Pests of all kinds and how to get rid of them: TR/DROPPER GEN on the computer
09.12.2009, 15:07 #1
Hey, I'm new here and registered because for a short while now I've been getting a message from Avira after every start saying that I have TR/Dropper Gen on the computer... no idea where it came from... here's the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:10, on 09.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Programme\Avira\AntiVir Desktop\sched.exe
E:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\dir\install\u7k8\76k8l.exe
E:\Programme\avmwlanstick\wlangui.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\UltraMon\UltraMon.exe
C:\Programme\UltraMon\UltraMonTaskbar.exe
E:\Programme\avmwlanstick\WlanNetService.exe
E:\Programme\LogMeIn Hamachi\hamachi-2.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
E:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] C:\Programme\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "E:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVMWlanClient] E:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [HKLM] C:\dir\install\u7k8\76k8l.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [HKCU] C:\dir\install\u7k8\76k8l.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\dir\install\u7k8\76k8l.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\dir\install\u7k8\76k8l.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Policies] c:\dir\install\u7k8\76k8l.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Policies] c:\dir\install\u7k8\76k8l.exe (User 'Default user')
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - E:\Programme\QIP\qip.exe (HKCU)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: ncvbads (7aasht6rf) - Unknown owner - C:\Programme\Gemeinsame Dateien\tysarekb\zamsdyg.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - E:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - E:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - E:\Programme\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - E:\Programme\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\Programme\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 6523 bytes

Would be glad if someone can help me, and tell me how far this whole thing can go...
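Added example, not part of this thread and not code from HijackThis or Avira: a small Python triage over the kinds of O4 autorun and O23 service lines shown in the log above. It flags an executable that lives outside the Windows or program-files tree, use of the Policies\Explorer\Run key, one file registered in several autorun locations, and a service with no vendor string. The sample lines are constructed after the log; the trusted directories, the threshold and the heuristics themselves are my own assumptions, not rules from any tool.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on O4/O23 lines of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "E:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HKLM] C:\dir\install\u7k8\76k8l.exe
O4 - HKCU\..\Run: [HKCU] C:\dir\install\u7k8\76k8l.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\dir\install\u7k8\76k8l.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\dir\install\u7k8\76k8l.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Policies] c:\dir\install\u7k8\76k8l.exe (User 'SYSTEM')
O23 - Service: ncvbads (7aasht6rf) - Unknown owner - C:\Programme\Gemeinsame Dateien\tysarekb\zamsdyg.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Programme\Avira\AntiVir Desktop\avguard.exe
"""

# O4: "<hive>\..\<key>: [<name>] <command line>"
# O23: "<display name> (<service name>) - <owner> - <path>"  (entries without the
#      parenthesised service name are skipped by this simple pattern)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|com|scr|bat)", re.IGNORECASE)
# Assumption: on this German XP box legitimate autoruns live under \WINDOWS or \Programme.
TRUSTED_RE = re.compile(r"^[a-z]:\\(windows|programme|program files)\\")
MULTI_LOCATION_THRESHOLD = 3  # assumption: three or more registrations of one file is unusual


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line (quotes, arguments and
    rundll32 wrappers stripped); fall back to the first token. Lower-cased because
    Windows paths are case-insensitive and the log mixes upper- and lower-case drives."""
    m = PATH_RE.search(cmd)
    return (m.group(0) if m else cmd.split()[0]).lower()


def triage(log_text: str) -> dict:
    """Return {path: [reasons]} for O4/O23 entries that deserve a closer look."""
    entries = defaultdict(list)  # path -> [(hive, key, owner)]
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries[extract_path(m.group("cmd"))].append((m.group("hive"), m.group("key"), None))
            continue
        m = O23_RE.match(line)
        if m:
            entries[m.group("path").lower()].append(("Services", m.group("svc"), m.group("owner")))

    findings = {}
    for path, regs in entries.items():
        reasons = []
        if not TRUSTED_RE.match(path):
            reasons.append("executable lives outside \\WINDOWS and the program-files tree")
        policy_hives = sorted({hive for hive, key, _ in regs if key.lower().startswith("policies\\")})
        if policy_hives:
            reasons.append("uses Policies\\Explorer\\Run in " + ", ".join(policy_hives))
        if len(regs) >= MULTI_LOCATION_THRESHOLD:
            reasons.append(f"registered in {len(regs)} separate autorun locations")
        if any(owner and owner.lower() == "unknown owner" for _, _, owner in regs):
            reasons.append("service has no vendor string (Unknown owner)")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Note that zamsdyg.exe sits inside the program-files tree and is caught only by the missing vendor string, which is why a path check alone is not enough.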
09.12.2009, 16:37 #2
Hello and

Quote:
Make all hidden files and folders visible

Please have these files
C:\dir\install\u7k8\76k8l.exe
C:\Programme\Gemeinsame Dateien\tysarekb\zamsdyg.exe
checked here at VirusTotal, here at virscan.org or here at Jotti (it can take a few minutes); post the complete results including the size of the uploaded file and the MD5 and SHA1 values, or link to the analysis, even if nothing was found.

BTW, do you have an original Windows?

Regards
09.12.2009, 23:43 #3
Hey, thanks for the quick reply.

So, since I posted here the message hasn't come back on restart.. strange, so unfortunately I can't tell you at the moment which file Avira was referring to.. and I tried to upload the files on all three sites, but the first one tells me after a short wait that it can't find the file.. and at the second one it's that I can't find the file, i.e. I can get to C:/Programme/Geminsamedateien/.... and from there on the folder no longer exists. I also made all files visible.. and to your question whether my Windows is original: yes it is, why do you ask?!^^
10.12.2009, 05:23 #4
Hello

Quote:
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

Please work through these instructions http://www.trojaner-board.de/69886-a...-beachten.html and also check your system with GMER, and post all the logs here; then we'll see how to proceed.

Regards
10.12.2009, 20:10 #5
OK, so here are the messages from Avira:

In der Datei 'C:\System Volume Information\_restore{209B44C6-413B-462C-8A88-B148A51960FC}\RP92\A0030489.exe' wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden. Ausgeführte Aktion: Zugriff verweigern
Die Datei 'C:\WINDOWS\Temp\dt.exe' enthielt einen Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan]. Durchgeführte Aktion(en): Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '4b4f17c4.qua' verschoben!
Die Datei 'C:\WINDOWS\Temp\yg.exe' enthielt einen Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan]. Durchgeführte Aktion(en): Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '4b4f17b7.qua' verschoben!
Die Datei 'D:\RECYCLER\S-1-5-21-448539723-573735546-839522115-1004\Dd1.rar' enthielt einen Virus oder unerwünschtes Programm 'TR/Vundo.Gen' [trojan]. Durchgeführte Aktion(en): Die Datei wurde ignoriert.
In der Datei 'C:\System Volume Information\_restore{209B44C6-413B-462C-8A88-B148A51960FC}\RP92\A0030489.exe' wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden. Ausgeführte Aktion: Zugriff verweigern
In der Datei 'C:\dir\install\u7k8\76k8l.exe' wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden. Ausgeführte Aktion: Datei löschen

So, and I ran CCleaner over it, and it always wants to delete some Mozilla internet cache but it doesn't get deleted; it's 4 files:

ANALYSE komplett - (0.261 Sek)
------------------------------------------------------------------------------------------
9,73MB zu entfernen. (Ungefähre Größe)
------------------------------------------------------------------------------------------
Details der zu löschenden Dateien (Hinweis: Es wurden noch keine Dateien gelöscht)
------------------------------------------------------------------------------------------
Firefox/Mozilla - Internet-Cache 9.962KB 4 Dateien
------------------------------------------------------------------------------------------
C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\mpq9zkvt.default\cache\_CACHE_001_ 2.352KB
C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\mpq9zkvt.default\cache\_CACHE_002_ 2.688KB
C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\mpq9zkvt.default\cache\_CACHE_003_ 4.857KB
C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\mpq9zkvt.default\cache\_CACHE_MAP_ 64KB

And GMER also found something, and I was supposed to post the log here, but it's too long. What should I do now?!^^
10.12.2009, 20:16 #6
Hello, that doesn't look so good.

Quote:

What did Malwarebytes find?

Regards
10.12.2009, 20:18 #7
I've split the GMER log into 2 parts; here's part 1:

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-10 20:02:17
Windows 5.1.2600 Service Pack 3
Running: 5nnt4fh0.exe; Driver: C:\DOKUME~1\Besitzer\LOKALE~1\Temp\fwdoapob.sys

---- System - GMER 1.0.15 ----

SSDT B87BE226 ZwCreateKey
SSDT B87BE21C ZwCreateThread
SSDT B87BE22B ZwDeleteKey
SSDT B87BE235 ZwDeleteValueKey
SSDT spes.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spes.sys ZwEnumerateValueKey [0xB7EC6032]
SSDT B87BE23A ZwLoadKey
SSDT spes.sys ZwOpenKey [0xB7EA70C0]
SSDT B87BE208 ZwOpenProcess
SSDT B87BE20D ZwOpenThread
SSDT spes.sys ZwQueryKey [0xB7EC610A]
SSDT spes.sys ZwQueryValueKey [0xB7EC5F8A]
SSDT B87BE244 ZwReplaceKey
SSDT B87BE23F ZwRestoreKey
SSDT B87BE230 ZwSetValueKey
SSDT B87BE217 ZwTerminateProcess

INT 0x63 ? 8ACA7BF8
INT 0x63 ? 8ACA7BF8
INT 0x73 ? 8AF0BBF8
INT 0x94 ? 8ACA7BF8
INT 0xA4 ? 8ACA7BF8
INT 0xB4 ? 8ACA7BF8

---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!RtlFindFirstRunClear + 196 8052CD9A 31 Bytes [F8, 62, 7F, 10, 74, 46, 83, ...] .text ... .text ntkrnlpa.exe!RtlWalkFrameChain + C 8052CE56 51 Bytes [89, 6D, D8, 8B, 75, D8, 89, ...] .text ntkrnlpa.exe!RtlWalkFrameChain + 40 8052CE8A 7 Bytes [89, 45, D0, 8B, B0, 34, 01] .text ntkrnlpa.exe!RtlWalkFrameChain + 48 8052CE92 63 Bytes [00, 89, 75, CC, 8B, 78, 20, ...] .text ntkrnlpa.exe!RtlWalkFrameChain + 88 8052CED2 6 Bytes [47, 08, 89, 45, E0, 8B] .text ntkrnlpa.exe!RtlWalkFrameChain + 8F 8052CED9 22 Bytes [04, 89, 7D, DC, 8B, 76, 60, ...] .text ... .text ntkrnlpa.exe!RtlCaptureStackBackTrace + 8 8052CF84 99 Bytes [01, 00, 00, 56, 8B, 75, 08, ...] .text ntkrnlpa.exe!RtlCaptureStackBackTrace + 6C 8052CFE8 41 Bytes [55, 08, 89, 11, 6A, 40, 8D, ...] .text ntkrnlpa.exe!RtlCaptureStackBackTrace + 96 8052D012 85 Bytes [45, 08, 56, 57, 8D, 78, 02, ...] .text ntkrnlpa.exe!RtlCaptureStackBackTrace + EC 8052D068 65 Bytes [56, 6A, 09, 58, 33, F6, 56, ...] .text ntkrnlpa.exe!RtlCaptureStackBackTrace + 12E 8052D0AA 72 Bytes [8D, 45, DC, 50, C7, 45, B4, ...] .text ... .text ntkrnlpa.exe!RtlSplay + 2 8052D12A 26 Bytes [55, 8B, EC, 8B, 45, 08, 39, ...] .text ntkrnlpa.exe!RtlSplay + 1D 8052D145 7 Bytes [00, 00, 3B, CA, 75, 18, 8B] .text ntkrnlpa.exe!RtlSplay + 25 8052D14D 10 Bytes [08, 85, C9, 89, 4A, 04, 74, ...] {OR [EBP+0x44a89c9], AL; JZ 0xa; MOV [ECX], EDX} .text ntkrnlpa.exe!RtlSplay + 30 8052D158 40 Bytes [50, 08, 89, 02, 89, 00, E9, ...] .text ntkrnlpa.exe!RtlSplay + 59 8052D181 207 Bytes [31, 3B, F1, 75, 04, 89, 00, ...] .text ... .text ntkrnlpa.exe!RtlSubtreePredecessor + 16 8052D2CE 44 Bytes [48, 08, 85, C9, 75, F7, EB, ...] .text ntkrnlpa.exe!RtlRealSuccessor + 1F 8052D2FB 163 Bytes [01, 39, 48, 08, 74, F7, 8B, ...] .text ntkrnlpa.exe!RtlRealPredecessor + 85 8052D39F 14 Bytes [10, 89, 30, 89, 11, 5B, EB, ...] 
.text ntkrnlpa.exe!RtlRealPredecessor + 94 8052D3AE 2 Bytes [89, 0E] {MOV [ESI], ECX} .text ntkrnlpa.exe!RtlRealPredecessor + 97 8052D3B1 73 Bytes [10, 89, 11, 89, 00, 8B, 71, ...] .text ntkrnlpa.exe!RtlRealPredecessor + E1 8052D3FB 135 Bytes [50, 08, 89, 70, 08, 89, 51, ...] .text ntkrnlpa.exe!RtlDelete + 45 8052D483 34 Bytes [50, EB, 26, 85, C0, 75, 03, ...] .text ntkrnlpa.exe!RtlDelete + 68 8052D4A6 14 Bytes [01, 8B, 36, 89, 30, 56, E8, ...] .text ntkrnlpa.exe!RtlDelete + 77 8052D4B5 23 Bytes [00, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!RtlDeleteNoSplay + 11 8052D4CD 34 Bytes [7D, 0C, 74, 18, 39, 5E, 08, ...] .text ntkrnlpa.exe!RtlDeleteNoSplay + 34 8052D4F0 70 Bytes [39, 5E, 08, 75, 18, 8B, 06, ...] .text ntkrnlpa.exe!RtlDeleteNoSplay + 7B 8052D537 110 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] .text ntkrnlpa.exe!RtlInsertElementGenericTableFull + 2C 8052D5A6 48 Bytes [C0, EB, 76, 83, 63, 04, 00, ...] .text ntkrnlpa.exe!RtlInsertElementGenericTableFull + 5D 8052D5D7 216 Bytes [8B, 45, 18, 75, 05, 89, 58, ...] .text ntkrnlpa.exe!RtlGetElementGenericTable + 6C 8052D6B0 16 Bytes [40, 04, 75, FA, 89, 41, 0C, ...] .text ntkrnlpa.exe!RtlGetElementGenericTable + 7D 8052D6C1 36 Bytes [5F, 5E, 5B, 5D, C2, 08, 00, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableWithoutSplaying + 4 8052D6E6 45 Bytes [EC, 8B, 45, 08, 8B, 00, 85, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableWithoutSplaying + 32 8052D714 47 Bytes [8B, C1, 8B, 48, 04, 85, C9, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableWithoutSplaying + 62 8052D744 68 Bytes [46, 04, 85, C0, 74, 15, 8B, ...] .text ntkrnlpa.exe!RtlInsertElementGenericTable + 13 8052D789 151 Bytes [FF, FF, 50, FF, 75, 08, FF, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTableFull + 21 8052D821 182 Bytes [01, 75, 10, FF, 36, E8, FD, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTable + 46 8052D8D8 41 Bytes [51, 04, 85, D2, 89, 50, 08, ...] 
.text ntkrnlpa.exe!RtlLookupElementGenericTable + 70 8052D902 170 Bytes [8B, FF, 55, 8B, EC, 51, 53, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTable + 11B 8052D9AD 109 Bytes [DB, 56, 57, 74, 23, 8B, 41, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTable + 189 8052DA1B 12 Bytes [8B, 3B, 8A, 47, 0C, 3A, C2, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTable + 196 8052DA28 18 Bytes [EB, 10, 84, C0, 74, 1C, 57, ...] {JMP 0x12; TEST AL, AL; JZ 0x22; PUSH EDI; CALL 0xfffffffffffffeda; TEST EAX, EAX; JNZ 0x30; MOV EDI, [EDI]} .text ... .text ntkrnlpa.exe!RtlInsertElementGenericTableFullAvl + 35 8052DB3D 22 Bytes [57, 33, C0, 8B, FB, AB, AB, ...] .text ntkrnlpa.exe!RtlInsertElementGenericTableFullAvl + 4C 8052DB54 13 Bytes [C7, 46, 1C, 01, 00, 00, 00, ...] {MOV DWORD [ESI+0x1c], 0x1; JMP 0x57; CMP DWORD [EBP+0x1c], 0x2} .text ntkrnlpa.exe!RtlInsertElementGenericTableFullAvl + 5A 8052DB62 50 Bytes [45, 18, 8B, FB, 75, 05, 89, ...] .text ntkrnlpa.exe!RtlInsertElementGenericTableFullAvl + 8D 8052DB95 136 Bytes [0F, C6, 40, 0C, 00, 80, 7E, ...] .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 1F 8052DC1F 52 Bytes [00, 8D, 53, 01, 3B, D7, 0F, ...] .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 54 8052DC54 92 Bytes CALL 8052DA94 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + B1 8052DCB1 187 Bytes CALL 8052DA95 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlEnumerateGenericTableWithoutSplayingAvl + 83 8052DD6D 80 Bytes [46, 08, 85, C0, 75, F0, 6A, ...] .text ntkrnlpa.exe!RtlInsertElementGenericTableAvl + 2E 8052DDBE 12 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH ESI} .text ntkrnlpa.exe!RtlDeleteElementGenericTableAvl + 7 8052DDCB 1 Byte [75] .text ntkrnlpa.exe!RtlDeleteElementGenericTableAvl + 7 8052DDCB 18 Bytes [75, 08, 8D, 45, 0C, 50, FF, ...] 
{JNZ 0xa; LEA EAX, [EBP+0xc]; PUSH EAX; PUSH DWORD [EBP+0xc]; PUSH ESI; CALL 0xffffffffffffff6b; CMP EAX, 0x1} .text ntkrnlpa.exe!RtlDeleteElementGenericTableAvl + 1A 8052DDDE 2 Bytes [04, 32] {ADD AL, 0x32} .text ntkrnlpa.exe!RtlDeleteElementGenericTableAvl + 1D 8052DDE1 83 Bytes [EB, 2F, 57, 8B, 7D, 0C, 3B, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTableFullAvl + 1A 8052DE36 1 Byte [14] .text ntkrnlpa.exe!RtlLookupElementGenericTableFullAvl + 1D 8052DE39 8 Bytes [74, 04, 33, C0, EB, 05, 8B, ...] {JZ 0x6; XOR EAX, EAX; JMP 0xb; MOV EAX, [ESI]} .text ntkrnlpa.exe!RtlLookupElementGenericTableFullAvl + 26 8052DE42 15 Bytes [C0, 10, 5E, 5D, C2, 10, 00, ...] {RCL BYTE [EAX], 0x5e; POP EBP; RET 0x10; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP} .text ntkrnlpa.exe!RtlEnumerateGenericTableAvl + 4 8052DE52 10 Bytes [EC, 80, 7D, 0C, 00, 8B, 45, ...] {IN AL, DX ; CMP BYTE [EBP+0xc], 0x0; MOV EAX, [EBP+0x8]; JZ 0xe} .text ntkrnlpa.exe!RtlEnumerateGenericTableAvl + F 8052DE5D 16 Bytes [60, 20, 00, 8D, 48, 20, 51, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableAvl + 20 8052DE6E 7 Bytes [CC, CC, CC, CC, CC, CC, 8B] .text ntkrnlpa.exe!RtlEnumerateGenericTableLikeADirectory + 2 8052DE76 9 Bytes [55, 8B, EC, 51, 8B, 45, 18, ...] {PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x18]; PUSH EBX; PUSH ESI} .text ntkrnlpa.exe!RtlEnumerateGenericTableLikeADirectory + C 8052DE80 36 Bytes [30, 57, 8B, 7D, 08, 33, DB, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableLikeADirectory + 31 8052DEA5 137 Bytes [80, 8B, 45, 1C, 8B, 00, 3B, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableLikeADirectory + BB 8052DF2F 20 Bytes [01, 0F, 85, 5B, FF, FF, FF, ...] .text ntkrnlpa.exe!RtlLookupElementGenericTableAvl 8052DF44 62 Bytes [8B, FF, 55, 8B, EC, 8D, 45, ...] .text ntkrnlpa.exe!RtlGetCallersAddress + 1B 8052DF83 30 Bytes [00, 64, 89, 25, 00, 00, 00, ...] .text ntkrnlpa.exe!RtlGetCallersAddress + 3A 8052DFA2 71 Bytes [72, 04, 8B, 12, 3B, D5, 76, ...] 
.text ntkrnlpa.exe!RtlGetCallersAddress + 82 8052DFEA 17 Bytes [30, 00, 00, 3B, D0, 77, B0, ...] .text ntkrnlpa.exe!RtlGetCallersAddress + 94 8052DFFC 11 Bytes [00, 8B, 64, 24, 08, EB, AF, ...] .text ntkrnlpa.exe!RtlGetCallersAddress + A0 8052E008 7 Bytes [25, 64, 00, CC, CC, CC, CC] {AND EAX, 0xcccc0064; INT 3 ; INT 3 } .text ... .text ntkrnlpa.exe!VerSetConditionMask + 1E 8052E134 143 Bytes [8D, 4C, 40, FD, 0F, B6, 45, ...] .text ntkrnlpa.exe!RtlVerifyVersionInfo + 70 8052E1C4 80 Bytes [66, 8B, 86, 18, 01, 00, 00, ...] .text ntkrnlpa.exe!RtlVerifyVersionInfo + C1 8052E215 190 Bytes [75, 78, 0F, B7, 45, F8, 85, ...] .text ntkrnlpa.exe!RtlVerifyVersionInfo + 180 8052E2D4 12 Bytes JMP 8052E500 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlVerifyVersionInfo + 18D 8052E2E1 69 Bytes [0F, 84, 28, 01, 00, 00, F6, ...] .text ntkrnlpa.exe!RtlVerifyVersionInfo + 1D3 8052E327 19 Bytes CALL 0C52E32A |
10.12.2009, 20:19 | #8 |
| TR/DROPPER GEN on the computer
Here is part 2:
.text ... .text ntkrnlpa.exe!RtlImageNtHeader + 4C 8052E562 81 Bytes [55, 8B, EC, 8B, 4D, 08, 0F, ...] .text ntkrnlpa.exe!RtlImageNtHeader + 9E 8052E5B4 104 Bytes [FF, FF, FF, 8B, C8, 85, C9, ...] .text ntkrnlpa.exe!RtlImageNtHeader + 107 8052E61D 13 Bytes [0F, 3B, 41, 54, 72, 0A, 50, ...] .text ntkrnlpa.exe!RtlImageNtHeader + 115 8052E62B 89 Bytes [EB, 02, 03, C7, 5F, 5E, 5D, ...] .text ntkrnlpa.exe!RtlImageNtHeader + 16F 8052E685 17 Bytes [75, 14, 89, 16, 75, 0F, 3B, ...] .text ... .text ntkrnlpa.exe!RtlImageDirectoryEntryToData + 53 8052E6FB 8 Bytes [EB, 02, 33, C0, 5B, 5D, C2, ...] .text ntkrnlpa.exe!RtlImageDirectoryEntryToData + 5C 8052E704 16 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!RtlInitString + 9 8052E715 58 Bytes [C7, 02, 00, 00, 00, 00, 89, ...] .text ntkrnlpa.exe!RtlInitAnsiString + C 8052E750 57 Bytes [00, 00, 00, 89, 7A, 04, 0B, ...] .text ntkrnlpa.exe!RtlInitUnicodeString + E 8052E78A 5 Bytes [00, 89, 7A, 04, 0B] .text ntkrnlpa.exe!RtlInitUnicodeString + 14 8052E790 30 Bytes [74, 22, 83, C9, FF, 33, C0, ...] .text ntkrnlpa.exe!RtlInitUnicodeString + 33 8052E7AF 11 Bytes [49, 49, 66, 89, 0A, 5F, C2, ...] {DEC ECX; DEC ECX; MOV [EDX], CX; POP EDI; RET 0x8; ADD [EAX], AL} .text ntkrnlpa.exe!RtlInitUnicodeString + 40 8052E7BC 92 Bytes [66, 66, 66, 66, 3A, 00, 00, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringA + B 8052E819 66 Bytes [08, 33, D2, 66, 39, 16, C7, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringA + 4E 8052E85C 12 Bytes [47, 66, 8B, 46, 0A, 66, 3B, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringA + 5B 8052E869 119 Bytes [FF, 75, 38, 66, 3B, C2, 75, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringA + D3 8052E8E1 27 Bytes [66, F7, 46, 08, FD, FF, 89, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringA + EF 8052E8FD 136 Bytes [00, 8B, 5D, F8, 3B, DA, 7E, ...] .text ... .text ntkrnlpa.exe!RtlIpv6AddressToStringExA + 39 8052EA2F 14 Bytes [8D, 45, B8, 74, 11, 68, E0, ...] 
.text ntkrnlpa.exe!RtlIpv6AddressToStringExA + 49 8052EA3F 16 Bytes [59, 59, 8D, 44, 05, B8, 50, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringExA + 5A 8052EA50 46 Bytes [8B, F0, 74, 13, FF, 75, 0C, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringExA + 89 8052EA7F 25 Bytes CALL 8053AF77 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv6AddressToStringExA + A3 8052EA99 55 Bytes JMP 0BF8DDA0 .text ... .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 2 8052EB14 73 Bytes [55, 8B, EC, 83, EC, 1C, A1, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 4C 8052EB5E 1 Byte [56] .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 4C 8052EB5E 5 Bytes [56, E8, 14, C4, 00] .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 52 8052EB64 20 Bytes [83, C4, 0C, 03, F0, 8D, 45, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 67 8052EB79 93 Bytes [C0, EB, 15, 8B, CA, 8B, C1, ...] .text ... .text ntkrnlpa.exe!RtlIpv6AddressToStringW + 1E 8052EC58 56 Bytes [66, 39, 56, 02, 0F, 85, A9, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringW + 57 8052EC91 52 Bytes [0B, 66, 3D, FF, FF, 75, 39, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringW + 8D 8052ECC7 50 Bytes CALL 8053B655 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv6AddressToStringW + C0 8052ECFA 32 Bytes CALL 8053B654 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv6AddressToStringW + E1 8052ED1B 14 Bytes [0F, 66, 81, 7E, 0A, 5E, FE, ...] .text ... .text ntkrnlpa.exe!RtlIpv6AddressToStringExW + 3 8052EE31 53 Bytes [8B, EC, 81, EC, 88, 00, 00, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringExW + 39 8052EE67 2 Bytes [7D, 10] {JGE 0x12} .text ntkrnlpa.exe!RtlIpv6AddressToStringExW + 3C 8052EE6A 43 Bytes [8D, 85, 78, FF, FF, FF, 74, ...] .text ntkrnlpa.exe!RtlIpv6AddressToStringExW + 68 8052EE96 111 Bytes [75, 0C, 68, 12, EE, 52, 80, ...] 
.text ntkrnlpa.exe!RtlIpv6AddressToStringExW + D8 8052EF06 5 Bytes [75, 00, 2E, 00, 25] .text ... .text ntkrnlpa.exe!RtlIpv4AddressToStringW + 1 8052EF1D 31 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringW + 21 8052EF3D 32 Bytes [00, 50, 68, FE, EE, 52, 80, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringW + 42 8052EF5E 87 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 52 8052EFB6 94 Bytes [83, C4, 0C, 8D, 34, 46, 8D, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 1D 8052F015 32 Bytes [89, 55, EC, 89, 55, F8, 89, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 3E 8052F036 50 Bytes [48, 74, 0F, 48, 0F, 84, 13, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 71 8052F069 4 Bytes CALL 8053A3CE \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 76 8052F06E 29 Bytes [00, 85, C0, 59, 74, 21, 56, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 94 8052F08C 93 Bytes JMP 8052F223 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 77 8052F38F 42 Bytes [80, FB, 5D, 74, 50, 0F, BE, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + A2 8052F3BA 6 Bytes [C7, 99, 03, C8, 13, DA] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + A9 8052F3C1 42 Bytes [C1, D0, 83, D3, FF, 89, 5D, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + D5 8052F3ED 18 Bytes [80, 7D, 0B, 00, 74, 90, 46, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + E8 8052F400 5 Bytes [00, 46, 80, 3E, 30] .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressA + 3D 8052F593 53 Bytes [00, 85, C0, 59, 74, 09, C7, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressA + 73 8052F5C9 101 Bytes [00, 8A, 03, 84, C0, 0F, 84, ...] 
.text ntkrnlpa.exe!RtlIpv4StringToAddressA + D9 8052F62F 3 Bytes [85, C0, 59] {TEST EAX, EAX; POP ECX} .text ntkrnlpa.exe!RtlIpv4StringToAddressA + DD 8052F633 7 Bytes [04, 6A, 61, EB, 02, 6A, 41] {ADD AL, 0x6a; POPA ; JMP 0x7; PUSH 0x41} .text ntkrnlpa.exe!RtlIpv4StringToAddressA + E5 8052F63B 96 Bytes [4D, F8, 58, C1, E1, 04, 2B, ...] .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 3 8052F767 38 Bytes [8B, EC, 53, 56, 33, F6, 39, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 2A 8052F78E 7 Bytes [10, 50, FF, 75, 0C, FF, 75] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 32 8052F796 36 Bytes CALL 8052F556 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 57 8052F7BB 42 Bytes [C7, 45, 0C, 0A, 00, 00, 00, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 82 8052F7E6 14 Bytes JMP 8052F8C2 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 62 8052F960 83 Bytes [00, 68, 80, 00, 00, 00, 56, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressW + B6 8052F9B4 59 Bytes [83, 7D, FC, 05, 0F, 87, 5D, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressW + F2 8052F9F0 93 Bytes [83, 7D, FC, 06, 0F, 87, 21, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 150 8052FA4E 24 Bytes [C9, 00, 00, 00, 6A, 04, 56, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 169 8052FA67 16 Bytes [89, 7D, EC, 89, 45, F0, 89, ...] .text ... .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 20 8052FC1C 8 Bytes [00, 39, 5D, 10, 0F, 84, 28, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 29 8052FC25 9 Bytes [00, 39, 5D, 14, 0F, 84, 1F, ...] {ADD [ECX], BH; POP EBP; ADC AL, 0xf; TEST [EDI], BL; ADD AL, [EAX]} .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 33 8052FC2F 35 Bytes [66, 83, 38, 5B, 89, 5D, FC, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 57 8052FC53 75 Bytes [0F, 8C, F5, 01, 00, 00, 8B, ...] 
.text ntkrnlpa.exe!RtlIpv6StringToAddressExW + A4 8052FCA0 53 Bytes CALL 8053C04D \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressW + 24 8052FE84 33 Bytes [75, 42, 47, 47, 33, C0, 66, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressW + 47 8052FEA7 36 Bytes [00, EB, 1E, 66, 8B, 07, 66, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressW + 6C 8052FECC 20 Bytes [74, 0A, 83, 7D, FC, 0A, 0F, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressW + 81 8052FEE1 62 Bytes [73, 26, 6A, 04, 56, E8, 65, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressW + C0 8052FF20 108 Bytes [85, C0, 59, 59, 74, 3D, 6A, ...] .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 40 805300AE 1 Byte [7D] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 40 805300AE 63 Bytes [7D, 10, 66, 8B, 07, 66, 3D, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 80 805300EE 15 Bytes [00, 00, 47, 33, F6, 66, 8B, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 90 805300FE 8 Bytes [00, C6, 45, 13, 00, E9, B0, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 99 80530107 51 Bytes [00, 47, 47, 66, 81, FE, 80, ...] .text ... .text ntkrnlpa.exe!RtlLargeIntegerDivide + 30 8053021C 98 Bytes JMP 8C520540 .text ntkrnlpa.exe!RtlNtStatusToDosErrorNoTeb + 13 8053027F 71 Bytes [57, 8B, C8, BF, 00, 00, FF, ...] .text ntkrnlpa.exe!RtlNtStatusToDosErrorNoTeb + 5B 805302C7 19 Bytes [0F, B7, 1C, CD, EC, B9, 4D, ...] .text ntkrnlpa.exe!RtlNtStatusToDosErrorNoTeb + 6F 805302DB 21 Bytes [72, D9, EB, 16, C1, E1, 03, ...] .text ntkrnlpa.exe!RtlNtStatusToDosErrorNoTeb + 85 805302F1 11 Bytes [3B, D3, 72, 1A, 8B, C8, 23, ...] .text ntkrnlpa.exe!RtlNtStatusToDosErrorNoTeb + 91 805302FD 15 Bytes [01, C0, 75, 07, 25, FF, FF, ...] .text ... .text ntkrnlpa.exe!RtlRaiseException + 1F 8053036F 11 Bytes [8D, 85, 2C, FD, FF, FF, 89, ...] .text ntkrnlpa.exe!RtlRaiseException + 2B 8053037B 11 Bytes [89, 98, A4, 00, 00, 00, 89, ...] 
.text ntkrnlpa.exe!RtlRaiseException + 37 80530387 42 Bytes [89, B0, A0, 00, 00, 00, 89, ...] .text ntkrnlpa.exe!RtlRaiseException + 62 805303B2 1 Byte [00] .text ntkrnlpa.exe!RtlRaiseException + 62 805303B2 13 Bytes [00, 00, 8C, 98, 98, 00, 00, ...] .text ... .text ntkrnlpa.exe!RtlRandomEx + 4E 8053045C 42 Bytes [55, 8B, EC, 8B, 4D, 08, 53, ...] .text ntkrnlpa.exe!RtlRandomEx + 79 80530487 80 Bytes [C1, 6B, C0, 64, 83, C0, 4B, ...] .text ntkrnlpa.exe!RtlRandomEx + CA 805304D8 46 Bytes [EC, 51, 51, 56, 6A, 0D, FF, ...] .text ntkrnlpa.exe!RtlRandomEx + F9 80530507 2 Bytes CALL 80546781 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlRandomEx + FE 8053050C 1 Byte [4D] .text ... .text ntkrnlpa.exe!RtlTimeToTimeFields + 3F 805305A9 21 Bytes [F9, 69, FF, 93, FE, FF, FF, ...] .text ntkrnlpa.exe!RtlTimeToTimeFields + 55 805305BF 31 Bytes [C1, F7, F3, 33, D2, BB, 90, ...] .text ntkrnlpa.exe!RtlTimeToTimeFields + 75 805305DF 22 Bytes [F7, F3, 85, D2, 74, 1B, 8D, ...] .text ntkrnlpa.exe!RtlTimeToTimeFields + 8C 805305F6 30 Bytes [0F, BF, 04, 45, 10, C1, 4D, ...] .text ntkrnlpa.exe!RtlTimeToTimeFields + AB 80530615 78 Bytes [45, FC, 33, D2, BB, E8, 03, ...] .text ... .text ntkrnlpa.exe!RtlTimeFieldsToTime + 1 8053066B 171 Bytes [FF, 55, 8B, EC, 83, EC, 14, ...] .text ntkrnlpa.exe!RtlTimeFieldsToTime + AD 80530717 89 Bytes [F6, 0F, BF, 86, 2E, C1, 4D, ...] .text ntkrnlpa.exe!RtlTimeFieldsToTime + 108 80530772 49 Bytes [F7, F6, 33, D2, 6A, 64, 5E, ...] .text ntkrnlpa.exe!RtlTimeFieldsToTime + 13B 805307A5 36 Bytes [EC, F7, F3, 85, D2, 74, 14, ...] .text ntkrnlpa.exe!RtlTimeFieldsToTime + 160 805307CA 20 Bytes [EB, 0A, 8B, 45, FC, 0F, BF, ...] .text ... .text ntkrnlpa.exe!RtlTimeToSecondsSince1980 + 8 80530814 50 Bytes [6A, 17, FF, 35, 64, C1, 4D, ...] 
.text ntkrnlpa.exe!RtlTimeToSecondsSince1980 + 3B 80530847 5 Bytes [B0, 01, 5D, C2, 08] .text ntkrnlpa.exe!RtlTimeToSecondsSince1980 + 41 8053084D 15 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] .text ntkrnlpa.exe!RtlSecondsSince1980ToTime + B 8053085D 70 Bytes [8B, 45, 08, 33, C9, 03, C2, ...] .text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 1A 805308A4 101 Bytes CALL 8054677F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlSecondsSince1970ToTime + 3A 8053090A 9 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...] {PUSH EBP; MOV EBP, ESP; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0x8]; PUSH EDI} .text ntkrnlpa.exe!RtlSecondsSince1970ToTime + 44 80530914 38 Bytes [75, 10, 8B, 7D, 0C, 57, FF, ...] .text ntkrnlpa.exe!RtlSecondsSince1970ToTime + 6B 8053093B 5 Bytes [F6, 85, FF, 76, 17] .text ntkrnlpa.exe!RtlSecondsSince1970ToTime + 71 80530941 50 Bytes [45, 10, 8B, 4A, 1C, 2B, C8, ...] .text ntkrnlpa.exe!RtlSecondsSince1970ToTime + A4 80530974 65 Bytes [8B, 45, 14, 85, C0, 74, 02, ...] .text ... .text ntkrnlpa.exe!RtlTraceDatabaseCreate + 2E 80530B64 1 Byte [8B] .text ntkrnlpa.exe!RtlTraceDatabaseCreate + 2E 80530B64 58 Bytes [8B, 4D, 10, 83, C9, 02, 53, ...] .text ntkrnlpa.exe!RtlTraceDatabaseCreate + 69 80530B9F 30 Bytes CALL 805309FC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlTraceDatabaseCreate + 88 80530BBE 187 Bytes [45, 18, 85, C0, 75, 09, C7, ...] .text ntkrnlpa.exe!RtlTraceDatabaseDestroy + 24 80530C7A 97 Bytes CALL 805309DE \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!RtlTraceDatabaseValidate + 26 80530CDC 1 Byte [D0] .text ntkrnlpa.exe!RtlTraceDatabaseValidate + 26 80530CDC 274 Bytes [D0, 8B, 01, EB, 03, 8B, 40, ...] .text ntkrnlpa.exe!RtlTraceDatabaseFind + EF 80530DEF 50 Bytes [51, BE, 00, 10, 00, 00, 56, ...] .text ntkrnlpa.exe!RtlTraceDatabaseFind + 122 80530E22 91 Bytes [08, 01, 77, 14, 89, 47, 0C, ...] 
.text ntkrnlpa.exe!RtlTraceDatabaseFind + 17E 80530E7E 33 Bytes [00, 83, C4, 0C, FF, 75, 10, ...] .text ntkrnlpa.exe!RtlTraceDatabaseFind + 1A0 80530EA0 1 Byte [00] .text ntkrnlpa.exe!RtlTraceDatabaseFind + 1A0 80530EA0 41 Bytes [00, 8B, 4F, 44, 8B, C3, C1, ...] .text ... .text ntkrnlpa.exe!RtlTraceDatabaseUnlock + 1 80530EE1 43 Bytes [FF, 55, 8B, EC, 5D, E9, 91, ...] .text ntkrnlpa.exe!RtlTraceDatabaseAdd + 1D 80530F0D 49 Bytes [FF, FF, FF, 75, 08, 8A, D8, ...] .text ntkrnlpa.exe!RtlTraceDatabaseAdd + 50 80530F40 112 Bytes [85, C0, 74, 3B, 8B, 75, 08, ...] .text ntkrnlpa.exe!RtlTraceDatabaseAdd + C1 80530FB1 45 Bytes [8B, D8, 83, FB, FF, 0F, 84, ...] .text ntkrnlpa.exe!RtlTraceDatabaseAdd + EF 80530FDF 7 Bytes [FF, 73, 04, E8, 3F, FF, FF] .text ntkrnlpa.exe!RtlTraceDatabaseAdd + F7 80530FE7 99 Bytes [84, C0, 0F, 84, 00, 01, 00, ...] .text ... .text ntkrnlpa.exe!RtlUnwind + 32 80531134 36 Bytes [45, 04, 8D, B5, 84, FC, FF, ...] .text ntkrnlpa.exe!RtlUnwind + 57 80531159 25 Bytes [BD, 94, FC, FF, FF, 39, 7D, ...] .text ntkrnlpa.exe!RtlUnwind + 72 80531174 204 Bytes [50, C7, 85, 30, FD, FF, FF, ...] .text ntkrnlpa.exe!RtlUnwind + 140 80531242 5 Bytes [FF, 01, 00, 00, 00] .text ntkrnlpa.exe!RtlUnwind + 146 80531248 40 Bytes [B5, DC, FC, FF, FF, E8, FE, ...] .text ... .text ntkrnlpa.exe!VfIsVerificationEnabled + 31 80533221 30 Bytes CALL 80662740 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!VfIsVerificationEnabled + 50 80533240 19 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] .text ntkrnlpa.exe!VfFailDeviceNode + F 80533255 152 Bytes [FF, 84, C0, 74, 21, 8D, 45, ...] .text ntkrnlpa.exe!VfFailDriver + 30 805332EE 6 Bytes [C9, C3, CC, CC, CC, CC] {LEAVE ; RET ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ntkrnlpa.exe!VfFailDriver + 37 805332F5 60 Bytes [CC, 8B, FF, 55, 8B, EC, 8B, ...] .text ntkrnlpa.exe!VfFailDriver + 74 80533332 9 Bytes [8B, 0F, EB, 0D, 0F, B7, 11, ...] 
.text ntkrnlpa.exe!VfFailDriver + 7E 8053333C 37 Bytes [3B, 55, 0C, 74, 21, 8B, 0E, ...] .text ntkrnlpa.exe!VfFailDriver + A4 80533362 89 Bytes JMP 4D200033 .text ... .text ntkrnlpa.exe!WmiGetClock + 35 8053484B 8 Bytes [F7, 75, 0A, 64, A1, 24, 01, ...] .text ntkrnlpa.exe!WmiGetClock + 3E 80534854 9 Bytes [8B, F0, EB, 07, 8B, CF, E8, ...] .text ntkrnlpa.exe!WmiGetClock + 48 8053485E 34 Bytes [FF, 8B, 86, 44, 01, 00, 00, ...] .text ntkrnlpa.exe!WmiGetClock + 6B 80534881 76 Bytes [F7, 75, 0B, 64, A1, 24, 01, ...] .text ntkrnlpa.exe!WmiGetClock + B8 805348CE 28 Bytes [68, 6C, 01, 00, 00, 68, F0, ...] .text ... .text ntkrnlpa.exe!WmiTraceMessageVa + 7 80534E2D 82 Bytes CALL 8053BB90 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!WmiTraceMessageVa + 5A 80534E80 18 Bytes [45, CC, 8B, 48, FC, 89, 4D, ...] {INC EBP; INT 3 ; MOV ECX, [EAX-0x4]; MOV [EBP-0x48], ECX; CMP ECX, ESI; JZ 0x21; ADD EAX, 0x4; MOV [EBP-0x34], EAX} .text ntkrnlpa.exe!WmiTraceMessageVa + 6D 80534E93 85 Bytes [48, FC, 89, 4D, B4, 3B, CE, ...] .text ntkrnlpa.exe!WmiTraceMessageVa + C4 80534EEA 92 Bytes [EB, 02, 33, C9, 89, 4D, C8, ...] .text ntkrnlpa.exe!WmiTraceMessageVa + 121 80534F47 1 Byte [00] .text ... .text ntkrnlpa.exe!NtTraceEvent + 15 8053511D 27 Bytes [00, 64, A1, 24, 01, 00, 00, ...] .text ntkrnlpa.exe!NtTraceEvent + 31 80535139 30 Bytes [0F, 85, 0E, 01, 00, 00, 66, ...] .text ntkrnlpa.exe!NtTraceEvent + 50 80535158 34 Bytes [FB, 40, 73, 70, 8D, 3C, 9D, ...] .text ntkrnlpa.exe!NtTraceEvent + 73 8053517B 27 Bytes [04, 8B, CA, EB, 02, 33, C9, ...] .text ntkrnlpa.exe!NtTraceEvent + 8F 80535197 144 Bytes [F8, 01, 75, 19, 83, C8, FF, ...] .text ... .text ntkrnlpa.exe!IoWMIWriteEvent + 9 80535293 40 Bytes [42, 56, 80, 00, 75, 0A, B8, ...] .text ntkrnlpa.exe!IoWMIWriteEvent + 32 805352BC 111 Bytes [46, 08, 66, 3D, FF, FF, 74, ...] .text ntkrnlpa.exe!IoWMIWriteEvent + A2 8053532C 49 Bytes [FF, 00, 00, 0F, 87, E2, 00, ...] 
.text ntkrnlpa.exe!IoWMIWriteEvent + D4 8053535E 72 Bytes [74, 09, 32, D2, 8B, CE, E8, ...] .text ntkrnlpa.exe!IoWMIWriteEvent + 11E 805353A8 8 Bytes [FF, 76, 04, 88, 45, 0B, E8, ...] .text ... .text ntkrnlpa.exe!IoWMIHandleToInstanceName + 3 8053542B 120 Bytes [8B, EC, FF, 75, 10, 33, C0, ...] .text ntkrnlpa.exe!IoWMIDeviceObjectToInstanceName + 5A 805354A4 1 Byte [10] .text ntkrnlpa.exe!IoWMIDeviceObjectToInstanceName + 5A 805354A4 7 Bytes [10, FF, 36, E8, 4E, 00, 00] .text ntkrnlpa.exe!IoWMIDeviceObjectToInstanceName + 62 805354AC 1 Byte [6A] .text ntkrnlpa.exe!IoWMIDeviceObjectToInstanceName + 62 805354AC 6 Bytes [6A, 00, 6A, 00, 83, C6] .text ntkrnlpa.exe!IoWMIDeviceObjectToInstanceName + 69 805354B3 106 Bytes CALL 804FA243 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!ExInitializeResourceLite + 27 80535723 14 Bytes [BE, FF, FF, 0F, B7, C0, 89, ...] .text ntkrnlpa.exe!ExInitializeResourceLite + 36 80535732 18 Bytes [68, 80, 33, 55, 80, 8B, D6, ...] {PUSH 0x80553380; MOV EDX, ESI; MOV ECX, 0x80565d70; CALL 0x1129e; POP EDI} .text ntkrnlpa.exe!ExInitializeResourceLite + 49 80535745 52 Bytes [C0, 5E, 5D, C2, 04, 00, CC, ...] .text ntkrnlpa.exe!ExDisableResourceBoostLite + 2A 8053577A 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ntkrnlpa.exe!ExReleaseResourceLite + 1 80535781 93 Bytes [FF, 55, 8B, EC, 83, EC, 0C, ...] .text ntkrnlpa.exe!ExReleaseResourceLite + 60 805357E0 2 Bytes [14, 81] {ADC AL, 0x81} .text ntkrnlpa.exe!ExReleaseResourceLite + 64 805357E4 29 Bytes [53, 57, 53, FF, 76, 10, E8, ...] .text ntkrnlpa.exe!ExReleaseResourceLite + 82 80535802 16 Bytes [46, 0E, 8D, 4D, F4, FF, 15, ...] {INC ESI; PUSH CS; LEA ECX, [EBP-0xc]; CALL [0x804d8114]; POP EDI; POP ESI; POP EBX; LEAVE ; RET } .text ntkrnlpa.exe!ExReleaseResourceLite + 93 80535813 30 Bytes [46, 20, 39, 38, 74, 2B, 8D, ...] .text ... 
.text ntkrnlpa.exe!ExSetResourceOwnerPointer + 73 80535A6B 4 Bytes [8D, 0C, D0, EB] .text ntkrnlpa.exe!ExSetResourceOwnerPointer + 78 80535A70 21 Bytes [39, 30, 74, E2, 83, C0, 08, ...] .text ntkrnlpa.exe!ExSetResourceOwnerPointer + 8E 80535A86 35 Bytes [9E, 44, FC, FF, CC, CC, CC, ...] .text ntkrnlpa.exe!ExConvertExclusiveToSharedLite + 1A 80535AAA 162 Bytes [46, 2C, 80, 66, 0E, 7F, 66, ...] .text ntkrnlpa.exe!ExDeleteResourceLite + 61 80535B4D 153 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] .text ntkrnlpa.exe!ExIsResourceAcquiredSharedLite + 21 80535BE7 95 Bytes [39, 7E, 18, 75, 05, 8B, 76, ...] .text ntkrnlpa.exe!ExIsResourceAcquiredSharedLite + 81 80535C47 65 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...] .text ntkrnlpa.exe!ExIsResourceAcquiredSharedLite + C3 80535C89 4 Bytes [FF, 55, 8B, EC] {CALL [EBP-0x75]; IN AL, DX } .text ntkrnlpa.exe!ExIsResourceAcquiredSharedLite + C8 80535C8E 19 Bytes [EC, 14, 83, 4D, F0, FF, 56, ...] .text ntkrnlpa.exe!ExIsResourceAcquiredSharedLite + DC 80535CA2 48 Bytes [46, 28, 52, 89, 55, F4, 89, ...] .text ... .text ntkrnlpa.exe!ExReinitializeResourceLite + 4 805360A0 17 Bytes [EC, 56, 8B, 75, 08, 8B, 46, ...] .text ntkrnlpa.exe!ExReinitializeResourceLite + 16 805360B2 37 Bytes [33, C9, 41, 3B, D1, 76, 0C, ...] .text ntkrnlpa.exe!ExReinitializeResourceLite + 3C 805360D8 63 Bytes CALL 804FCEDB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!ExReinitializeResourceLite + 7D 80536119 28 Bytes [5F, 33, C0, 5E, 5D, C2, 04, ...] .text ntkrnlpa.exe!ExAcquireResourceExclusiveLite + 12 80536138 73 Bytes [75, 08, 8D, 4E, 34, 8D, 55, ...] .text ntkrnlpa.exe!ExAcquireResourceExclusiveLite + 5C 80536182 69 Bytes [8A, D8, 8D, 4D, F4, FF, 15, ...] .text ntkrnlpa.exe!ExAcquireResourceExclusiveLite + A2 805361C8 26 Bytes [55, 8B, EC, 83, EC, 0C, 53, ...] 
.text ntkrnlpa.exe!ExAcquireResourceExclusiveLite + BE 805361E4 1 Byte [10] .text ntkrnlpa.exe!ExAcquireResourceExclusiveLite + C3 805361E9 64 Bytes [DB, 66, 39, 5E, 0C, 75, 15, ...] .text ntkrnlpa.exe!ExAcquireResourceSharedLite 8053622C 6 Bytes [8B, FF, 55, 8B, EC, 83] .text ntkrnlpa.exe!ExAcquireResourceSharedLite + 7 80536233 136 Bytes [0C, 53, 56, 57, 64, A1, 24, ...] .text ntkrnlpa.exe!ExAcquireResourceSharedLite + 90 805362BC 24 Bytes [40, 04, EB, F7, 33, DB, 43, ...] .text ntkrnlpa.exe!ExAcquireResourceSharedLite + A9 805362D5 22 Bytes [EB, 1F, 33, DB, 43, 89, 38, ...] .text ntkrnlpa.exe!ExAcquireResourceSharedLite + C0 805362EC 18 Bytes [8B, 56, 10, 8B, CE, E8, 92, ...] .text ... .text ntkrnlpa.exe!ExAcquireSharedStarveExclusive + 4 80536308 71 Bytes [EC, 83, EC, 0C, 53, 56, 57, ...] .text ntkrnlpa.exe!ExAcquireSharedStarveExclusive + 4C 80536350 9 Bytes [5E, 10, 75, 3C, 8D, 45, F4, ...] {POP ESI; ADC [EBP+0x3c], DH; LEA EAX, [EBP-0xc]; PUSH EAX; PUSH ESI} .text ntkrnlpa.exe!ExAcquireSharedStarveExclusive + 56 8053635A 2 Bytes CALL 8053568B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!ExAcquireSharedStarveExclusive + 5B 8053635F 12 Bytes [C8, 8D, 45, F4, 50, 8B, D7, ...] .text ntkrnlpa.exe!ExAcquireSharedStarveExclusive + 68 8053636C 29 Bytes [FF, 3B, C3, 74, B7, 39, 38, ...] .text ... .text ntkrnlpa.exe!ExAcquireSharedWaitForExclusive + 29 805363FD 63 Bytes [0C, 0F, 84, 8B, 00, 00, 00, ...] .text ntkrnlpa.exe!ExAcquireSharedWaitForExclusive + 69 8053643D 20 Bytes [4D, F4, FF, 15, 14, 81, 4D, ...] .text ntkrnlpa.exe!ExAcquireSharedWaitForExclusive + 7E 80536452 64 Bytes [00, 00, 66, 39, 46, 2E, 74, ...] .text ntkrnlpa.exe!ExAcquireSharedWaitForExclusive + BF 80536493 2 Bytes [7E, 20] {JLE 0x22} .text ntkrnlpa.exe!ExAcquireSharedWaitForExclusive + C2 80536496 37 Bytes [5E, 24, 66, 89, 5E, 0C, EB, ...] .text ... .text ntkrnlpa.exe!ExQueryPoolBlockSize + B 80536717 42 Bytes [20, 56, 8B, 75, 08, 74, 18, ...] 
.text ntkrnlpa.exe!ExQueryPoolBlockSize + 36 80536742 5 Bytes [00, B8, 00, 10, 00] .text ntkrnlpa.exe!ExQueryPoolBlockSize + 3C 80536748 23 Bytes [EB, 27, 8B, 55, 0C, 33, C0, ...] .text ntkrnlpa.exe!ExQueryPoolBlockSize + 54 80536760 21 Bytes [8D, 04, C5, F8, FF, FF, FF, ...] .text ntkrnlpa.exe!ExQueryPoolBlockSize + 6A 80536776 86 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] .text ... .text ntkrnlpa.exe!ExAllocatePool + E 80537016 152 Bytes CALL 8054B966 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!ExAllocatePoolWithQuotaTag + 25 805370AF 7 Bytes [75, 11, F6, 05, ED, A7, 55] .text ntkrnlpa.exe!ExAllocatePoolWithQuotaTag + 2D 805370B7 61 Bytes [20, 75, 08, 0F, B6, DB, 83, ...] .text ntkrnlpa.exe!ExAllocatePoolWithQuotaTag + 6B 805370F5 24 Bytes [00, 8B, 78, 44, 83, 66, FC, ...] .text ntkrnlpa.exe!ExAllocatePoolWithQuotaTag + 84 8053710E 70 Bytes [25, FF, 01, 00, 00, C1, E0, ...] .text ntkrnlpa.exe!ExAllocatePoolWithQuotaTag + CB 80537155 6 Bytes [00, C0, E8, C0, FE, 00] .text ... .text ntkrnlpa.exe!ExAllocatePoolWithQuota + D 805371DB 12 Bytes CALL 80537087 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation) .text ntkrnlpa.exe!ExAllocatePoolWithQuota + 1C 805371EA 175 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...] .text ntkrnlpa.exe!ExNotifyCallback + AE 8053729A 1 Byte [CC] {INT 3 } .text ntkrnlpa.exe!ExNotifyCallback + AE 8053729A 358 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] ? spes.sys Das System kann die angegebene Datei nicht finden. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB4D82380, 0x3DF545, 0xE8000020] .text USBPORT.SYS!DllUnload B4D3F8AC 5 Bytes JMP 8ACA71D8 .text aqcpzp7w.SYS B4CC7386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text aqcpzp7w.SYS B4CC73AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] 
.text aqcpzp7w.SYS B4CC73C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH} .text aqcpzp7w.SYS B4CC73C9 1 Byte [30] .text aqcpzp7w.SYS B4CC73C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA8042] spes.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA813E] spes.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA80C0] spes.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA8800] spes.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA86D6] spes.sys IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!KeGetCurrentIrql] 9E880000 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!KfRaiseIrql] 00001CA9 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!KfLowerIrql] 0E798366 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!HalGetInterruptVector] 74AAB000 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!HalTranslateBusAddress] 8186C636 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200 IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[WMILIB.SYS!WmiSystemControl] 8800001C IAT \SystemRoot\System32\Drivers\aqcpzp7w.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB7E9C] spes.sys ---- User IAT/EAT - GMER 1.0.15 
---- IAT C:\WINDOWS\system32\winlogon.exe[1520] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtLockProductActivationKeys] [0500073E] C:\WINDOWS\system32\antiwpa.dll IAT C:\WINDOWS\system32\winlogon.exe[1520] @ C:\WINDOWS\system32\winlogon.exe [USER32.dll!GetSystemMetrics] [05000756] C:\WINDOWS\system32\antiwpa.dll ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8AF0A1F8 Device \FileSystem\Fastfat \FatCdrom 899841F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{748C74E4-64EA-47B3-BBEA-5723CAFCB50E} 8AB48500 Device \Driver\PCI_PNP8730 \Device\00000044 spes.sys Device \Driver\usbohci \Device\USBPDO-0 8ACA61F8 Device \Driver\usbohci \Device\USBPDO-1 8ACA61F8 Device \Driver\usbohci \Device\USBPDO-2 8ACA61F8 Device \Driver\usbohci \Device\USBPDO-3 8ACA61F8 Device \Driver\usbohci \Device\USBPDO-4 8ACA61F8 Device \Driver\usbehci \Device\USBPDO-5 8ACB8500 Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE9A1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE9A1F8 Device \Driver\Cdrom \Device\CdRom0 8ACB5500 Device \Driver\Ftdisk \Device\HarddiskVolume3 8AE9A1F8 Device \Driver\Cdrom \Device\CdRom1 8ACB5500 Device \Driver\atapi \Device\Ide\IdePort0 [B7E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B7E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B7E20B40] atapi.sys[unknown section] 
{MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\sptd \Device\4213228730 spes.sys Device \Driver\Ftdisk \Device\HarddiskVolume4 8AE9A1F8 Device \Driver\Cdrom \Device\CdRom2 8ACB5500 Device \Driver\usbstor \Device\00000080 8AAA9500 Device \Driver\usbstor \Device\00000074 8AAA9500 Device \Driver\Cdrom \Device\CdRom3 8ACB5500 Device \Driver\Cdrom \Device\CdRom4 8ACB5500 Device \Driver\usbstor \Device\00000076 8AAA9500 Device \Driver\usbstor \Device\00000077 8AAA9500 Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB48500 Device \Driver\NetBT \Device\NetBT_Tcpip_{BF278232-7C08-494D-B0FC-621B96F8DE38} 8AB48500 Device \Driver\usbstor \Device\00000078 8AAA9500 Device \Driver\usbstor \Device\00000079 8AAA9500 Device \Driver\NetBT \Device\NetbiosSmb 8AB48500 Device \Driver\usbohci \Device\USBFDO-0 8ACA61F8 Device \Driver\usbstor \Device\0000007a 8AAA9500 Device \Driver\usbohci \Device\USBFDO-1 8ACA61F8 Device \Driver\usbohci \Device\USBFDO-2 8ACA61F8 Device \Driver\usbstor \Device\0000007b 8AAA9500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AB6A500 Device \Driver\usbstor \Device\0000007c 8AAA9500 Device \Driver\usbohci \Device\USBFDO-3 8ACA61F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AB6A500 Device \Driver\usbstor \Device\0000007d 8AAA9500 Device \Driver\Ftdisk \Device\FtControl 8AE9A1F8 Device \Driver\usbohci \Device\USBFDO-4 8ACA61F8 Device \Driver\usbstor \Device\0000007e 8AAA9500 Device \Driver\usbehci \Device\USBFDO-5 8ACB8500 Device \Driver\usbstor \Device\0000007f 8AAA9500 Device \Driver\aqcpzp7w \Device\Scsi\aqcpzp7w1Port4Path0Target1Lun0 8AB2F500 Device \Driver\aqcpzp7w \Device\Scsi\aqcpzp7w1Port4Path0Target3Lun0 8AB2F500 Device \Driver\aqcpzp7w \Device\Scsi\aqcpzp7w1Port4Path0Target0Lun0 8AB2F500 Device \Driver\aqcpzp7w \Device\Scsi\aqcpzp7w1 8AB2F500 Device \Driver\aqcpzp7w \Device\Scsi\aqcpzp7w1Port4Path0Target2Lun0 8AB2F500 Device \FileSystem\Fastfat \Fat 899841F8 AttachedDevice 
\FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 8AB46500 ---- Processes - GMER 1.0.15 ---- Process C:\Dokumente und Einstellungen\Besitzer\Desktop\5nnt4fh0.exe (*** hidden *** ) 1308 Process C:\Programme\TuneUp Utilities 2010\TuneUpDefragService.exe (*** hidden *** ) 1780 Process C:\Programme\Gemeinsame Dateien\tysarekb\zamsdyg.exe (*** hidden *** ) 2060 Process E:\Programme\Mozilla Firefox\firefox.exe (*** hidden *** ) 2628 Process C:\WINDOWS\System32\alg.exe (*** hidden *** ) 3088 Process C:\WINDOWS\System32\wbem\wmiapsrv.exe (*** hidden *** ) 3264 Process E:\Programme\CCleaner\CCleaner.exe (*** hidden *** ) 3540 Process F:\treiber & utilities\utorrent.exe (*** hidden *** ) 3700 Process C:\Programme\Windows Media Player\wmplayer.exe (*** hidden *** ) 4016 Process C:\Programme\Gemeinsame Dateien\tysarekb\zamsdyg.exe (*** hidden *** ) 4044 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x58 0xCE 0x33 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB5 0xCD 0x27 0x41 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0xD7 0x04 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBB 0x9A 0xEE 0xFA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x13 0xED 0x68 0x4E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x13 0xED 0x68 0x4E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x58 0xCE 0x33 0x3C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB5 0xCD 0x27 0x41 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0xD7 0x04 0x03 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBB 0x9A 0xEE 0xFA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x13 0xED 0x68 0x4E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x13 0xED 0x68 0x4E ... ---- EOF - GMER 1.0.15 ---- |
10.12.2009, 20:26 | #9 |
| TR/DROPPER GEN on the computer hmmm.. that's not good. I guess that means this is heading towards a reformat, right? Hmm, well, Malwarebytes is still running; as soon as it's finished I'll post it here. But thanks for now, have a nice evening. |