIG-2DA4E295 | Source = Service Control Manager | ID = 7023 Description = Der Dienst "RAS-Verbindungsverwaltung" wurde mit folgendem Fehler beendet: %%2 < End of report > |
13.11.2009, 16:51 | #8 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil I: Code:
ATTFilter GMER 1.0.15.15220 - http://www.gmer.net Rootkit scan 2009-11-13 16:33:35 Windows 5.1.2600 Service Pack 3 Running: 9hufmi1h.exe; Driver: C:\DOKUME~1\Liebig\LOKALE~1\Temp\afwyikod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB8587D46] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB8587250] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB85878EA] SSDT B9E4977E ZwCreateKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB8587132] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB8589254] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB858952C] SSDT B9E49774 ZwCreateThread SSDT B9E49783 ZwDeleteKey SSDT B9E4978D ZwDeleteValueKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB8586A5A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB8588ED6] SSDT B9E49792 ZwLoadKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB85874D4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB8587B2E] SSDT B9E49760 ZwOpenProcess SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB8587764] SSDT B9E49765 ZwOpenThread SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB8588688] SSDT B9E4979C ZwReplaceKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB85889F0] SSDT B9E49797 ZwRestoreKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB8588C72] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB8589084] SSDT B9E49788 ZwSetValueKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB858746E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB8587658] SSDT B9E4976F ZwTerminateProcess SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB8586ECA] SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB6F086D0] ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 78 804E26D4 2 Bytes [46, 7D] .text ntoskrnl.exe!_abnormal_termination + 7B 804E26D7 1 Byte [B8] .text ntoskrnl.exe!_abnormal_termination + C8 804E2724 2 Bytes [50, 72] .text ntoskrnl.exe!_abnormal_termination + CB 804E2727 1 Byte [B8] .text ntoskrnl.exe!_abnormal_termination + E0 804E273C 4 Bytes JMP 87B85878 .text ... ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys Das System kann die angegebene Datei nicht finden. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] WS2_32.dll!WSASocketW 71A1404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] WS2_32.dll!WSASocketA 71A18B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Java\jre6\bin\jqs.exe[176] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 16:52 | #9 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil II: Code:
ATTFilter .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] WS2_32.dll!WSASocketW 71A1404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] WS2_32.dll!WSASocketA 71A18B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[192] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\msiexec.exe[220] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 16:54 | #10 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil III: Code:
ATTFilter .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[300] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[332] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 16:55 | #11 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil IV: Code:
ATTFilter .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[852] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!WSASocketW 71A1404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!WSASocketA 71A18B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[864] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 16:57 | #12 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil V: Code:
ATTFilter .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1032] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1104] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\COMODO\Firewall\cmdagent.exe[1200] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 0040FB50 C:\Programme\COMODO\Firewall\cmdagent.exe (COMODO Internet Security/COMODO) |
13.11.2009, 16:59 | #13 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil VI: Code:
ATTFilter .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1240] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1540] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 17:00 | #14 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil VII: Code:
ATTFilter .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1564] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] WS2_32.dll!WSASocketW 71A1404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] WS2_32.dll!WSASocketA 71A18B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1612] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 17:03 | #15 |
| Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt GMER, Teil VIII: Code:
ATTFilter .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] WS2_32.dll!WSASocketW 71A1404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] WS2_32.dll!WSASocketA 71A18B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\alg.exe[1964] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95} .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] WININET.dll!InternetConnectA 408CDEAE 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] WININET.dll!InternetConnectW 408CF862 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[1984] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
Themen zu Windows XP: langsamer Shutdown, Rootkit / Trojaner bereits beseitigt |
5 minuten, ablauf, antivir, combofix, computer, dateien, down, escan, fehler, frage, hijack, hijackthis, internet, mcafee, problem, programme, rechner, registry, registry booster, rootkit, security, shutdown, speedupmypc, temp-ordner, treiber, trojaner, virus, virustotal.com, wiederholt, windows, windows xp |