Pests of all kinds and how to fight them: DR/Autoit.TC.115 and TR/FraudPack.ajcp (Windows 7)
If you are not sure whether you have caught malware or a trojan, create a thread here. An expert will respond with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you eliminate the infection.
28.12.2009, 17:14 | #1
DR/Autoit.TC.115 and TR/FraudPack.ajcp
Hi, my girlfriend recently kept getting advertising pop-ups, i.e. the browser windows opened by themselves. I had already described the problem here. I was then able to remove some infected files using mbam, but the problem persisted. Now, after switching on the PC, several virus alerts from Avira AntiVir appeared: DR/Autoit.TC.115 and TR/FraudPack.ajcp were detected. Can anyone help?
29.12.2009, 11:50 | #2
/// Helfer-Team | DR/Autoit.TC.115 and TR/FraudPack.ajcp
Hello and welcome!
What has already happened on the machine:
What matters is that you decide for yourself what risk you are willing to take... especially if you do things like online banking etc.
- Please read the instructions thoroughly and always follow them strictly, since I have prepared the order according to certain criteria:
1. I need more of an "overview", i.e. data over a longer period of time. For that, please make hidden and system files visible:
→ Under Start, click My Computer.
→ In the Tools menu, click Folder Options.
→ Files and Folders / "Hide extensions for known file types" → remove the check mark
→ "Hide protected and system files" → remove the check mark
→ Hidden files and folders / "Show all files and folders" → set the check mark.
→ "Hide protected system files" must not be checked, and "Show all files and folders" must be enabled.
2. For XP and Win2000 (otherwise skip):
→ download filelist.zip to your desktop
→ extract the zip file to your desktop
→ now start it by double-clicking the file "filelist.bat"; your editor (text editor) will open
→ copy all 7 directories ("C\...") etc. from the generated log file here into your thread, but only the entries of the last 6 months
** there is a date in front of every entry, so please delete the entries that are older than 6 months!
3. I would also like to see all your installed programs: download the CCleaner tool and install it (uncheck "Add CCleaner Yahoo! Toolbar") → start it → under Options / Settings select "german" → then click "Extra" (to also display the installed programs) → then "Save as text file...", a text file (*.txt) is created; copy its contents and paste them here
4.
5. To get a deeper look into your system and to track down a possible infection with a rootkit (info: wikipedia.org), we will use a tool, Gmer:
** no connection to any network or the internet, and don't forget WLAN. When the scan is finished, please re-enable all programs and tools!
** you can upload the log at File-Upload.net/kostenlos and post the link here for me.
** If at all possible, do not go online, no online banking, file sharing, chat programs, etc.
Regards, Coverflow
29.12.2009, 13:35 | #3
DR/Autoit.TC.115 and TR/FraudPack.ajcp
OK, so here is the filelist log first:
Code:
----- Root -----------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\
29.12.2009 13:20 43 filelist.txt
29.12.2009 12:16 2.147.061.760 hiberfil.sys
29.12.2009 12:16 805.306.368 pagefile.sys
26.12.2009 13:08 0 khw
----- Windows --------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\WINDOWS
29.12.2009 12:17 0 0.log
29.12.2009 12:17 159 wiadebug.log
29.12.2009 12:17 313 wiaservc.log
29.12.2009 12:16 2.048 bootstat.dat
28.12.2009 18:22 5.073 WindowsUpdate.log
26.12.2009 18:19 164.352 msa.exe
26.12.2009 17:17 22.316 setupapi.log
29.11.2009 13:24 116 NeroDigital.ini
27.11.2009 15:43 526 eReg.dat
13.11.2009 19:23 24 SELINGUA.INI
30.08.2009 10:05 169 RtlRack.ini
----- System 32 (Achtung: Zeitfenster beachten!) ---
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\WINDOWS\system32
29.12.2009 12:17 204.100 nvapps.xml
26.12.2009 15:03 2.206 wpa.dbl
26.12.2009 13:07 (1.579) autorun.i
26.12.2009 13:07 (833) autorun.in
19.12.2009 11:46 12.524 KGyGaAvL.sys
29.10.2009 18:14 392.296 perfh009.dat
29.10.2009 18:14 58.596 perfc009.dat
29.10.2009 18:14 405.118 perfh007.dat
29.10.2009 18:14 70.580 perfc007.dat
29.10.2009 18:14 938.224 PerfStringBackup.INI
----- Tasks ----------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\WINDOWS\tasks
29.12.2009 13:09 278 {66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
26.12.2009 18:19 240 {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
----- Windows/Temp -----------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\WINDOWS\Temp
14.11.2009 22:52 7.168 etilqs_faNciDRYIZjbHVXABWw9
14.11.2009 22:52 1.028 etilqs_R3RphEOkT7tm0VLwLPfm
14.11.2009 22:52 512 etilqs_qa9sclhamg2f6L0mCjuQ
----- Temp -----------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\DOKUME~1\***\LOKALE~1\Temp
29.12.2009 13:19 549 t853zogh.zip
29.12.2009 12:17 0 JET2F48.tmp
29.12.2009 12:17 11.097 LVCOMSX.LOG
26.12.2009 19:27 39.532 a.dat
26.12.2009 18:19 168.960 c.exe
26.12.2009 18:19 164.352 b.exe
26.12.2009 18:19 349.696 a.exe
26.12.2009 16:51 311.296 ~DF9098.tmp
25.12.2009 17:50 16.384 ~DF1AA0.tmp
25.12.2009 17:49 16.384 ~DF5F3F.tmp
11.12.2009 10:00 1.166.464 55b8nihn.rar
27.11.2009 16:07 24.516 SIntfNT.dll
27.11.2009 16:07 19.924 SIntf32.dll
27.11.2009 16:07 12.067 SIntf16.dll
15.11.2009 14:52 36.526.028 ubi54.tmp.exe
15.11.2009 14:08 36.864 CmdLineExt02.dll
14.11.2009 10:23 212.992 3_-_Straftaten_gegen_die_k__rperliche_Unversehrtheit.ppt
01.11.2009 13:47 288.768 1_-_Einleitung__Straftaten_gegen_das_Leben.ppt
30.10.2009 16:11 1.734.274 newn46rn.rar
19.10.2009 10:56 1.392.805 LastScan.jpg
08.10.2009 22:35 100.293 coredmp
05.10.2009 16:18 252 r2h68.tmp
05.10.2009 12:03 27.648 18-taeterschaft04.doc
24.08.2009 12:07 39.424 at10910 Folien 040609.doc
26.07.2009 09:04 358.912 e62iavbc.rar
23.07.2009 14:35 16.825.216 718631~1.exe
10.07.2009 14:09 823 {AC76BA86-7AD7-1031-7B44-A81300000003}.ini
12.06.2009 07:54 2.196.934 g0rtfkqy.exe
05.06.2009 14:26 167.936 schuldrecht.ppt
05.06.2009 12:55 26.112 Hinweise zum Gutachten-und Urteilsstil.doc
05.06.2009 12:52 22.528 Fall Kopierpapier.doc
Code:
1.9.2.1705
ABBYY FineReader 6.0 Sprint ABBYY Software House 6.00.1395.41612
Adobe Flash Player 10 Plugin Adobe Systems Incorporated 10.0.12.36
Adobe Flash Player 9 ActiveX Adobe Systems 9
Adobe Reader 9.1 - Deutsch Adobe Systems Incorporated 9.1.0
Advanced IM Password Recovery (remove only)
AGEIA PhysX v7.11.13 AGEIA Technologies, Inc. 7.11.13
Apple Mobile Device Support Apple Inc. 2.1.1.13
Apple Software Update Apple Inc. 2.1.1.116
Avance AC'97 Audio
Avira AntiVir Personal - Free Antivirus Avira GmbH
Bonjour Apple Inc. 1.0.105
CCleaner Piriform 2.27
Connection Manager deinstallieren
DivX DivXNetworks, Inc. 5.2
DivX Player DivXNetworks, Inc. 2.5.4
DivX Web Player DivX,Inc. 1.4.2
DVD Shrink 3.2 DVD Shrink
EVEREST Home Edition v2.20 Lavalys Inc 2.20
ffdshow [rev 1723] [2007-12-24] 1.0
Harry Potter TM
HijackThis 2.0.2 TrendMicro 2.0.2
ICQ Toolbar ICQ 3.0.0
ICQ6.5 ICQ 6.5
IL-2 Sturmovik: Forgotten Battles Ubi Soft 1.00.0000
iTunes Apple Inc. 8.0.1.11
J2SE Runtime Environment 5.0 Update 6 Sun Microsystems, Inc. 1.5.0.60
Lexmark 2300 Series
Lexmark Fax-Lösungen Lexmark International, Inc.
Logitech Audio Echo Cancellation Component
Logitech QuickCam Logitech Inc. 10.00.1439
Logitech Video Enumerator
Logitech® Camera-Treiber
MA111 Configuration Utility
Malwarebytes' Anti-Malware Malwarebytes Corporation
Microsoft .NET Framework 2.0 Microsoft Corporation
Microsoft .NET Framework 2.0 Language Pack - DEU Microsoft Corporation
Microsoft Encarta 2007 - Enzyklopädie
Microsoft Office Professional Edition 2003 Microsoft Corporation 11.0.5614.0
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 8.0.56336
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 9.0.30729
MobileMe Control Panel Apple Inc. 2.1.1.13
Mozilla Firefox (2.0.0.20) Mozilla 2.0.0.20 (de)
MSN
MSXML 6.0 Parser Microsoft Corporation 6.00.3883.8
Nero 7 Demo Nero AG 7.00.1466
NVIDIA Drivers NVIDIA Corporation 1.3
PC-Bibliothek
PowerDVD CyberLink Corporation 7.0.2211.0
Proteinbiosynthese Schroedel 1.0
QuickTime Apple Inc. 7.55.90.70
RealPlayer
Sacred 2 Demo Ascaron Entertainment 1.0.0.0
Sacred Underworld Ascaron Entertainment GmbH
SCHLECKER Foto Digital Service
Selingua
Sony Ericsson PC Suite Sony Ericsson 1.30.82
System Requirements Lab
THE SETTLERS - Rise of an Empire Ubisoft 1.00.0000
ubi.com
UMVPLStandalone
VeohTV BETA Veoh Networks, Inc. 3.9.1
VideoLAN VLC media player 0.8.6f VideoLAN Team 0.8.6f
Winamp (remove only)
WinRAR Archivierer
Xfire (remove only)
XnView 1.97 Gougelet Pierre-e 1.97
Xvid 1.1.3 final uninstall Xvid team (Koepi) 1.1
µTorrent 1.8.0
EDIT: Here is the F-Secure log now; however, it reported no findings.
Code:
12/29/09 13:33:09 [Info]: BlackLight Engine 2.2.1092 initialized
12/29/09 13:33:09 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/29/09 13:33:10 [Note]: 7019 4
12/29/09 13:33:10 [Note]: 7005 0
12/29/09 13:33:24 [Note]: 7006 0
12/29/09 13:33:24 [Note]: 7011 1776
12/29/09 13:33:24 [Note]: 7035 0
12/29/09 13:33:25 [Note]: 7026 0
12/29/09 13:33:25 [Note]: 7026 0
12/29/09 13:33:27 [Note]: FSRAW library version 1.7.1024
12/29/09 13:36:44 [Note]: 2000 1012
12/29/09 13:36:44 [Note]: 2000 1012
12/29/09 13:37:00 [Note]: 7007 0
Code:
gmer.exe hat ein Problem festgestellt und muss beendet werden.
Problemsignatur
AppName: gmer.exe AppVer: 1.0.15.15281 ModName: gmer.exe
ModVer: 1.0.15.15281 Offset: 0005c887
Last edited by kall9r (29.12.2009 at 13:53)
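The filelist listing above is the kind of artefact a helper reads by eye for clusters of freshly written binaries. As an added example (not code from this thread or from the filelist tool), here is a small Python triage script for listings in that format. The sample listing is a constructed excerpt modelled on the log in this post, not the full log; the seven-day window and the list of executable extensions are assumptions. It groups recently written executables by their minute-resolution timestamp, so files dropped together in one minute stand out, and it lists files of identical size in different directories, which are worth hashing and comparing before deciding what to submit to a scanner.

```python
"""Triage helper for directory listings in the filelist.bat format (added
example, not part of the thread or of the filelist tool).

Entry lines look like   29.12.2009 13:20 43 filelist.txt
section headers like    ----- Temp -----------------------------
and sizes use German thousands separators (2.147.061.760); a size in
parentheses, as in "(1.579) autorun.i", is kept as a plain number.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = """\
----- Windows --------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA
Verzeichnis von C:\\WINDOWS
29.12.2009 12:17 2.048 bootstat.dat
28.12.2009 18:22 5.073 WindowsUpdate.log
26.12.2009 18:19 164.352 msa.exe
29.11.2009 13:24 116 NeroDigital.ini
----- Temp -----------------------------
Verzeichnis von C:\\DOKUME~1\\***\\LOKALE~1\\Temp
29.12.2009 13:19 549 t853zogh.zip
26.12.2009 18:19 168.960 c.exe
26.12.2009 18:19 164.352 b.exe
26.12.2009 18:19 349.696 a.exe
15.11.2009 14:52 36.526.028 ubi54.tmp.exe
05.06.2009 14:26 167.936 schuldrecht.ppt
"""

SECTION_RE = re.compile(r"^-{5}\s*(.+?)\s*-{3,}$")
ENTRY_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}) \(?([\d.]+)\)? (.+)$")
TS_FORMAT = "%d.%m.%Y %H:%M"
# Extensions treated as executable content for triage purposes (assumption).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")


class Entry(NamedTuple):
    section: str
    mtime: datetime
    size: int
    name: str


def parse_filelist(text: str) -> List[Entry]:
    """Turn the listing into Entry records; banner lines are skipped."""
    entries: List[Entry] = []
    section = ""
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "Datenträger ...", "Verzeichnis von ..." and similar
        stamp, size, name = m.groups()
        entries.append(Entry(section, datetime.strptime(stamp, TS_FORMAT),
                             int(size.replace(".", "")), name))
    return entries


def recent_executables(entries: List[Entry], now: str,
                       window_days: int = 7) -> Dict[str, List[str]]:
    """Executables written within `window_days` before `now`, grouped by
    their minute-resolution timestamp: several binaries landing in the same
    minute usually come from one dropper rather than from the user."""
    cutoff = datetime.strptime(now, TS_FORMAT) - timedelta(days=window_days)
    clusters: Dict[str, List[str]] = {}
    for e in entries:
        if e.mtime >= cutoff and e.name.lower().endswith(EXEC_EXT):
            clusters.setdefault(e.mtime.strftime(TS_FORMAT), []).append(e.name)
    return clusters


def same_size_files(entries: List[Entry]) -> Dict[int, List[str]]:
    """Files of identical byte size under different names or directories;
    candidates for comparing hashes (a dropper's copy of its own payload
    keeps its size even when renamed)."""
    by_size: Dict[int, List[str]] = {}
    for e in entries:
        by_size.setdefault(e.size, []).append(f"{e.section}\\{e.name}")
    return {size: names for size, names in by_size.items() if len(names) > 1}


if __name__ == "__main__":
    items = parse_filelist(SAMPLE_LOG)
    for stamp, names in recent_executables(items, "29.12.2009 13:30").items():
        print(f"{stamp}: {', '.join(names)}")
    for size, names in same_size_files(items).items():
        print(f"{size} bytes: {' == '.join(names)}")
```

Run against a real filelist log, `recent_executables` takes the scan time as `now`; the grouping by timestamp is only a prioritisation aid, and a same-size pair is a prompt to compare hashes, not a verdict.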
29.12.2009, 16:40 | #4
DR/Autoit.TC.115 and TR/FraudPack.ajcp
I have now scanned the computer completely several times with AntiVir, using the aggressive settings. The viruses/trojans mentioned in the title no longer showed up, but 2 new ones did. The file "aimpr.exe" apparently contained "SPR/PSW.AdvancedPR.N", and the "config.exe" from the DivX player contained this: "PCk/Asprotect" (= "program compressed with an unusual runtime packer"). How should I proceed, and how can I get GMER to run? As I said, it aborts right after starting, already during the mandatory standard scan. Is there an alternative?
29.12.2009, 19:07 | #5
/// Helfer-Team | DR/Autoit.TC.115 and TR/FraudPack.ajcp
hi
OK, if GMER won't cooperate...
1. Download and install the tool RootRepeal, tick "Drivers", "Stealth Objects" and "Hidden Services", then click "OK". After the scan, click "Save Report", save the log file as RootRepeal.txt on the desktop and copy its contents here into the thread.
2. Please make sure to connect all existing external drives, including any USB sticks, to the computer, but hold down the Shift key while doing so, so that the autorun function is not executed. Download Malwarebytes Anti-Malware from → malwarebytes.org
3. Post again:
Trend Micro HijackThis log file (no open windows while HijackThis is running!!)
filelist.bat (the last six months!)
01.01.2010, 18:07 | #6
DR/Autoit.TC.115 and TR/FraudPack.ajcp
OK, so I hope I did the RootRepeal part right; I could only save the individual reports and did not lump them together, so that it does not get too confusing. No "hidden services" were found at all.
Drivers:
Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/01 17:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name:  Image Path:  Address: 0xF7A37000  Size: 98304  File Visible: No  Signed: No  Status: -
Name:  Image Path:  Address: 0x00000000  Size: 0  File Visible: No  Signed: No  Status: -
Name: 1394BUS.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS  Address: 0xF7627000  Size: 53248  File Visible: -  Signed: Yes  Status: -
Name: a2z6qbkw.SYS  Image Path: C:\WINDOWS\System32\Drivers\a2z6qbkw.SYS  Address: 0xB9CE5000  Size: 421888  File Visible: No  Signed: No  Status: -
Name: a347bus.sys  Image Path: a347bus.sys  Address: 0xF740C000  Size: 160640  File Visible: -  Signed: No  Status: -
Name: ACEDRV05.sys  Image Path: C:\WINDOWS\system32\drivers\ACEDRV05.sys  Address: 0xB7AA9000  Size: 389120  File Visible: -  Signed: No  Status: -
Name: ACPI.sys  Image Path: ACPI.sys  Address: 0xF7868000  Size: 188800  File Visible: -  Signed: Yes  Status: -
Name: ACPI_HAL  Image Path: \Driver\ACPI_HAL  Address: 0x804D7000  Size: 2181632  File Visible: -  Signed: Yes  Status: -
Name: afd.sys  Image Path: C:\WINDOWS\System32\drivers\afd.sys  Address: 0xB7878000  Size: 138496  File Visible: -  Signed: Yes  Status: -
Name: agp440.sys  Image Path: agp440.sys  Address: 0xF7687000  Size: 42368  File Visible: -  Signed: Yes  Status: -
Name: ALCXWDM.SYS  Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS  Address: 0xB9D4C000  Size: 653920  File Visible: -  Signed: Yes  Status: -
Name: arp1394.sys  Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys  Address: 0xF7596000  Size: 60800  File Visible: -  Signed: Yes  Status: -
Name: atksgt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\atksgt.sys  Address: 0xB6D2A000  Size: 271360  File Visible: -  Signed: Yes  Status: -
Name: audstub.sys  Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys  Address: 0xBA575000  Size: 3072  File Visible: -  Signed: Yes  Status: -
Name: avgio.sys  Image Path: C:\Programme\Avira\AntiVir Desktop\avgio.sys  Address: 0xF79FF000  Size: 6144  File Visible: -  Signed: Yes  Status: -
Name: avgntflt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys  Address: 0xB72FF000  Size: 81920  File Visible: -  Signed: Yes  Status: -
Name: avipbb.sys  Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys  Address: 0xB7772000  Size: 114688  File Visible: -  Signed: Yes  Status: -
Name: Beep.SYS  Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS  Address: 0xF79F5000  Size: 4224  File Visible: -  Signed: Yes  Status: -
Name: BOOTVID.dll  Image Path: C:\WINDOWS\system32\BOOTVID.dll  Address: 0xF7897000  Size: 12288  File Visible: -  Signed: Yes  Status: -
Name: Cdfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS  Address: 0xB9E84000  Size: 63744  File Visible: -  Signed: Yes  Status: -
Name: cdrom.sys  Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys  Address: 0xF7576000  Size: 49536  File Visible: -  Signed: Yes  Status: -
Name: CLASSPNP.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS  Address: 0xF7667000  Size: 53248  File Visible: -  Signed: Yes  Status: -
Name: disk.sys  Image Path: disk.sys  Address: 0xF7657000  Size: 36352  File Visible: -  Signed: Yes  Status: -
Name: dmio.sys  Image Path: dmio.sys  Address: 0xF7961000  Size: 154112  File Visible: -  Signed: Yes  Status: -
Name: dmload.sys  Image Path: dmload.sys  Address: 0xF798D000  Size: 5888  File Visible: -  Signed: Yes  Status: -
Name: drmk.sys  Image Path: C:\WINDOWS\system32\drivers\drmk.sys  Address: 0xF75A6000  Size: 61440  File Visible: -  Signed: Yes  Status: -
Name: dump_atapi.sys  Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys  Address: 0xB7688000  Size: 98304  File Visible: No  Signed: No  Status: -
Name: dump_WMILIB.SYS  Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS  Address: 0xF7A07000  Size: 8192  File Visible: No  Signed: No  Status: -
Name: Dxapi.sys  Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys  Address: 0xB7860000  Size: 12288  File Visible: -  Signed: Yes  Status: -
Name: dxg.sys  Image Path: C:\WINDOWS\System32\drivers\dxg.sys  Address: 0xBF000000  Size: 73728  File Visible: -  Signed: Yes  Status: -
Name: dxgthk.sys  Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys  Address: 0xF7AA9000  Size: 4096  File Visible: -  Signed: Yes  Status: -
Name: Fastfat.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS  Address: 0xB6EB2000  Size: 143360  File Visible: -  Signed: Yes  Status: -
Name: fdc.sys  Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys  Address: 0xF775F000  Size: 27392  File Visible: -  Signed: Yes  Status: -
Name: Fips.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS  Address: 0xB9EA4000  Size: 35072  File Visible: -  Signed: Yes  Status: -
Name: flpydisk.sys  Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys  Address: 0xF77EF000  Size: 20480  File Visible: -  Signed: Yes  Status: -
Name: fltMgr.sys  Image Path: fltMgr.sys  Address: 0xBA7E1000  Size: 124800  File Visible: -  Signed: Yes  Status: -
Name: Fs_Rec.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS  Address: 0xF79F3000  Size: 7936  File Visible: -  Signed: Yes  Status: -
Name: ftdisk.sys  Image Path: ftdisk.sys  Address: 0xF7838000  Size: 126336  File Visible: -  Signed: Yes  Status: -
Name: gameenum.sys  Image Path: C:\WINDOWS\system32\DRIVERS\gameenum.sys  Address: 0xBA5FB000  Size: 10624  File Visible: -  Signed: Yes  Status: -
Name: GEARAspiWDM.sys  Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys  Address: 0xBA5F3000  Size: 9984  File Visible: -  Signed: Yes  Status: -
Name: hal.dll  Image Path: C:\WINDOWS\system32\hal.dll  Address: 0x806EC000  Size: 131968  File Visible: -  Signed: Yes  Status: -
Name: HIDCLASS.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS  Address: 0xB9E64000  Size: 36864  File Visible: -  Signed: Yes  Status: -
Name: HIDPARSE.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS  Address: 0xF77FF000  Size: 28672  File Visible: -  Signed: Yes  Status: -
Name: hidusb.sys  Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys  Address: 0xB9DFC000  Size: 9600  File Visible: -  Signed: Yes  Status: -
Name: HTTP.sys  Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys  Address: 0xB5E45000  Size: 263040  File Visible: -  Signed: Yes  Status: -
Name: hyvlbhp.sys  Image Path: hyvlbhp.sys  Address: 0xF75F7000  Size: 54016  File Visible: No  Signed: No  Status: -
Name: i8042prt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys  Address: 0xF76C7000  Size: 53248  File Visible: -  Signed: Yes  Status: -
Name: imapi.sys  Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys  Address: 0xF7586000  Size: 41856  File Visible: -  Signed: Yes  Status: -
Name: intelide.sys  Image Path: intelide.sys  Address: 0xF798B000  Size: 5504  File Visible: -  Signed: Yes  Status: -
Name: intelppm.sys  Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys  Address: 0xF76E7000  Size: 40192  File Visible: -  Signed: Yes  Status: -
Name: ipnat.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys  Address: 0xB793A000  Size: 134912  File Visible: -  Signed: Yes  Status: -
Name: ipsec.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys  Address: 0xB79DB000  Size: 74752  File Visible: -  Signed: Yes  Status: -
Name: isapnp.sys  Image Path: isapnp.sys  Address: 0xF7607000  Size: 36224  File Visible: -  Signed: Yes  Status: -
Name: kbdclass.sys  Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys  Address: 0xF7767000  Size: 25216  File Visible: -  Signed: Yes  Status: -
Name: kbdhid.sys  Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys  Address: 0xB786C000  Size: 14848  File Visible: -  Signed: Yes  Status: -
Name: KDCOM.DLL  Image Path: C:\WINDOWS\system32\KDCOM.DLL  Address: 0xF7987000  Size: 8192  File Visible: -  Signed: Yes  Status: -
Name: ks.sys  Image Path: C:\WINDOWS\system32\drivers\ks.sys  Address: 0xB9EB4000  Size: 143360  File Visible: -  Signed: Yes  Status: -
Name: KSecDD.sys  Image Path: KSecDD.sys  Address: 0xBA718000  Size: 92032  File Visible: -  Signed: Yes  Status: -
Name: lirsgt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\lirsgt.sys  Address: 0xB79F6000  Size: 18048  File Visible: -  Signed: Yes  Status: -
Name: LVPr2Mon.sys  Image Path: C:\WINDOWS\system32\drivers\LVPr2Mon.sys  Address: 0xF773F000  Size: 17792  File Visible: -  Signed: Yes  Status: -
Name: lvusbsta.sys  Image Path: C:\WINDOWS\system32\drivers\lvusbsta.sys  Address: 0xB9E54000  Size: 33280  File Visible: -  Signed: Yes  Status: -
Name: MA111nd5.sys  Image Path: C:\WINDOWS\system32\DRIVERS\MA111nd5.sys  Address: 0xB76A0000  Size: 696320  File Visible: -  Signed: No  Status: -
Name: mbamswissarmy.sys  Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys  Address: 0xF77BF000  Size: 32768  File Visible: -  Signed: Yes  Status: -
Name: mnmdd.SYS  Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS  Address: 0xF79F9000  Size: 4224  File Visible: -  Signed: Yes  Status: -
Name: mouclass.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys  Address: 0xF77DF000  Size: 23552  File Visible: -  Signed: Yes  Status: -
Name: mouhid.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys  Address: 0xB9DF8000  Size: 12288  File Visible: -  Signed: Yes  Status: -
Name: MountMgr.sys  Image Path: MountMgr.sys  Address: 0xF7637000  Size: 42240  File Visible: -  Signed: Yes  Status: -
Name: mrxdav.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys  Address: 0xB6E5D000  Size: 181248  File Visible: -  Signed: Yes  Status: -
Name: mrxsmb.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys  Address: 0xB77B6000  Size: 453120  File Visible: -  Signed: Yes  Status: -
Name: Msfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS  Address: 0xF780F000  Size: 19072  File Visible: -  Signed: Yes  Status: -
Name: msgpc.sys  Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys  Address: 0xBA75F000  Size: 35072  File Visible: -  Signed: Yes  Status: -
Name: msmpu401.sys  Image Path: C:\WINDOWS\system32\drivers\msmpu401.sys  Address: 0xF7A99000  Size: 2944  File Visible: -  Signed: Yes  Status: -
Name: mssmbios.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys  Address: 0xBA58D000  Size: 15488  File Visible: -  Signed: Yes  Status: -
Name: Mup.sys  Image Path: Mup.sys  Address: 0xBA643000  Size: 107904  File Visible: -  Signed: Yes  Status: -
Name: NDIS.sys  Image Path: NDIS.sys  Address: 0xBA65E000  Size: 182912  File Visible: -  Signed: Yes  Status: -
Name: ndistapi.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys  Address: 0xBA5B3000  Size: 9600  File Visible: -  Signed: Yes  Status: -
Name: ndisuio.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys  Address: 0xB9C48000  Size: 12928  File Visible: -  Signed: Yes  Status: -
Name: ndiswan.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys  Address: 0xB9CCE000  Size: 91776  File Visible: -  Signed: Yes  Status: -
Name: NDProxy.SYS  Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS  Address: 0xBA73F000  Size: 38016  File Visible: -  Signed: Yes  Status: -
Name: netbios.sys  Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys  Address: 0xF75B6000  Size: 34560  File Visible: -  Signed: Yes  Status: -
Name: netbt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys  Address: 0xB795B000  Size: 162816  File Visible: -  Signed: Yes  Status: -
Name: nic1394.sys  Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys  Address: 0xF76F7000  Size: 61824  File Visible: -  Signed: Yes  Status: -
Name: Npfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS  Address: 0xF7817000  Size: 30848  File Visible: -  Signed: Yes  Status: -
Name: Ntfs.sys  Image Path: Ntfs.sys  Address: 0xBA68B000  Size: 574592  File Visible: -  Signed: Yes  Status: -
Name: ntoskrnl.exe  Image Path: C:\WINDOWS\system32\ntoskrnl.exe  Address: 0x804D7000  Size: 2181632  File Visible: -  Signed: Yes  Status: -
Name: Null.SYS  Image Path: C:\WINDOWS\System32\Drivers\Null.SYS  Address: 0xF7A7E000  Size: 2944  File Visible: -  Signed: Yes  Status: -
Name: nv4_disp.dll  Image Path: C:\WINDOWS\System32\nv4_disp.dll  Address: 0xBF012000  Size: 6189056  File Visible: -  Signed: Yes  Status: -
Name: nv4_mini.sys  Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  Address: 0xB9F57000  Size: 6307328  File Visible: -  Signed: Yes  Status: -
Name: ohci1394.sys  Image Path: ohci1394.sys  Address: 0xF7617000  Size: 61056  File Visible: -  Signed: Yes  Status: -
Name: parport.sys  Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys  Address: 0xB9F0C000  Size: 80384  File Visible: -  Signed: Yes  Status: -
Name: PartMgr.sys  Image Path: PartMgr.sys  Address: 0xF770F000  Size: 18688  File Visible: -  Signed: Yes  Status: -
Name: ParVdm.SYS  Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS  Address: 0xF79D9000  Size: 7040  File Visible: -  Signed: Yes  Status: -
Name: PCANDIS5.SYS  Image Path: C:\WINDOWS\system32\PCANDIS5.SYS  Address: 0xB5F84000  Size: 14976  File Visible: -  Signed: No  Status: -
Name: pci.sys  Image Path: pci.sys  Address: 0xF7857000  Size: 68224  File Visible: -  Signed: Yes  Status: -
Name: PCI_NTPNP6826  Image Path: \Driver\PCI_NTPNP6826  Address: 0x00000000  Size: 0  File Visible: No  Signed: No  Status: -
Name: PCIIDEX.SYS  Image Path: C:\WINDOWS\System32\Drivers\PCIIDEX.SYS  Address: 0xF7707000  Size: 28672  File Visible: -  Signed: Yes  Status: -
Name: PnpManager  Image Path: \Driver\PnpManager  Address: 0x804D7000  Size: 2181632  File Visible: -  Signed: Yes  Status: -
Name: portcls.sys  Image Path: C:\WINDOWS\system32\drivers\portcls.sys  Address: 0xB9ED7000  Size: 147456  File Visible: -  Signed: Yes  Status: -
Name: psched.sys  Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys  Address: 0xB9CBD000  Size: 69120  File Visible: -  Signed: Yes  Status: -
Name: ptilink.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys  Address: 0xF77CF000  Size: 17792  File Visible: -  Signed: Yes  Status: -
Name: PxHelp20.sys  Image Path: PxHelp20.sys  Address: 0xF7677000  Size: 35648  File Visible: -  Signed: No  Status: -
Name: rasacd.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys  Address: 0xB9DF4000  Size: 8832  File Visible: -  Signed: Yes  Status: -
Name: rasl2tp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys  Address: 0xBA78F000  Size: 51328  File Visible: -  Signed: Yes  Status: -
Name: raspppoe.sys  Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys  Address: 0xBA77F000  Size: 41472  File Visible: -  Signed: Yes  Status: -
Name: raspptp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys  Address: 0xBA76F000  Size: 48384  File Visible: -  Signed: Yes  Status: -
Name: raspti.sys  Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys  Address: 0xF77D7000  Size: 16512  File Visible: -  Signed: Yes  Status: -
Name: RAW  Image Path: \FileSystem\RAW  Address: 0x804D7000  Size: 2181632  File Visible: -  Signed: Yes  Status: -
Name: rdbss.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys  Address: 0xB7825000  Size: 174592  File Visible: -  Signed: Yes  Status: -
Name: RDPCDD.sys  Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys  Address: 0xF79FB000  Size: 4224  File Visible: -  Signed: Yes  Status: -
Name: rdpdr.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys  Address: 0xB9C8C000  Size: 196864  File Visible: -  Signed: Yes  Status: -
Name: redbook.sys  Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys  Address: 0xF7566000  Size: 57600  File Visible: -  Signed: Yes  Status: -
Name: rootrepeal.sys  Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys  Address: 0xB5F30000  Size: 49152  File Visible: No  Signed: No  Status: -
Name: SCSIPORT.SYS  Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS  Address: 0xF7434000  Size: 98304  File Visible: -  Signed: Yes  Status: -
Name: secdrv.sys  Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys  Address: 0xB6E39000  Size: 11200  File Visible: -  Signed: No  Status: -
Name: serenum.sys  Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys  Address: 0xBA5FF000  Size: 15488  File Visible: -  Signed: Yes  Status: -
Name: serial.sys  Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys  Address: 0xB9EFB000  Size: 65920  File Visible: -  Signed: Yes  Status: -
Name: sptd.sys  Image Path: sptd.sys  Address: 0xF744C000  Size: 958464  File Visible: -  Signed: No  Status: -
Name: sr.sys  Image Path: sr.sys  Address: 0xBA7CF000  Size: 73472  File Visible: -  Signed: Yes  Status: -
Name: SSHDRV85.sys  Image Path: C:\WINDOWS\system32\drivers\SSHDRV85.sys  Address: 0xB7A5E000  Size: 307200  File Visible: -  Signed: No  Status: -
Name: ssmdrv.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys  Address: 0xF7727000  Size: 23040  File Visible: -  Signed: Yes  Status: -
Name: swenum.sys  Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys  Address: 0xF79C3000  Size: 4352  File Visible: -  Signed: Yes  Status: -
Name: sysaudio.sys  Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys  Address: 0xB73E7000  Size: 60800  File Visible: -  Signed: Yes  Status: -
Name: tcpip.sys  Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys  Address: 0xB7983000  Size: 359808  File Visible: -  Signed: Yes  Status: -
Name: TDI.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS  Address: 0xF77C7000  Size: 20480  File Visible: -  Signed: Yes  Status: -
Name: termdd.sys  Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys  Address: 0xBA74F000  Size: 40704  File Visible: -  Signed: Yes  Status: -
Name: update.sys  Image Path: C:\WINDOWS\system32\DRIVERS\update.sys  Address: 0xB9C58000  Size: 209408  File Visible: -  Signed: Yes  Status: -
Name: usbccgp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys  Address: 0xF7777000  Size: 31616  File Visible: -  Signed: Yes  Status: -
Name: USBD.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS  Address: 0xF79C9000  Size: 8192  File Visible: -  Signed: Yes  Status: -
Name: usbehci.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys  Address: 0xF7757000  Size: 26624  File Visible: -  Signed: Yes  Status: -
Name: usbhub.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys  Address: 0xBA72F000  Size: 57600  File Visible: -  Signed: Yes  Status: -
Name: USBPORT.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS  Address: 0xB9F20000  Size: 143360  File Visible: -  Signed: Yes  Status: -
Name: usbprint.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys  Address: 0xF7787000  Size: 25856  File Visible: -  Signed: Yes  Status: -
Name: usbscan.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys  Address: 0xB7870000  Size: 15104  File Visible: -  Signed: Yes  Status: -
Name: USBSTOR.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS  Address: 0xF7747000  Size: 26496  File Visible: -  Signed: Yes  Status: -
Name: usbuhci.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys  Address: 0xF774F000  Size: 20480  File Visible: -  Signed: Yes  Status: -
Name: vga.sys  Image Path: C:\WINDOWS\System32\drivers\vga.sys  Address: 0xF7807000  Size: 20992  File Visible: -  Signed: Yes  Status: -
Name: VIDEOPRT.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS  Address: 0xB9F43000  Size: 81920  File Visible: -  Signed: Yes  Status: -
Name: VolSnap.sys  Image Path: VolSnap.sys  Address: 0xF7647000  Size: 53760  File Visible: -  Signed: Yes  Status: -
Name: wanarp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys  Address: 0xF76D7000  Size: 34560  File Visible: -  Signed: Yes  Status: -
Name: watchdog.sys  Image Path: C:\WINDOWS\System32\watchdog.sys  Address: 0xF778F000  Size: 20480  File Visible: -  Signed: Yes  Status: -
Name: wdmaud.sys  Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys  Address: 0xB70BA000  Size: 82944  File Visible: -  Signed: Yes  Status: -
Name: Win32k  Image Path: \Driver\Win32k  Address: 0xBF800000  Size: 1843200  File Visible: -  Signed: Yes  Status: -
Name: win32k.sys  Image Path: C:\WINDOWS\System32\win32k.sys  Address: 0xBF800000  Size: 1843200  File Visible: -  Signed: Yes  Status: -
Name: WMILIB.SYS  Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS  Address: 0xF7989000  Size: 8192  File Visible: -  Signed: Yes  Status: -
Name: WMIxWDM  Image Path: \Driver\WMIxWDM  Address: 0x804D7000  Size: 2181632  File Visible: -  Signed: Yes  Status: -
Name: ws2ifsl.sys  Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys  Address: 0xBA5E3000  Size: 12032  File Visible: -  Signed: Yes  Status: -
Stealth Objects:
Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/01 17:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]  Process: System  Address: 0x89b9d1e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]  Process: System  Address: 0x89918180  Size: 11
Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]  Process: System  Address: 0x896371e8  Size: 121
Object: Hidden
Code [Driver: Fastfat, IRP_MJ_SHUTDOWN] Process: System Address: 0x896371e8 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x896371e8 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP] Process: System Address: 0x896371e8 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP] Process: System Address: 0x896371e8 Size: 121 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_CREATE] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_CLOSE] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_READ] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_WRITE] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SET_INFORMATION] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_QUERY_EA] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SET_EA] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_DEVICE_CONTROL] Process: System Address: 
0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SHUTDOWN] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_CLEANUP] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SET_SECURITY] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_POWER] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_SET_QUOTA] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: a2z6qbkw扨湩က, IRP_MJ_PNP] Process: System Address: 0x899eef00 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_READ] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x89920c70 
Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_POWER] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code 
[Driver: atapi, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: atapi, IRP_MJ_PNP] Process: System Address: 0x89920c70 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System 
Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x899faf00 Size: 99 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: USBSTOR, 
IRP_MJ_PNP] Process: System Address: 0x89934790 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x89b9f1e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x89a13790 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: 
Ftdisk, IRP_MJ_READ] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x89c0c1e8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x89943790 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x89943790 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89943790 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89943790 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x89943790 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x89943790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x89949790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x89949790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89949790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 
0x89949790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x89949790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89949790 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x89949790 Size: 121 Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ] Process: System Address: 0x8979ab98 Size: 11 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x89a26e30 Size: 11 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x897461e8 Size: 121 Object: 
Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x897461e8 Size: 121 Object: Hidden Code [Driver: NpfsЅఐ偶瑲, IRP_MJ_READ] Process: System Address: 0x899f5280 Size: 11 Object: Hidden Code [Driver: MsfsЅఐ卆浩, IRP_MJ_READ] Process: System Address: 0x89a35568 Size: 11 Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ] Process: System Address: 0x89b66188 Size: 11 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_CREATE] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_CLOSE] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_READ] Process: System Address: 0x89a03348 Size: 11 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, 
IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_SHUTDOWN] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_CLEANUP] Process: System Address: 0x8991a698 Size: 121 Object: Hidden Code [Driver: CdfsЅ扏煓̸掀Ђఄ灐†LVMV, IRP_MJ_PNP] Process: System Address: 0x8991a698 Size: 121

MBAM found 6 infected files:
Code:
Malwarebytes' Anti-Malware 1.43
Datenbank Version: 3468
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

01.01.2010 17:15:07
mbam-log-2010-01-01 (17-15-07).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|J:\|)
Durchsuchte Objekte: 171877
Laufzeit: 41 minute(s), 3 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\LEO0WTUNO7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\J8RPLTROBQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\j8rpltrobq (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\b.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\c.exe (Trojan.Dropper) -> Delete on reboot.

Then ran it again:
Code:
Malwarebytes' Anti-Malware 1.43
Datenbank Version: 3468
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

01.01.2010 18:03:23
mbam-log-2010-01-01 (18-03-23).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|J:\|)
Durchsuchte Objekte: 171874
Laufzeit: 43 minute(s), 47 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

HiJackThis:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:02, on 01.01.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\Communications_Helper.exe
C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe
C:\Programme\Tools\Player\Quicktime\QTTask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\ICQ6.5\ICQ.exe
C:\Programme\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Programme\iPod\bin\iPodService.exe
E:\Downloads\Antivirus_kram\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.sat1.de/index.php?icqpath=icq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Hilfsobjekt für Encarta Web-Begleiter - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Encarta Web-Begleiter - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\Tools\Player\Quicktime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\Tools\Internet\Messenger\icq\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Suchleiste - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Tools\Internet\Messenger\icq\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Tools\Internet\Messenger\icq\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7435 bytes

Filelist:
Code:
----- Root -----------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA

Verzeichnis von C:\

01.01.2010 18:07 43 filelist.txt
01.01.2010 17:16 2.147.061.760 hiberfil.sys
01.01.2010 17:16 805.306.368 pagefile.sys
29.12.2009 13:24 4.229 filelist1.txt
26.12.2009 13:08 0 khw

----- Windows --------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA

Verzeichnis von C:\WINDOWS

01.01.2010 17:17 0 0.log
01.01.2010 17:16 159 wiadebug.log
01.01.2010 17:16 313 wiaservc.log
01.01.2010 17:16 2.048 bootstat.dat
01.01.2010 17:15 78 WindowsUpdate.log
29.11.2009 13:24 116 NeroDigital.ini
27.11.2009 15:43 526 eReg.dat
13.11.2009 19:23 24 SELINGUA.INI
30.08.2009 10:05 169 RtlRack.ini

----- System 32 (Attention: mind the time window!) ---
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA

Verzeichnis von C:\WINDOWS\system32

01.01.2010 17:16 204.100 nvapps.xml
01.01.2010 13:23 2.206 wpa.dbl
26.12.2009 13:07 (1.579) autorun.i
26.12.2009 13:07 (833) autorun.in
19.12.2009 11:46 12.524 KGyGaAvL.sys
29.10.2009 18:14 392.296 perfh009.dat
29.10.2009 18:14 58.596 perfc009.dat
29.10.2009 18:14 405.118 perfh007.dat
29.10.2009 18:14 70.580 perfc007.dat
29.10.2009 18:14 938.224 PerfStringBackup.INI

----- Windows/Temp -----------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA

Verzeichnis von C:\WINDOWS\Temp

14.11.2009 22:52 7.168 etilqs_faNciDRYIZjbHVXABWw9
14.11.2009 22:52 1.028 etilqs_R3RphEOkT7tm0VLwLPfm
14.11.2009 22:52 512 etilqs_qa9sclhamg2f6L0mCjuQ

----- Temp -----------------------------
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 78A6-D7DA

Verzeichnis von C:\DOKUME~1\***\LOKALE~1\Temp

01.01.2010 17:17 0 JET20B2.tmp
01.01.2010 17:17 17.926 LVCOMSX.LOG
01.01.2010 16:17 311.296 ~DFD48B.tmp
31.12.2009 13:39 68.096 mtawws2v.ppt
30.12.2009 16:43 70.656 4-2_-_Straftaten_gegen_die_pers__nliche_Freiheit.ppt
29.12.2009 15:27 416 java_install_reg.log
29.12.2009 13:19 549 t853zogh.zip
26.12.2009 19:27 39.532 a.dat
26.12.2009 16:51 311.296 ~DF9098.tmp
25.12.2009 17:50 16.384 ~DF1AA0.tmp
25.12.2009 17:49 16.384 ~DF5F3F.tmp
11.12.2009 10:00 1.166.464 55b8nihn.rar
27.11.2009 16:07 24.516 SIntfNT.dll
27.11.2009 16:07 19.924 SIntf32.dll
27.11.2009 16:07 12.067 SIntf16.dll
15.11.2009 14:52 36.526.028 ubi54.tmp.exe
15.11.2009 14:08 36.864 CmdLineExt02.dll
14.11.2009 10:23 212.992 3_-_Straftaten_gegen_die_k__rperliche_Unversehrtheit.ppt
01.11.2009 13:47 288.768 1_-_Einleitung__Straftaten_gegen_das_Leben.ppt
30.10.2009 16:11 1.734.274 newn46rn.rar
19.10.2009 10:56 1.392.805 LastScan.jpg
08.10.2009 22:35 100.293 coredmp
05.10.2009 16:18 252 r2h68.tmp
05.10.2009 12:03 27.648 18-taeterschaft04.doc
24.08.2009 12:07 39.424 at10910 Folien 040609.doc
26.07.2009 09:04 358.912 e62iavbc.rar
23.07.2009 14:35 16.825.216 718631~1.exe
10.07.2009 14:09 823 {AC76BA86-7AD7-1031-7B44-A81300000003}.ini
12.06.2009 07:54 2.196.934 g0rtfkqy.exe
05.06.2009 14:26 167.936 schuldrecht.ppt
05.06.2009 12:55 26.112 Hinweise zum Gutachten-und Urteilsstil.doc
05.06.2009 12:52 22.528 Fall Kopierpapier.doc

Last edited by kall9r (01.01.2010 at 18:15)
02.01.2010, 06:54 | #7
/// Helper team

hi

1. Download SDFix by AndyManchesta from one of the following links: bleepingcomputer.com andymanchesta.com

- When the desktop icons are back, the script will open a window and save the result as Report.txt in the SDFix folder. Copy the content of this Report.txt and post it!

2. Close all programs including Internet Explorer and fix the entries from the code box below with HijackThis (start HijackThis → "Do a system scan only" → select the entries → tick the boxes → click "Fix checked" → restart the PC). HijackThis creates a backup; if something goes wrong while fixing, the objects can be restored under "View the list of backups".

Code:
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe

3. Close all applications → please empty the folders for temporary files
**The Temp folder is for temporary files, so its content can be deleted without concern. Files that are still in use cannot be deleted.
**Delete only the content of the folders, not the folders themselves!

4. Clean your system with CCleaner:

5. - Download RSIT - http://filepony.de/download-rsit/ - to a location of your choice and run rsit.exe
- "Hijackthis" will also be installed and run by RSIT
- RSIT creates 2 logfiles (C:\rsit\log.txt and C:\rsit\info.txt) with extended information about your system - please post both of them here in full
**You can save the log as a text file and attach it here (click "Advanced")
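How a helper arrives at a fix list like the one in the post above from a HijackThis log: the following Python script is an added example by the editor, not a tool from the thread and not part of HijackThis. The triage heuristics (orphaned targets, the Windows 9x-only RunServices key, names that imitate Windows system processes, unknown Winsock LSPs, services with an unverified owner) are the editor's own; the sample lines are copied from the HijackThis log posted earlier in the thread and embedded here as a constructed test input.

```python
"""Triage a HijackThis log into fix / review / ok buckets.

Added example, not from the thread or from HijackThis itself; the heuristics
below are the editor's. SAMPLE_LOG is a constructed input made of lines taken
from the log posted in this thread.
"""
import re

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent
O10 - Unknown file in Winsock LSP: bmnet.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
"""

# "O4 - <body>": section code, then the body. Same shape for R3, O3, O10, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry autostarts: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Names malware likes to imitate by a one- or two-letter change (csrcs ~ csrss).
SYSTEM_NAMES = ("csrss", "smss", "svchost", "lsass", "winlogon", "services", "explorer")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(cmd):
    """File name (lower-cased) of the program an O4 command line starts."""
    cmd = cmd.strip()
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return {"fix": [...], "review": [...], "ok": [...]} of (section, body, reason)."""
    findings = {"fix": [], "review": [], "ok": []}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        verdict, reasons = "ok", []
        if "(no file)" in body or "(file missing)" in body:
            # Orphaned hook: its target is gone, removing the entry is safe.
            verdict, reasons = "fix", ["orphaned entry, its target no longer exists"]
        elif section == "O4" and O4_RE.match(body):
            o4 = O4_RE.match(body)
            if o4.group("key") == "RunServices":
                reasons.append("RunServices is a Windows 9x-era key, nothing legitimate on XP uses it")
            stem = basename(o4.group("cmd")).rsplit(".", 1)[0]
            # Exact system names pass (path legitimacy is a separate check);
            # near misses such as csrcs/csrss are the classic disguise.
            if stem not in SYSTEM_NAMES and any(edit_distance(stem, s) <= 2 for s in SYSTEM_NAMES):
                reasons.append(f"'{stem}' mimics a Windows process name")
            if reasons:
                verdict = "fix"
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            # Never fix an LSP with HijackThis on a hunch: a broken LSP chain kills networking.
            verdict, reasons = "review", ["LSP entry: identify the vendor first, removal can break Winsock"]
        elif section == "O23" and " - Unknown owner - " in body:
            verdict, reasons = "review", ["service binary without a verified publisher"]
        findings[verdict].append((section, body, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ==")
        for section, body, reason in items:
            print(f"{section} - {body}\n    {reason}")
```

The three O10 bmnet.dll entries from the posted log land in review rather than fix on purpose: the helper left them alone, and the O23 list shows a Bytemobile service (bmwebcfg) that plausibly owns that LSP. Removing a chained LSP with HijackThis can leave Winsock unusable, so LSP repair belongs to a tool made for it, not to "Fix checked".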
02.01.2010, 20:52 | #8
SDFix:
Code:
SDFix: Version 1.240
Run by *** on 02.01.2010 at 20:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\ubi54.tmp.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 20:39:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:be254b73
"s2"=dword:7994e65d
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\Tools\Brennen\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:b8,93,f0,9c,ca,eb,cb,62,7f,7d,7b,43,95,23,a9,d7,ec,e8,3f,28,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,26,15,aa,89,88,fa,a1,e0,4b,30,23,0c,17,0d,ac,6e,..
"khjeh"=hex:61,4a,d5,93,43,53,e4,45,f3,d7,fa,94,09,34,d1,ea,2d,9f,66,a6,e2,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:43,04,3b,d8,79,39,ef,9a,4e,ba,ee,59,af,ad,64,06,96,56,ef,82,4f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\Tools\Brennen\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:b8,93,f0,9c,ca,eb,cb,62,7f,7d,7b,43,95,23,a9,d7,ec,e8,3f,28,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,68,26,15,aa,89,88,fa,a1,e0,4b,30,23,0c,17,0d,ac,6e,..
"khjeh"=hex:61,4a,d5,93,43,53,e4,45,f3,d7,fa,94,09,34,d1,ea,2d,9f,66,a6,e2,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:43,04,3b,d8,79,39,ef,9a,4e,ba,ee,59,af,ad,64,06,96,56,ef,82,4f,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120% (Trial Version)"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Tools\\Internet\\Messenger\\icq\\ICQLite\\ICQLite.exe"="C:\\Programme\\Tools\\Internet\\Messenger\\icq\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"E:\\Azureus\\Azureus\\Azureus.exe"="E:\\Azureus\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\lxcgcoms.exe"="C:\\WINDOWS\\system32\\lxcgcoms.exe:*:Enabled:2300 Series"
"D:\\Spiele\\Siedler 6\\Play Settlers 6.exe"="D:\\Spiele\\Siedler 6\\Play Settlers 6.exe:*:Disabled:Play THE SETTLERS - Rise of an Empire"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programme\\Ascaron Entertainment\\Sacred 2 - Demo\\system\\s2gs.exe"="C:\\Programme\\Ascaron Entertainment\\Sacred 2 - Demo\\system\\s2gs.exe:*:Enabled:Sacred 2 Game Server"
"C:\\Programme\\Ascaron Entertainment\\Sacred 2 - Demo\\system\\sacred2.exe"="C:\\Programme\\Ascaron Entertainment\\Sacred 2 - Demo\\system\\sacred2.exe:*:Enabled:Sacred 2"
"C:\\Programme\\Bonjour\\mDNSResponder.exe"="C:\\Programme\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe:*:Disabled:Veoh Client"
"C:\\Programme\\Zattoo\\zattood.exe"="C:\\Programme\\Zattoo\\zattood.exe:*:Disabled:zattood"
"C:\\Programme\\DAP\\DAP.exe"="C:\\Programme\\DAP\\DAP.exe:*:Disabled:Download Accelerator Plus (DAP)"
"C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Disabled:µTorrent"
"C:\\Programme\\Ascaron Entertainment\\Sacred Underworld\\Sacred.exe"="C:\\Programme\\Ascaron Entertainment\\Sacred Underworld\\Sacred.exe:*:Enabled:Sacred"
"C:\\Programme\\ICQ6.5\\ICQ.exe"="C:\\Programme\\ICQ6.5\\ICQ.exe:*:Enabled:ICQ6"
"E:\\Downloads\\sft-loader\\leecher.exe"="E:\\Downloads\\sft-loader\\leecher.exe:*:Enabled:SFT Loader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 3 Jan 2007 56 ..SHR --- "C:\WINDOWS\system32\BE7CFECCF9.sys"
Sat 19 Dec 2009 12,524 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 18 Feb 2005 38,912 A..H. --- "C:\Dokumente und Einstellungen\***\Eigene Dateien\Schriften\~WRL1005.tmp"
Fri 18 Feb 2005 22,528 A..H. --- "C:\Dokumente und Einstellungen\***\Eigene Dateien\Schriften\~WRL2999.tmp"
Fri 18 Feb 2005 19,968 A..H. --- "C:\Dokumente und Einstellungen\***\Eigene Dateien\Schriften\~WRL3808.tmp"
Fri 18 Feb 2005 38,912 A..H. --- "C:\Dokumente und Einstellungen\***\Eigene Dateien\Schriften\~WRL3943.tmp"
Sat 2 Jan 2010 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3118e39ffffb244560638e7e221e1956\BIT4.tmp"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Dokumente und Einstellungen\***\Anwendungsdaten\U3\temp\Launchpad Removal.exe"

Finished!
02.01.2010, 21:11 | #9
I followed the instructions, fixed the 3 entries with HijackThis and then ran the actions in CCleaner. And here are the two logs from RSIT
05.01.2010, 02:31 | #10
/// Helper team

hi

1. You can remove the programs we used and that you don't need, except for:

Code:
HijackThis/Trend Micro
hjtscanlist
CCleaner

2. - Please connect storage media such as external hard drives/USB sticks etc.
- But hold down the Shift key while plugging in the stick! This disables the autostart of the drive.
- Download Combofix from one of the following download mirrors: BleepingComputer - ForoSpyware
- Important!: it must be saved to the desktop!
- Please disable antivirus and other protection/anti-spyware programs
- Connect every external drive (USB stick and USB hard drive etc.) to your computer - while doing so, hold the Shift key!
- Start ComboFix.exe with a double click and follow the instructions
- If the Microsoft Windows Recovery Console is not installed on your computer and you are asked directly to allow it, agree to the licence agreement. A confirmation window appears afterwards; otherwise ComboFix will continue its work
- confirm with "yes" so that the scan can begin automatically
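Holding Shift while plugging in the stick, as advised above, only suppresses the AutoRun prompt for that one insertion; it changes nothing about what an autorun.inf on the stick tells Explorer to do afterwards. The following Python script is an added example by the editor, not from the thread or from any tool mentioned in it: it parses an autorun.inf the way a helper would look at one before browsing the stick, lists the commands the file would launch and names the disguise tricks it uses. Both sample files are constructed for this example; the paths, SID and payload name in them are invented, and the check list is the editor's own.

```python
"""Parse an autorun.inf and report what it would launch and how it disguises itself.

Added example, not from the thread; both INF samples below are constructed
(invented paths, SID and payload name) and the checks are the editor's.
"""

# Folders a removable-drive worm typically hides its payload in.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
# Text Explorer itself shows for a plain data drive; a worm copies it so the
# malicious AutoPlay entry looks like the built-in one.
EXPLORER_ACTIONS = ("open folder to view files",)

BENIGN_INF = r"""
[autorun]
icon=setup.ico
label=Printer driver CD
open=setup.exe
"""

WORMLIKE_INF = r"""
[AuToRuN]
xj8d2kq
open=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1000\payload.exe
shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1000\payload.exe
shell\explore\Command=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1000\payload.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Tolerant parse of the [autorun] section.

    Section and key names are matched case-insensitively and lines without
    '=' are ignored, because the Windows parser is forgiving and worms rely
    on that (mixed-case section names, junk lines) to dodge naive scanners.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_commands(entries):
    """Every key that makes Explorer run something: open, shellexecute, shell\<verb>\command."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess(text):
    """Return the parsed entries, the commands they launch and a list of red flags."""
    entries = parse_autorun(text)
    commands = launched_commands(entries)
    flags = []
    if commands:
        flags.append("executes code")
    if any(any(d in v.lower() for d in HIDDEN_DIRS) for _, v in commands):
        flags.append("payload lives in a folder Explorer normally hides")
    if "shell\\explore\\command" in entries:
        flags.append("Explore verb hijacked: right-click > Explore runs the payload")
    if "shell" in entries:
        flags.append(f"default verb remapped to '{entries['shell']}': double-clicking the drive runs the payload")
    if entries.get("action", "").lower() in EXPLORER_ACTIONS:
        flags.append("action text mimics Explorer's own 'Open folder to view files' entry")
    if "shell32.dll" in entries.get("icon", "").lower():
        flags.append("icon borrowed from shell32.dll to pass as a built-in folder/drive")
    return {"entries": entries, "commands": commands, "flags": flags}


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm-like", WORMLIKE_INF)):
        result = assess(inf)
        print(f"== {name}: {len(result['commands'])} command(s) ==")
        for key, cmd in result["commands"]:
            print(f"  {key} -> {cmd}")
        for flag in result["flags"]:
            print(f"  ! {flag}")
```

The benign driver CD also "executes code" (every autorun.inf with an open= line does), so the single flag is not a verdict; what separates the second file is the stack of disguise tricks on top of it. Look at the file from a command prompt (type X:\autorun.inf) rather than by browsing the drive in Explorer, because the drive's double-click and Explore actions are exactly what the file rewrites. The durable control on XP is the NoDriveTypeAutoRun policy (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, REG_DWORD 0xFF), not the Shift key.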
14.01.2010, 12:59 | #11
Hello everyone! I'm new here and seem to have caught the same problem. 1.: I have Vista and wanted to ask whether I should follow the same steps as the thread starter here? 2.: When you write that all programs have to be closed during a scan, do you also mean the programs running in the background (the ones I find in Task Manager under "Processes")? 3.: I'm not very good with technical terms (and that probably can't be fixed quickly) Many thanks and best regards, Lukcy
14.01.2010, 16:31 | #12
/// Helper team

@Lukcy General forum rules: open a new thread! So please don't post into other users' threads; pick the right subforum for your question, choose "New Thread" there and describe your problem as briefly and in as much detail as possible. regards Cf