Trojaner-Board, Pests of all kinds and how to fight them: Windows freezes, Firefox opens windows at random (in Flensburg)


05.08.2010, 21:47   #31
SchmerlenOtt

So, now it scanned again and then hung at "\bxipptp".
Mouse stops, Windows stops!
SHIFT-ALT-DEL doesn't work
Doing: power button held until OFF...

05.08.2010, 21:59   #32
SchmerlenOtt

I'll keep it short now, but please don't take it as rude:
Restarted and, to the best of my knowledge, closed all programs (also via SHIFT-ALT-DEL)
GMER 1.0.15.15281 is scanning.
I need to eat something first, with all this stress.
See you later!
Gerhard "Schmerlenotto"

06.08.2010, 07:49   #33
SchmerlenOtt

So, GMER has now run the scan overnight. Because of its length the log comes in three parts (also uploaded as three .txt files):

GMER Part 1:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-06 06:19:44
Windows 5.1.2600 Service Pack 3
Running: u4jf7786.exe; Driver: C:\DOKUME~1\GERHAR~1\LOKALE~1\Temp\pxlyypow.sys


---- System - GMER 1.0.15 ----

SSDT spjb.sys ZwCreateKey [0xB9EA80E0]
SSDT spjb.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spjb.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spjb.sys ZwOpenKey [0xB9EA80C0]
SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA3426C90]
SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xA3426D7E]
SSDT spjb.sys ZwQueryKey [0xB9EC7108]
SSDT spjb.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spjb.sys ZwSetValueKey [0xB9EC719A]
SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xA3426BF4]
SSDT \??\C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateThread [0xA3426EC4]

INT 0x74 ? 8A8F0BF8
INT 0x83 ? 8A8F0BF8
INT 0x94 ? 8A8FEBF8
INT 0x94 ? 8A8FEBF8
INT 0x94 ? 8A8FEBF8
INT 0x94 ? 8A8FEBF8
INT 0x94 ? 8A8F0BF8
INT 0x94 ? 8A8FEBF8
INT 0xB4 ? 8A8FEBF8
INT 0xB4 ? 8A8FEBF8
INT 0xB4 ? 8A8F0BF8
INT 0xB4 ? 8A8F0BF8
INT 0xB4 ? 8A8FEBF8

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtSetInformationThread + 138 805CC200 23 Bytes [EC, 8B, 00, 8B, 00, 89, 45, ...]
PAGE ntkrnlpa.exe!NtSetInformationThread + 150 805CC218 2 Bytes [85, 9D]
PAGE ntkrnlpa.exe!NtSetInformationThread + 155 805CC21D 5 Bytes [C7, 45, FC, 03, 00]
PAGE ntkrnlpa.exe!NtSetInformationThread + 15B 805CC223 42 Bytes [00, 8A, 06, 88, 45, A0, 89, ...]
PAGE ntkrnlpa.exe!NtSetInformationThread + 186 805CC24E 22 Bytes [75, A0, FF, 75, CC, E8, 8C, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 1 805CC94F 96 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 62 805CC9B0 8 Bytes [48, 28, 89, 0D, 04, 4C, 56, ...]
PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 6B 805CC9B9 8 Bytes [48, 2C, 89, 0D, 08, 4C, 56, ...] {DEC EAX; SUB AL, 0x89; OR EAX, 0x80564c08}
PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 74 805CC9C2 33 Bytes [48, 30, 89, 0D, 14, 4C, 56, ...]
PAGE ntkrnlpa.exe!PsEstablishWin32Callouts + 96 805CC9E4 77 Bytes [5D, C2, 04, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + 44 805CCA32 45 Bytes [00, 74, 11, 8B, 80, D0, 00, ...]
PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + 72 805CCA60 64 Bytes CALL 805AFF63 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + B3 805CCAA1 33 Bytes [0A, B8, 22, 00, 00, C0, E9, ...]
PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + D5 805CCAC3 20 Bytes [46, 44, 89, 45, E0, 38, 9E, ...]
PAGE ntkrnlpa.exe!PsSetProcessPriorityByClass + EA 805CCAD8 45 Bytes CALL 80510C49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!NtQueryInformationProcess + 6B 805CCFB9 178 Bytes [FC, FF, 8B, 85, 28, FF, FF, ...]
PAGE ntkrnlpa.exe!NtQueryInformationProcess + 11E 805CD06C 33 Bytes [00, 8B, 45, E0, 89, 06, E9, ...]
PAGE ntkrnlpa.exe!NtQueryInformationProcess + 140 805CD08E 32 Bytes JMP 805CD46C \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!NtQueryInformationProcess + 162 805CD0B0 10 Bytes CALL 805BB47F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!NtQueryInformationProcess + 16D 805CD0BB 10 Bytes [8C, 3A, 0D, 00, 00, 8B, 3D, ...]
PAGE ...
PAGE ntkrnlpa.exe!NtSetInformationProcess + 57 805CDE9B 3 Bytes CALL 80614099 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!NtSetInformationProcess + 5B 805CDE9F 4 Bytes [8D, 04, 1F, 3B]
PAGE ntkrnlpa.exe!NtSetInformationProcess + 60 805CDEA4 13 Bytes [72, 08, 3B, 05, 34, 21, 56, ...]
PAGE ntkrnlpa.exe!NtSetInformationProcess + 6E 805CDEB2 30 Bytes [00, 83, 4D, FC, FF, 8B, 45, ...]
PAGE ntkrnlpa.exe!NtSetInformationProcess + 8D 805CDED1 91 Bytes CALL 80592C59 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!PsDereferenceImpersonationToken + 71 805CED39 59 Bytes [75, 0C, 33, C0, 38, 46, 24, ...]
PAGE ntkrnlpa.exe!PsReferencePrimaryToken + D 805CED75 26 Bytes [00, 00, 00, 8B, CB, E8, 9F, ...]
PAGE ntkrnlpa.exe!PsReferencePrimaryToken + 28 805CED90 44 Bytes [8F, D4, 00, 00, 00, 83, C6, ...]
PAGE ntkrnlpa.exe!PsReferencePrimaryToken + 55 805CEDBD 226 Bytes [89, 45, 08, 8D, 51, FC, 8B, ...]
PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + A2 805CEEA0 28 Bytes [13, 8D, 47, 34, 39, 00, 74, ...]
PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + BF 805CEEBD 20 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + D4 805CEED2 28 Bytes [00, 08, 8B, 87, 20, 02, 00, ...]
PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + F3 805CEEF1 105 Bytes [8D, B7, 38, 02, 00, 00, 8B, ...]
PAGE ntkrnlpa.exe!PsReferenceImpersonationToken + 15D 805CEF5B 71 Bytes [FF, 83, D4, 00, 00, 00, 0F, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsImpersonateClient + 2B 805CF0D5 16 Bytes [8D, B3, 48, 02, 00, 00, F6, ...]
PAGE ntkrnlpa.exe!PsImpersonateClient + 3C 805CF0E6 5 Bytes [00, 64, A1, 24, 01]
PAGE ntkrnlpa.exe!PsImpersonateClient + 42 805CF0EC 71 Bytes [00, 8B, F8, FF, 8F, D4, 00, ...]
PAGE ntkrnlpa.exe!PsImpersonateClient + 8A 805CF134 30 Bytes CALL 8060C54F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsImpersonateClient + A9 805CF153 22 Bytes JMP 805CF345 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!PsDisableImpersonation + 68 805CF3D4 25 Bytes [8B, 43, 08, 89, 47, 08, 8A, ...]
PAGE ntkrnlpa.exe!PsDisableImpersonation + 82 805CF3EE 22 Bytes [FC, 8B, 4D, 0C, 6A, 02, 33, ...]
PAGE ntkrnlpa.exe!PsDisableImpersonation + 99 805CF405 145 Bytes [FF, 86, D4, 00, 00, 00, 75, ...]
PAGE ntkrnlpa.exe!PsRevertToSelf + 1F 805CF497 56 Bytes [0F, B1, 0F, 85, C0, 74, 07, ...]
PAGE ntkrnlpa.exe!PsRevertToSelf + 58 805CF4D0 19 Bytes CALL 8060C550 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsRevertToSelf + 6C 805CF4E4 7 Bytes [74, 0C, B1, 01, C6, 46, 49]
PAGE ntkrnlpa.exe!PsRevertToSelf + 74 805CF4EC 53 Bytes [FF, 15, 0C, 81, 4D, 80, 85, ...]
PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 1A 805CF522 82 Bytes [00, 00, 8B, F8, FF, 8F, D4, ...]
PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 6D 805CF575 2 Bytes [87, D4] {XCHG ESP, EDX}
PAGE ntkrnlpa.exe!PsRevertThreadToSelf + 71 805CF579 53 Bytes [00, 75, 13, 8D, 47, 34, 39, ...]
PAGE ntkrnlpa.exe!PsRevertThreadToSelf + A7 805CF5AF 73 Bytes [08, 85, F6, 74, 3C, 57, 56, ...]
PAGE ntkrnlpa.exe!PsRevertThreadToSelf + F1 805CF5F9 12 Bytes CALL 805C5DF4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 4A 805CF75A 3 Bytes CALL 805BB483 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 4E 805CF75E 35 Bytes [3B, C3, 0F, 8C, D0, 00, 00, ...]
PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 72 805CF782 1 Byte [00]
PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 72 805CF782 8 Bytes [00, 00, 00, 56, E8, A3, 8A, ...]
PAGE ntkrnlpa.exe!PsAssignImpersonationToken + 7B 805CF78B 22 Bytes [50, 53, 53, 56, 8B, 7D, 08, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 1A 805CFC34 74 Bytes [8B, F0, 85, F6, 74, 1F, 56, ...]
PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 65 805CFC7F 49 Bytes [49, D0, 03, 00, 56, E8, 2B, ...]
PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + 97 805CFCB1 14 Bytes [84, C0, 75, 1F, 83, C3, 04, ...]
PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + A6 805CFCC0 9 Bytes [BF, 0D, 00, 00, C0, 56, E8, ...]
PAGE ntkrnlpa.exe!PsSetCreateProcessNotifyRoutine + B0 805CFCCA 16 Bytes [00, 8B, C7, 5F, 5E, 5B, 5D, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 12 805CFCFC 20 Bytes [8B, D8, 3B, DF, 75, 07, B8, ...]
PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 27 805CFD11 23 Bytes CALL 8060CAFC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsSetCreateThreadNotifyRoutine + 3F 805CFD29 38 Bytes [CB, 02, 02, 00, B8, 9A, 00, ...]
PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 2 805CFD50 34 Bytes [55, 8B, EC, 53, 56, 57, 33, ...]
PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 25 805CFD73 9 Bytes [0D, 56, 6A, 00, 57, E8, 81, ...]
PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + 2F 805CFD7D 116 Bytes [84, C0, 75, 1C, 56, 57, E8, ...]
PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + A4 805CFDF2 18 Bytes [F6, 86, 48, 02, 00, 00, 03, ...]
PAGE ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine + B7 805CFE05 92 Bytes [08, 74, 04, C6, 45, E7, 01, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 4 805CFF92 34 Bytes [EC, 53, 57, 33, FF, 57, FF, ...]
PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 27 805CFFB5 6 Bytes [53, 56, E8, 42, CB, 03]
PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 2E 805CFFBC 1 Byte [84]
PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 2E 805CFFBC 32 Bytes [84, C0, 75, 1D, 83, C7, 04, ...]
PAGE ntkrnlpa.exe!PsSetLoadImageNotifyRoutine + 4F 805CFFDD 49 Bytes [33, C9, B8, C8, 39, 56, 80, ...]
PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 15 805D000F 43 Bytes [8B, F0, 85, F6, 74, 1F, 56, ...]
PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 41 805D003B 18 Bytes [72, CC, B8, 7A, 00, 00, C0, ...]
PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 54 805D004E 53 Bytes [83, C9, FF, F0, 0F, C1, 08, ...]
PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + 8A 805D0084 28 Bytes [74, 38, 53, 56, 57, 6A, 08, ...]
PAGE ntkrnlpa.exe!PsRemoveLoadImageNotifyRoutine + A7 805D00A1 38 Bytes [03, 00, FF, 75, 10, FF, 75, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwCreateThread + C 805D0FDE 25 Bytes [83, 65, FC, 00, 64, A1, 24, ...]
PAGE ntkrnlpa.exe!ZwCreateThread + 26 805D0FF8 16 Bytes [A1, 34, 21, 56, 80, 8B, 4D, ...]
PAGE ntkrnlpa.exe!ZwCreateThread + 38 805D100A 24 Bytes [8B, 01, 89, 01, 8B, 5D, 18, ...]
PAGE ntkrnlpa.exe!ZwCreateThread + 51 805D1023 96 Bytes [00, F6, C3, 03, 74, 05, E8, ...]
PAGE ntkrnlpa.exe!ZwCreateThread + B2 805D1084 52 Bytes [C0, EB, 63, 8B, 5D, 20, 8B, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsCreateSystemThread + 37 805D112F 11 Bytes [CC, CC, CC, CC, CC, 6A, 0C, ...]
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 7 805D113B 88 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 60 805D1194 21 Bytes [75, 20, FF, 75, 1C, FF, 75, ...]
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 76 805D11AA 5 Bytes [FF, EB, 05, B8, 0D]
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 7D 805D11B1 182 Bytes CALL 8053BBDA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwQueueApcThread + 38 805D1268 2 Bytes [45, 08]
PAGE ntkrnlpa.exe!ZwQueueApcThread + 3B 805D126B 95 Bytes [DB, F6, 80, 48, 02, 00, 00, ...]
PAGE ntkrnlpa.exe!ZwQueueApcThread + 9C 805D12CC 11 Bytes [C0, 5F, 8B, 4D, 08, E8, C4, ...]
PAGE ntkrnlpa.exe!ZwQueueApcThread + A8 805D12D8 104 Bytes [C3, 5B, C9, C2, 14, 00, CC, ...]
PAGE ntkrnlpa.exe!PsGetContextThread + 5D 805D1341 16 Bytes [8B, 95, C8, FC, FF, FF, A1, ...]
PAGE ntkrnlpa.exe!PsGetContextThread + 6E 805D1352 36 Bytes [8B, 0A, 89, 8D, B0, FC, FF, ...]
PAGE ntkrnlpa.exe!PsGetContextThread + 93 805D1377 116 Bytes [CC, 00, 00, 00, 83, 4D, FC, ...]
PAGE ntkrnlpa.exe!PsGetContextThread + 108 805D13EC 33 Bytes [00, 8A, 8D, CF, FC, FF, FF, ...]
PAGE ntkrnlpa.exe!PsGetContextThread + 12A 805D140E 56 Bytes [FF, 33, C0, 40, C3, 8B, 85, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwGetContextThread + A 805D14EE 27 Bytes [01, 00, 00, 8A, 80, 40, 01, ...]
PAGE ntkrnlpa.exe!ZwGetContextThread + 26 805D150A 173 Bytes CALL 805BB47E \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsSetContextThread + 68 805D15B8 26 Bytes [CA, B8, 20, 00, 01, 00, 23, ...]
PAGE ntkrnlpa.exe!PsSetContextThread + 83 805D15D3 16 Bytes [FF, 8B, F3, 8D, BD, 14, FD, ...]
PAGE ntkrnlpa.exe!PsSetContextThread + 94 805D15E4 43 Bytes [C8, 83, E1, 03, F3, A4, 83, ...]
PAGE ntkrnlpa.exe!PsSetContextThread + C0 805D1610 10 Bytes [89, 85, 0C, FD, FF, FF, 89, ...]
PAGE ntkrnlpa.exe!PsSetContextThread + CB 805D161B 21 Bytes [FF, 8A, 45, 10, 88, 85, 00, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwSetContextThread + 2F 805D1723 24 Bytes [8B, F0, 85, F6, 7C, 2A, 57, ...]
PAGE ntkrnlpa.exe!ZwSetContextThread + 48 805D173C 76 Bytes CALL 805D154F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsGetProcessExitProcessCalled + D 805D1789 59 Bytes CALL DD5E3B90
PAGE ntkrnlpa.exe!PsSetJobUIRestrictionsClass + 11 805D17C5 3 Bytes [5D, C2, 08]
PAGE ntkrnlpa.exe!PsSetJobUIRestrictionsClass + 15 805D17C9 5 Bytes [CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
PAGE ntkrnlpa.exe!PsSetProcessPriorityClass + 1 805D17CF 2 Bytes [FF, 55]
PAGE ntkrnlpa.exe!PsSetProcessPriorityClass + 4 805D17D2 49 Bytes [EC, 8A, 45, 0C, 8B, 4D, 08, ...]
PAGE ntkrnlpa.exe!PsSetThreadWin32Thread + 2 805D1804 82 Bytes [55, 8B, EC, 8B, 45, 0C, 85, ...]
PAGE ntkrnlpa.exe!PsSetProcessSecurityPort + 9 805D1857 140 Bytes [4D, 08, 89, 81, 98, 01, 00, ...]
PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 2 805D18E4 16 Bytes [55, 8B, EC, 51, 83, 65, FC, ...]
PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 13 805D18F5 70 Bytes [8B, 7D, 08, 8B, F0, FF, 8E, ...]
PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 5A 805D193C 12 Bytes [C0, EB, 19, 81, C7, 30, 01, ...]
PAGE ntkrnlpa.exe!PsSetProcessWin32Process + 67 805D1949 62 Bytes [10, 75, 05, 83, 27, 00, EB, ...]
PAGE ntkrnlpa.exe!PsSetProcessWin32Process + A6 805D1988 9 Bytes [8B, 45, FC, 5F, 5E, 5B, C9, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + D 805D19A5 47 Bytes [B8, D0, 00, 00, 00, 5D, C2, ...]
PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 3D 805D19D5 23 Bytes CALL 805D7ABA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 55 805D19ED 3 Bytes CALL 805264CB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 59 805D19F1 238 Bytes CALL 805D78CB \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsSetLegoNotifyRoutine + 148 805D1AE0 34 Bytes [08, 00, 00, 00, 56, E8, E0, ...]
PAGE ...
PAGE ntkrnlpa.exe!PsGetProcessExitTime + 66 805D1F80 6 Bytes [EC, 83, EC, 0C, 83, 4D]
PAGE ntkrnlpa.exe!PsGetProcessExitTime + 6D 805D1F87 31 Bytes [FF, 53, 56, 57, 33, FF, C7, ...]
PAGE ntkrnlpa.exe!PsGetProcessExitTime + 8E 805D1FA8 49 Bytes [74, 11, F6, 86, 48, 02, 00, ...]
PAGE ntkrnlpa.exe!PsGetProcessExitTime + C1 805D1FDB 1 Byte [8D]
PAGE ntkrnlpa.exe!PsGetProcessExitTime + C1 805D1FDB 164 Bytes [8D, 45, F4, 50, 57, 57, 57, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 2 805D273A 142 Bytes [55, 8B, EC, 51, 56, 64, A1, ...]
PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 91 805D27C9 3 Bytes CALL 805D206B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + 95 805D27CD 21 Bytes [5D, C2, 14, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + AB 805D27E3 12 Bytes [FF, 75, 08, 8B, 7D, 0C, 6A, ...]
PAGE ntkrnlpa.exe!ZwRegisterThreadTerminatePort + B8 805D27F0 4 Bytes [68, F8, FF, 5E]
PAGE ...
PAGE ntkrnlpa.exe!ZwTerminateProcess + 2 805D2984 5 Bytes [55, 8B, EC, 83, EC]
PAGE ntkrnlpa.exe!ZwTerminateProcess + 8 805D298A 31 Bytes [53, 56, 57, 64, A1, 24, 01, ...]
PAGE ntkrnlpa.exe!ZwTerminateProcess + 28 805D29AA 30 Bytes [FF, C6, 45, FF, 00, 8A, 87, ...]
PAGE ntkrnlpa.exe!ZwTerminateProcess + 47 805D29C9 20 Bytes CALL 805BB47F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwTerminateProcess + 5C 805D29DE 4 Bytes [8D, 86, 48, 02]
PAGE ...
PAGE ntkrnlpa.exe!ZwTerminateThread + 21 805D2B9D 6 Bytes [01, 75, 43, B8, DB, 00]
PAGE ntkrnlpa.exe!ZwTerminateThread + 28 805D2BA4 62 Bytes [C0, EB, 5B, 83, 7D, 08, FE, ...]
PAGE ntkrnlpa.exe!ZwTerminateThread + 67 805D2BE3 18 Bytes CALL 805D2856 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwTerminateThread + 7A 805D2BF6 1 Byte [FF]
PAGE ntkrnlpa.exe!ZwTerminateThread + 7A 805D2BF6 51 Bytes [FF, 8B, CB, 8B, F8, E8, 9A, ...]
PAGE ntkrnlpa.exe!PsTerminateSystemThread + 1C 805D2C2A 7 Bytes [75, 08, 50, E8, 28, FC, FF]
PAGE ntkrnlpa.exe!PsTerminateSystemThread + 24 805D2C32 20 Bytes [5D, C2, 04, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!PsTerminateSystemThread + 39 805D2C47 96 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!PsTerminateSystemThread + 9A 805D2CA8 60 Bytes [00, 3B, 35, B4, 39, 56, 80, ...]
PAGE ntkrnlpa.exe!PsTerminateSystemThread + D7 805D2CE5 6 Bytes CALL 805264C9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 4B 805D3051 13 Bytes [86, D4, 00, 00, 00, 75, 13, ...]
PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 59 805D305F 16 Bytes [B1, 01, C6, 46, 49, 01, FF, ...]
PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 6A 805D3070 36 Bytes [00, C0, 74, 3F, 80, 3F, 06, ...]
PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 8F 805D3095 11 Bytes [45, 0C, 85, C0, 74, 0D, 8B, ...]
PAGE ntkrnlpa.exe!PsLookupProcessThreadByCid + 9B 805D30A1 57 Bytes CALL 805264C8 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 19 805D30DB 61 Bytes [35, C0, 39, 56, 80, E8, A7, ...]
PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 57 805D3119 4 Bytes [35, C0, 39, 56]
PAGE ntkrnlpa.exe!PsLookupProcessByProcessId + 5C 805D311E 62 Bytes CALL 8060D8A4 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + F 805D315D 1 Byte [08]
PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + F 805D315D 9 Bytes [08, 8B, F0, FF, 8E, D4, 00, ...]
PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 19 805D3167 71 Bytes [35, C0, 39, 56, 80, E8, 1B, ...]
PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 61 805D31AF 5 Bytes [5F, FF, 86, D4, 00]
PAGE ntkrnlpa.exe!PsLookupThreadByThreadId + 68 805D31B6 6 Bytes [75, 13, 8D, 46, 34, 39]
PAGE ...
PAGE ntkrnlpa.exe!ZwSetLdtEntries + B 805D38AF 33 Bytes [CC, CC, CC, CC, CC, 6A, 34, ...]
PAGE ntkrnlpa.exe!ZwSetLdtEntries + 2D 805D38D1 30 Bytes [7D, 0C, 10, 73, 0A, B8, 04, ...]
PAGE ntkrnlpa.exe!ZwSetLdtEntries + 4C 805D38F0 11 Bytes [D8, 89, 5D, D8, 85, DB, 75, ...]
PAGE ntkrnlpa.exe!ZwSetLdtEntries + 58 805D38FC 28 Bytes JMP 805D3B84 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwSetLdtEntries + 75 805D3919 16 Bytes [E1, 03, F3, A4, 83, 4D, FC, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwSuspendThread + 7 805D489B 1 Byte [E8]
PAGE ntkrnlpa.exe!ZwSuspendThread + 7 805D489B 43 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwSuspendThread + 33 805D48C7 147 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...]
PAGE ntkrnlpa.exe!ZwResumeThread + 1 805D495B 5 Bytes [20, 68, 18, AA, 4D] {AND [EAX+0x18], CH; STOSB ; DEC EBP}
PAGE ntkrnlpa.exe!ZwResumeThread + 7 805D4961 249 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwSuspendProcess + 3A 805D4A5C 21 Bytes CALL 805D4841 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwSuspendProcess + 50 805D4A72 7 Bytes [00, CC, CC, CC, CC, CC, 8B]
PAGE ntkrnlpa.exe!ZwResumeProcess + 2 805D4A7A 54 Bytes [55, 8B, EC, 51, 56, 64, A1, ...]
PAGE ntkrnlpa.exe!ZwResumeProcess + 3A 805D4AB2 28 Bytes CALL 805D46F3 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwAlertThread + 1 805D4ACF 9 Bytes [FF, 55, 8B, EC, 51, 64, A1, ...]
PAGE ntkrnlpa.exe!ZwAlertThread + B 805D4AD9 29 Bytes [00, 8A, 80, 40, 01, 00, 00, ...]
PAGE ntkrnlpa.exe!ZwAlertThread + 29 805D4AF7 28 Bytes CALL 805BB482 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwAlertThread + 47 805D4B15 59 Bytes [C9, C2, 04, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!ZwAlertResumeThread + 33 805D4B51 31 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...]
PAGE ntkrnlpa.exe!ZwAlertResumeThread + 53 805D4B71 29 Bytes CALL 805BB481 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwAlertResumeThread + 71 805D4B8F 35 Bytes [FC, 01, 00, 00, 00, 3B, F3, ...]
PAGE ntkrnlpa.exe!ZwAlertResumeThread + 95 805D4BB3 4 Bytes CALL 8059993B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwAlertResumeThread + 9A 805D4BB8 132 Bytes [45, DC, EB, 18, 8B, 45, EC, ...]
PAGE ntkrnlpa.exe!ZwTestAlert + 5B 805D4C3D 18 Bytes [00, 00, 10, 53, 74, 60, 64, ...]
PAGE ntkrnlpa.exe!ZwTestAlert + 6F 805D4C51 54 Bytes [6A, 02, 8D, 4E, 6C, 5A, 33, ...]
PAGE ntkrnlpa.exe!ZwTestAlert + A6 805D4C88 26 Bytes [FF, 83, D4, 00, 00, 00, 75, ...]
PAGE ntkrnlpa.exe!ZwTestAlert + C1 805D4CA3 40 Bytes [F6, 87, 98, 00, 00, 00, 01, ...]
PAGE ntkrnlpa.exe!ZwTestAlert + EB 805D4CCD 93 Bytes [00, 01, 74, 0E, 8B, 87, 38, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwIsProcessInJob + 11 805D51B3 51 Bytes [00, 6A, 00, 88, 45, FC, 8D, ...]
PAGE ntkrnlpa.exe!ZwIsProcessInJob + 46 805D51E8 49 Bytes [8B, 87, 34, 01, 00, 00, 85, ...]
PAGE ntkrnlpa.exe!ZwIsProcessInJob + 78 805D521A 17 Bytes [6A, 00, 8D, 45, FC, 50, FF, ...] {PUSH 0x0; LEA EAX, [EBP-0x4]; PUSH EAX; PUSH DWORD [EBP-0x4]; PUSH DWORD [0x80563940]; PUSH 0x4}
PAGE ntkrnlpa.exe!ZwIsProcessInJob + 8A 805D522C 34 Bytes CALL 805BB480 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwIsProcessInJob + AD 805D524F 40 Bytes [75, 13, 8B, 75, 08, 8B, CE, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwCreateJobSet + 5A 805D5338 6 Bytes [00, 8A, 80, 40, 01, 00] {ADD [EDX+0x14080], CL}
PAGE ntkrnlpa.exe!ZwCreateJobSet + 61 805D533F 48 Bytes [88, 45, D8, 89, 5D, FC, 3C, ...]
PAGE ntkrnlpa.exe!ZwCreateJobSet + 92 805D5370 64 Bytes [CE, 8B, 75, 0C, 8B, C1, C1, ...]
PAGE ntkrnlpa.exe!ZwCreateJobSet + D3 805D53B1 114 Bytes [35, 40, 39, 56, 80, 6A, 04, ...]
PAGE ntkrnlpa.exe!ZwCreateJobSet + 148 805D5426 109 Bytes [75, 40, 3B, DE, 74, 21, 3B, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwCreateJobObject + 11 805D55B7 38 Bytes [00, 89, 45, D8, 8A, 80, 40, ...]
PAGE ntkrnlpa.exe!ZwCreateJobObject + 38 805D55DE 32 Bytes [01, 89, 19, 83, 4D, FC, FF, ...]
PAGE ntkrnlpa.exe!ZwCreateJobObject + 59 805D55FF 86 Bytes CALL 805C135F \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwCreateJobObject + B0 805D5656 55 Bytes [01, 00, 00, 01, C6, 86, 5A, ...]
PAGE ntkrnlpa.exe!ZwCreateJobObject + E8 805D568E 23 Bytes CALL 80535705 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!ZwOpenJobObject + 3A 805D5766 108 Bytes [EB, 16, 8B, 45, EC, 8B, 00, ...]
PAGE ntkrnlpa.exe!ZwOpenJobObject + A7 805D57D3 22 Bytes [FF, 55, 8B, EC, 83, EC, 20, ...]
PAGE ntkrnlpa.exe!ZwOpenJobObject + BE 805D57EA 54 Bytes [8B, D8, FF, 8B, D4, 00, 00, ...]
PAGE ntkrnlpa.exe!ZwOpenJobObject + F6 805D5822 4 Bytes [F6, 86, 98, 00]
PAGE ntkrnlpa.exe!ZwOpenJobObject + FC 805D5828 38 Bytes [08, 8B, 86, 80, 00, 00, 00, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 4 805D5C02 30 Bytes [00, 68, 98, AA, 4D, 80, E8, ...]
PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 23 805D5C21 13 Bytes [4D, 0C, 83, F9, 0B, 0F, 8D, ...] {DEC EBP; OR AL, 0x83; STC ; OR ECX, [EDI]; LEA EAX, [EBP+0x3b000008]; RETF }
PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 31 805D5C2F 64 Bytes [8E, 7D, 08, 00, 00, 8B, 04, ...]
PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 72 805D5C70 12 Bytes [88, 85, 20, FF, FF, FF, 84, ...]
PAGE ntkrnlpa.exe!ZwQueryInformationJobObject + 7F 805D5C7D 27 Bytes [52, 57, 8B, 7D, 10, 57, E8, ...]
PAGE ...
PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 66 805D6648 48 Bytes [00, 0D, 01, 01, 00, 00, 50, ...]
PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 97 805D6679 25 Bytes [8D, 87, CC, 00, 00, 00, 53, ...]
PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + B3 805D6695 28 Bytes CALL 805CED64 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + D0 805D66B2 122 Bytes CALL 805C5EA9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwAssignProcessToJobObject + 14B 805D672D 46 Bytes CALL 80526697 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 3D 805D6949 46 Bytes [8D, BD, 7C, FF, FF, FF, AB, ...]
PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 6D 805D6979 16 Bytes [8B, 04, 9D, C0, F0, 67, 80, ...]
PAGE ntkrnlpa.exe!ZwSetInformationJobObject + 7E 805D698A 44 Bytes [64, A1, 24, 01, 00, 00, 8B, ...]
PAGE ntkrnlpa.exe!ZwSetInformationJobObject + AB 805D69B7 36 Bytes [8B, 45, 14, 03, C6, 3B, C6, ...]
PAGE ntkrnlpa.exe!ZwSetInformationJobObject + D1 805D69DD 4 Bytes JMP 805D7491 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!ZwTerminateJobObject + 17 805D74B7 58 Bytes [88, 45, FC, 8D, 45, 08, 50, ...]
PAGE ntkrnlpa.exe!ZwTerminateJobObject + 52 805D74F2 197 Bytes CALL 805D656A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!ZwTerminateJobObject + 118 805D75B8 28 Bytes [8D, 9F, 44, 02, 00, 00, 8B, ...]
PAGE ntkrnlpa.exe!ZwTerminateJobObject + 136 805D75D6 33 Bytes [00, 02, 74, 6A, 3B, 96, 8C, ...]
PAGE ntkrnlpa.exe!ZwTerminateJobObject + 158 805D75F8 14 Bytes CALL 805D2AFA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!ZwImpersonateThread + 43 805D77E5 55 Bytes [00, A1, 34, 21, 56, 80, 3B, ...]
PAGE ntkrnlpa.exe!ZwImpersonateThread + 7B 805D781D 40 Bytes [85, C0, 0F, 8C, 91, 00, 00, ...]
PAGE ntkrnlpa.exe!ZwImpersonateThread + A4 805D7846 35 Bytes [F0, EB, 47, 8D, 45, A8, 50, ...]
PAGE ntkrnlpa.exe!ZwImpersonateThread + C8 805D786A 114 Bytes [F2, 01, 00, 8B, F0, FF, 75, ...]
PAGE ntkrnlpa.exe!IoDeleteController + 11 805D78DD 44 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!IoDeleteController + 3F 805D790B 55 Bytes CALL 8052665B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!IoDeleteController + 77 805D7943 47 Bytes [65, FC, 00, 53, 56, 57, 64, ...]
PAGE ntkrnlpa.exe!IoDeleteController + A7 805D7973 31 Bytes CALL 8052665B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!IoDeleteController + C7 805D7993 47 Bytes [B1, 01, C6, 46, 49, 01, FF, ...]
PAGE ...
PAGE ntkrnlpa.exe!LdrEnumResources + A 805D8B4E 52 Bytes [33, FF, 39, 7D, 18, 89, 7D, ...]
PAGE ntkrnlpa.exe!LdrEnumResources + 40 805D8B84 44 Bytes JMP 805D8D7B \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!LdrEnumResources + 6D 805D8BB1 12 Bytes [00, 83, 7D, 10, 00, 76, 14, ...] {ADD [EBX+0x7600107d], AL; ADC AL, 0x8b; INC EBP; OR AL, 0x53; PUSH ESI}
PAGE ntkrnlpa.exe!LdrEnumResources + 7A 805D8BBE 47 Bytes CALL 805D87B3 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!LdrEnumResources + AA 805D8BEE 46 Bytes [FF, FF, 7F, 23, CB, 03, CE, ...]
PAGE ...
PAGE ntkrnlpa.exe!LdrFindResource_U + 14 805D8DB2 3 Bytes CALL 805D8825 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!LdrFindResource_U + 18 805D8DB6 2 Bytes [5D, C2]
PAGE ntkrnlpa.exe!LdrFindResource_U + 1B 805D8DB9 7 Bytes [00, CC, CC, CC, CC, CC, CC] {ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 1 805D8DC1 21 Bytes [FF, 55, 8B, EC, FF, 75, 14, ...]
PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 17 805D8DD7 4 Bytes [FF, 5D, C2, 10]
PAGE ntkrnlpa.exe!LdrFindResourceDirectory_U + 1C 805D8DDC 24 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 13 805D8DF5 5 Bytes [00, 0F, 85, D2, 01]
PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 1B 805D8DFD 210 Bytes [5D, 18, 3B, FB, 73, 02, 8B, ...]
PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + EE 805D8ED0 203 Bytes [34, 71, 66, 89, 70, 26, 0F, ...]
PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 1BA 805D8F9C 126 Bytes [34, 71, 66, 89, 70, 04, 0F, ...]
PAGE ntkrnlpa.exe!RtlMultiByteToUnicodeN + 239 805D901B 59 Bytes [35, 04, C5, 67, 80, 66, 8B, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 69 805D9139 7 Bytes [59, 1A, 0F, B6, 58, 0C, 66] {POP ECX; SBB CL, [EDI]; MOV DH, 0x58; OR AL, 0x66}
PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 71 805D9141 95 Bytes [1C, 5A, 66, 89, 59, 18, 0F, ...]
PAGE ntkrnlpa.exe!RtlOemToUnicodeN + D1 805D91A1 15 Bytes [1C, 5A, 66, 89, 59, 08, 0F, ...]
PAGE ntkrnlpa.exe!RtlOemToUnicodeN + E1 805D91B1 183 Bytes [59, 06, 0F, B6, 58, 02, 66, ...]
PAGE ntkrnlpa.exe!RtlOemToUnicodeN + 199 805D9269 282 Bytes [18, 5F, 1B, C0, 5E, 25, 05, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 22 805D9384 1 Byte [D6]
PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 22 805D9384 222 Bytes [D6, 8B, 45, 10, 85, C0, 74, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 101 805D9463 78 Bytes [FF, FF, EB, 4E, 85, F6, 8B, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 150 805D94B2 11 Bytes [08, 89, 01, 5F, 5E, 33, C0, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToMultiByteN + 15C 805D94BE 19 Bytes [5A, 94, 5D, 80, 50, 94, 5D, ...] {POP EDX; XCHG ESP, EAX; POP EBP; ADC BYTE [EAX-0x6c], 0x5d; ADD BYTE [ESI-0x6c], 0x5d; CMP BYTE [ESP+EDX*4], 0x5d; XOR BYTE [EDX], 0x94; POP EBP}
PAGE ...
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 29 805D952D 48 Bytes [45, 10, 85, C0, 89, 4D, 0C, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 5A 805D955E 217 Bytes [01, 8B, 15, 04, C5, 67, 80, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 134 805D9638 69 Bytes [B7, 4F, E4, 0F, B6, 0C, 01, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 17A 805D967E 45 Bytes [83, E3, 0F, 03, F3, 0F, B7, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToMultiByteN + 1A8 805D96AC 33 Bytes [C5, 67, 80, 0F, B7, 0C, 4A, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 11 805D9D61 19 Bytes [56, 57, 89, 55, 18, 0F, 85, ...] {PUSH ESI; PUSH EDI; MOV [EBP+0x18], EDX; JNZ 0xf7; CMP EDX, [EBP+0xc]; JB 0x13; MOV EDX, [EBP+0xc]}
PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 25 805D9D75 38 Bytes [45, 10, 85, C0, 74, 02, 89, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 4C 805D9D9C 18 Bytes [0F, 77, 07, FF, 24, BD, BD, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToOemN + 5F 805D9DAF 65 Bytes [20, 83, C1, 10, 88, 59, FF, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToOemN + A1 805D9DF1 79 Bytes [B7, 58, 0C, 8A, 1C, 33, 88, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 29 805D9F2B 9 Bytes [45, 10, 85, C0, 89, 4D, FC, ...] {INC EBP; ADC [EBP-0x3b27640], AL; JZ 0xb}
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 33 805D9F35 32 Bytes [08, 8B, 55, 14, A1, 20, C7, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 54 805D9F56 67 Bytes [0F, B7, 0F, 0F, B6, 0C, 01, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 98 805D9F9A 161 Bytes [B7, D6, 8B, FA, C1, EF, 08, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToOemN + 13A 805DA03C 17 Bytes [01, 8B, 15, 1C, C7, 67, 80, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 4 805DA840 88 Bytes [EC, 53, 8B, 5D, 08, 56, 57, ...]
PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 5D 805DA899 45 Bytes [0F, B6, 58, 0D, 66, 8B, 1C, ...]
PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + 8B 805DA8C7 83 Bytes [59, 14, 0F, B6, 58, 09, 66, ...]
PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + DF 805DA91B 7 Bytes [59, 06, 0F, B6, 58, 02, 66]
PAGE ntkrnlpa.exe!RtlCustomCPToUnicodeN + E7 805DA923 187 Bytes [1C, 5A, 66, 89, 59, 04, 0F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 49 805DAA69 26 Bytes [FF, 0F, 77, 07, FF, 24, BD, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 64 805DAA84 54 Bytes [0F, B7, 18, 8A, 1C, 33, 88, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 9B 805DAABB 53 Bytes [88, 59, 05, 0F, B7, 58, 0C, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + D1 805DAAF1 63 Bytes [B7, 58, 16, 8A, 1C, 33, 88, ...]
PAGE ntkrnlpa.exe!RtlUnicodeToCustomCPN + 111 805DAB31 8 Bytes [74, 38, 83, 7D, 10, 00, 74, ...] {JZ 0x3a; CMP DWORD [EBP+0x10], 0x0; JZ 0x3a}
PAGE ...
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 2 805DABD2 40 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 2C 805DABFC 54 Bytes [14, 85, C0, 89, 55, 08, 74, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 63 805DAC33 45 Bytes [45, 0C, 10, 83, C1, 20, 66, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 91
__________________
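Added example for this thread (not GMER's code and not the poster's): a small triage script for the PAGE section of a GMER log like the one above. The log itself shows GMER's convention for control transfers: where it can attribute a JMP/CALL target to a loaded module it appends that module's path and description (e.g. `JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (...)`), while a few entries (`JMP 08558959`, `CALL C17AAC88`, `CALL C888D358`) carry no such attribution. Those unattributed targets, and any target below the user/kernel boundary, are the entries a practitioner would examine first; the thousands of plain byte differences spread over nearly every exported function are more consistent with a whole-section mismatch between the in-memory kernel and the file GMER read from disk than with targeted hooks, so the script counts them but does not rank them. Assumptions not taken from the log: the 0x80000000 split of a 32-bit system booted without /3GB, and the sample list, which copies a handful of lines from the posted log so the script runs offline.

```python
"""Triage helper for the PAGE section of a GMER rootkit-scan log.

Added example; not GMER's code. Assumptions: 2 GB/2 GB user/kernel split
(USER_SPACE_LIMIT) and the constructed SAMPLE_LINES below.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in GMER 1.0.15 'PAGE' format, copied from the posted log.
SAMPLE_LINES = [
    r"PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 15 805DC1C5 75 Bytes JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)",
    r"PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 4A 805E1914 28 Bytes JMP 08558959",
    r"PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 9B 805E231D 110 Bytes CALL C17AAC88",
    r"PAGE ntkrnlpa.exe!RtlIntegerToChar + 1B 805E5F53 112 Bytes CALL C888D358",
    r"PAGE ntkrnlpa.exe!RtlFreeHeap + 5C 805E15CC 16 Bytes [00, 80, 7B, 07, 40, 0F, 83, ...] {ADD [EAX+0xf40077b], AL; CLD ; PUSH DWORD [EBX]}",
    r"PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 1 Byte [00]",
    r"PAGE ...",
]

# Assumption: default 32-bit split without /3GB. A kernel function that
# transfers control below this address is jumping into user space.
USER_SPACE_LIMIT = 0x80000000

# PAGE <module>!<func> [+ <off>] <addr> <n> Byte(s) <rest>
_ENTRY = re.compile(
    r"^PAGE\s+(?P<module>\S+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s*(?P<rest>.*)$"
)
# GMER prints 'JMP <addr>' / 'CALL <addr>' for a control transfer and appends
# the owning module's path and description when it can attribute the target.
_XFER = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\\\S+)\s+\((?P<desc>[^)]*)\))?"
)


@dataclass
class PageEntry:
    module: str
    func: str
    offset: int
    addr: int
    nbytes: int
    xfer: Optional[str]      # "JMP" / "CALL" or None for a plain byte diff
    target: Optional[int]    # transfer target, if any
    owner: Optional[str]     # module GMER attributed the target to, if any


def parse_page_entries(lines: Iterable[str]) -> List[PageEntry]:
    """Parse PAGE lines; 'PAGE ...' continuation markers and headers are skipped."""
    entries: List[PageEntry] = []
    for line in lines:
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        x = _XFER.match(m.group("rest"))
        entries.append(PageEntry(
            module=m.group("module"),
            func=m.group("func"),
            offset=int(m.group("off") or "0", 16),
            addr=int(m.group("addr"), 16),
            nbytes=int(m.group("n")),
            xfer=x.group("kind") if x else None,
            target=int(x.group("target"), 16) if x else None,
            owner=x.group("owner") if x else None,
        ))
    return entries


def suspicious_transfers(entries: Iterable[PageEntry]) -> List[PageEntry]:
    """Transfers GMER could not attribute to a module, or that land in user space."""
    return [
        e for e in entries
        if e.xfer is not None and (e.owner is None or e.target < USER_SPACE_LIMIT)
    ]


def summarize(entries: List[PageEntry]) -> dict:
    """Counts that show whether diffs are concentrated or smeared over the image."""
    per_func = Counter(e.func for e in entries)
    return {
        "entries": len(entries),
        "functions": len(per_func),
        "bytes": sum(e.nbytes for e in entries),
        "transfers": sum(1 for e in entries if e.xfer),
    }


if __name__ == "__main__":
    parsed = parse_page_entries(SAMPLE_LINES)
    print(summarize(parsed))
    for e in suspicious_transfers(parsed):
        print(f"{e.func}+{e.offset:X} @ {e.addr:08X}: {e.xfer} {e.target:08X} "
              f"({'unattributed' if e.owner is None else e.owner})")
```

Feed the script the whole log (one `PAGE` line per list element) to get the summary and the short list of unattributed transfers; a summary whose `functions` count approaches the number of exported functions in the section is the signal for a whole-image mismatch rather than a handful of hooks.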

06.08.2010, 07:49   #34
SchmerlenOtt

Windows freezes, Firefox opens windows at random (in Flensburg)

GMER part 2:

805DAC61 3 Bytes [DF, C1, EB]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeToCustomCPN + 95 805DAC65 417 Bytes [0F, B7, 1C, 5A, 89, 7D, 18, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlInitCodePageTable + 61 805DB4A1 63 Bytes [33, F6, 66, 39, 32, 74, 08, ...]
PAGE ntkrnlpa.exe!RtlInitCodePageTable + A1 805DB4E1 56 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!RtlInitCodePageTable + DA 805DB51A 8 Bytes [14, 8D, 46, 2C, 50, FF, 75, ...] {ADC AL, 0x8d; INC ESI; SUB AL, 0x50; PUSH DWORD [EBP+0x8]}
PAGE ntkrnlpa.exe!RtlInitCodePageTable + E3 805DB523 34 Bytes [19, FF, FF, FF, 56, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlInitCodePageTable + 106 805DB546 105 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlGetDefaultCodePage + 26 805DB672 14 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...]
PAGE ntkrnlpa.exe!PfxInitialize + D 805DB681 118 Bytes [66, C7, 00, 00, 02, 89, 40, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 66 805DB6F8 35 Bytes [01, 02, 89, 41, 04, 8B, 4E, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 8A 805DB71C 138 Bytes [57, 8B, 7D, 08, 0F, B7, 17, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 115 805DB7A7 169 Bytes [D8, 0F, B7, D1, 89, 5D, F0, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 1BF 805DB851 25 Bytes [F8, 72, E1, 8B, 7D, 0C, 39, ...]
PAGE ntkrnlpa.exe!PfxRemovePrefix + 1D9 805DB86B 1 Byte [85]
PAGE ...
PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 2 805DB8DC 20 Bytes [55, 8B, EC, 8B, 45, 08, 66, ...]
PAGE ntkrnlpa.exe!RtlInitializeUnicodePrefix + 17 805DB8F1 46 Bytes [40, 04, 5D, C2, 04, 00, CC, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 25 805DB921 142 Bytes [7E, 23, 81, F9, 03, 08, 00, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B4 805DB9B0 2 Bytes [19, EB] {SBB EBX, EBP}
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + B7 805DB9B3 57 Bytes [83, C0, 0C, 8B, F0, EB, 02, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + F1 805DB9ED 20 Bytes [83, C0, F4, EB, 03, 8B, 49, ...]
PAGE ntkrnlpa.exe!RtlRemoveUnicodePrefix + 106 805DBA02 113 Bytes [8B, 4E, 04, 89, 48, 04, 83, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 58 805DBA74 45 Bytes [F7, EB, 18, 8B, 46, 04, 66, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 86 805DBAA2 212 Bytes [55, 8B, EC, 8B, 55, 08, 0F, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 15B 805DBB77 45 Bytes [00, 00, A1, F0, C2, 67, 80, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 189 805DBBA5 240 Bytes [75, 10, EB, 3A, 66, 83, 7D, ...]
PAGE ntkrnlpa.exe!RtlNextUnicodePrefix + 27A 805DBC96 42 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!PfxInsertPrefix + 25 805DBCC1 395 Bytes [83, 66, 08, 00, 89, 36, 8B, ...]
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 2D 805DBE4D 109 Bytes [59, 04, 89, 4D, FC, EB, 06, ...]
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 9B 805DBEBB 19 Bytes [83, F8, 02, 75, C4, 8B, 7D, ...] {CMP EAX, 0x2; JNZ 0xffffffffffffffc9; MOV EDI, [EBP+0x10]; MOV [EBP+0x8], EDI; MOV EAX, [EBP+0x8]; PUSH -0x1; PUSH DWORD [EBP+0xc]}
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + AF 805DBECF 107 Bytes CALL 805DBACA \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 11B 805DBF3B 19 Bytes CALL 8052D134 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInsertUnicodePrefix + 12F 805DBF4F 47 Bytes [70, 04, B0, 01, 5F, 5E, 5B, ...]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 1F 805DBF7F 29 Bytes [76, 04, 66, 39, 46, 02, 7F, ...]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 3D 805DBF9D 4 Bytes [FF, 83, F8, 03]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 1 Byte [05]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 42 805DBFA2 39 Bytes [05, 8B, 5B, 04, EB, 07, 85, ...]
PAGE ntkrnlpa.exe!RtlFindUnicodePrefix + 6A 805DBFCA 25 Bytes [FF, 83, F8, 02, 74, 55, 83, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 15 805DC1C5 75 Bytes JMP 805DC301 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 61 805DC211 27 Bytes [00, 00, 8B, 7D, 18, 8B, 5D, ...]
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + 7D 805DC22D 65 Bytes [00, 00, 8B, 7D, FC, 3B, 3A, ...]
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + BF 805DC26F 34 Bytes [00, 00, 51, 50, 57, E8, 37, ...]
PAGE ntkrnlpa.exe!RtlSelfRelativeToAbsoluteSD + E3 805DC293 105 Bytes CALL 8053A8AC \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!RtlAbsoluteToSelfRelativeSD + 11 805DC43B 126 Bytes [00, C0, EB, 0C, FF, 75, 10, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + 66 805DC4BA 4 Bytes [C6, 45, E7, 02] {MOV BYTE [EBP-0x19], 0x2}
PAGE ntkrnlpa.exe!RtlCreateAcl + 6B 805DC4BF 10 Bytes [7D, 08, 8A, 07, 3C, 02, 0F, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + 77 805DC4CB 76 Bytes [3C, 04, 0F, 87, E3, 01, 00, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + C4 805DC518 104 Bytes [83, 99, 01, 00, 00, 8D, 48, ...]
PAGE ntkrnlpa.exe!RtlCreateAcl + 12D 805DC581 31 Bytes [B6, C0, 8D, 04, 85, 10, 00, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlGetAce + 4 805DC6CE 97 Bytes [EC, 8B, 4D, 08, 8A, 01, 3C, ...]
PAGE ntkrnlpa.exe!RtlGetAce + 66 805DC730 227 Bytes [00, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetAce + 14C 805DC816 60 Bytes [8B, FF, 55, 8B, EC, 56, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetAce + 189 805DC853 199 Bytes [3F, 0F, B7, 4E, 04, 8B, 45, ...]
PAGE ntkrnlpa.exe!RtlAddAce + 7B 805DC91D 63 Bytes [85, C0, 74, 52, 0F, B7, 4E, ...]
PAGE ntkrnlpa.exe!RtlAddAce + BB 805DC95D 24 Bytes [45, 0C, 66, 01, 46, 04, 8A, ...]
PAGE ntkrnlpa.exe!RtlAddAce + D4 805DC976 24 Bytes [00, C0, 5F, 5B, 5E, C9, C2, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + B 805DC98F 25 Bytes [17, FB, FF, FF, 84, C0, 74, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + 25 805DC9A9 110 Bytes [FF, 84, C0, 75, 07, B8, 0D, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + 94 805DCA18 31 Bytes [4D, 0C, 83, F9, 04, 0F, 87, ...]
PAGE ntkrnlpa.exe!RtlDeleteAce + B4 805DCA38 6 Bytes [02, 75, 05, 25, 3F, FF]
PAGE ntkrnlpa.exe!RtlDeleteAce + BB 805DCA3F 51 Bytes [FF, 85, C0, 74, 0A, B8, 0D, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAce + 1D 805DCAFD 40 Bytes [00, CC, CC, CC, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 24 805DCB28 110 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 93 805DCB97 140 Bytes [88, D4, 00, 00, 00, 6A, 02, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 120 805DCC24 47 Bytes [B0, 01, EB, 02, 32, C0, 5D, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 150 805DCC54 76 Bytes [EC, 8B, 45, 0C, 56, 8B, 75, ...]
PAGE ntkrnlpa.exe!RtlAddAccessAllowedAceEx + 19D 805DCCA1 18 Bytes [70, 08, 89, 75, F8, E8, 7F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCreateAtomTable + 55 805DCD61 21 Bytes [F3, AA, 56, 89, 5E, 0C, E8, ...]
PAGE ntkrnlpa.exe!RtlCreateAtomTable + 6B 805DCD77 96 Bytes [C7, 06, 41, 74, 6F, 6D, 89, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 3A 805DCDD8 35 Bytes [37, 89, 75, D8, 83, 27, 00, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 5E 805DCDFC 58 Bytes [EB, E7, FF, 45, E4, EB, CC, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + 99 805DCE37 17 Bytes [89, 45, E0, 83, 4D, FC, FF, ...]
PAGE ntkrnlpa.exe!RtlDestroyAtomTable + AB 805DCE49 51 Bytes [CC, CC, CC, CC, CC, 6A, 20, ...]
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 1 Byte [75]
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 2F 805DCE7D 10 Bytes [75, E0, 8B, 45, E0, 3B, 43, ...] {JNZ 0xffffffffffffffe2; MOV EAX, [EBP-0x20]; CMP EAX, [EBX+0xc]; JAE 0x4b}
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3A 805DCE88 2 Bytes [7D, E4] {JGE 0xffffffffffffffe6}
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 3D 805DCE8B 8 Bytes [7D, D8, 83, 45, E4, 04, 8B, ...] {JGE 0xffffffffffffffda; ADD DWORD [EBP-0x1c], 0x4; MOV ESI, [EDI]}
PAGE ntkrnlpa.exe!RtlEmptyAtomTable + 46 805DCE94 22 Bytes [75, D0, 85, F6, 74, 29, 80, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 13 805DD095 42 Bytes [FF, 84, C0, 75, 0A, B8, 0D, ...]
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 3E 805DD0C0 22 Bytes [72, 0C, 89, 7D, E0, C7, 45, ...]
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 55 805DD0D7 28 Bytes [84, 26, 01, 00, 00, 66, 8B, ...]
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 72 805DD0F4 5 Bytes JMP 805DD202 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlAddAtomToAtomTable + 78 805DD0FA 26 Bytes [45, DC, 50, 8D, 45, D8, 50, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 30 805DD24E 3 Bytes CALL 805DCEFD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 34 805DD252 21 Bytes [84, C0, 74, 27, 66, 81, 7D, ...]
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 4A 805DD268 80 Bytes [EB, 03, 89, 7D, E4, 8B, 45, ...]
PAGE ntkrnlpa.exe!RtlLookupAtomInAtomTable + 9B 805DD2B9 179 Bytes [89, 7D, E4, 8B, 45, 10, 3B, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 67 805DD36D 3 Bytes [FF, 48, 08] {DEC DWORD [EAX+0x8]}
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + 6B 805DD371 59 Bytes [39, 58, 08, 75, 53, 53, 8D, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + A7 805DD3AD 9 Bytes [89, 5D, E4, EB, 17, 8B, 45, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + B2 805DD3B8 39 Bytes [00, 89, 45, D8, 33, C0, 40, ...]
PAGE ntkrnlpa.exe!RtlDeleteAtomFromAtomTable + DA 805DD3E0 25 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...]
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 14 805DD3FA 38 Bytes [84, C0, 75, 07, B8, 0D, 00, ...]
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 3B 805DD421 10 Bytes [00, 50, FF, 75, 08, E8, 25, ...] {ADD [EAX-0x1], DL; JNZ 0xd; CALL 0xfffffffffffff82f}
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 46 805DD42C 40 Bytes [45, DC, 3B, C7, 74, 35, 66, ...]
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 6F 805DD455 12 Bytes [8B, 00, 89, 45, E0, 33, C0, ...] {MOV EAX, [EAX]; MOV [EBP-0x20], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]}
PAGE ntkrnlpa.exe!RtlPinAtomInAtomTable + 7C 805DD462 31 Bytes [45, E0, 89, 45, E4, 83, 4D, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 4F 805DD4DB 6 Bytes [85, C0, 75, 0C, C7, 45]
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 56 805DD4E2 22 Bytes JMP 805DD614 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 6D 805DD4F9 14 Bytes [85, FF, 74, 06, C7, 07, 01, ...]
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 7C 805DD508 324 Bytes [0F, 84, 0A, 01, 00, 00, 0F, ...]
PAGE ntkrnlpa.exe!RtlQueryAtomInAtomTable + 1C1 805DD64D 199 Bytes CALL 805DCB7A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 33 805DD715 30 Bytes [56, 57, 8B, 7D, 08, 8D, 77, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 53 805DD735 93 Bytes [00, 8B, 50, 04, 3B, 51, 04, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + B1 805DD793 114 Bytes [55, FC, 85, D2, 75, 16, 8B, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 124 805DD806 200 Bytes [05, 89, 37, 89, 47, 04, 8B, ...]
PAGE ntkrnlpa.exe!RtlInitializeRangeList + 1ED 805DD8CF 23 Bytes [8B, 55, 08, 5F, 5E, 52, 53, ...]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 1 805DD8E7 6 Bytes [FF, 55, 8B, EC, 56, 57] {CALL [EBP-0x75]; IN AL, DX ; PUSH ESI; PUSH EDI}
PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 1 Byte [7D]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 8 805DD8EE 7 Bytes [7D, 08, 8B, 0F, 83, 67, 08]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 10 805DD8F6 27 Bytes [83, 67, 0C, 00, 83, E9, 1C, ...]
PAGE ntkrnlpa.exe!RtlFreeRangeList + 2C 805DD912 40 Bytes [8B, CE, 8D, 46, 1C, 8B, 30, ...]
PAGE ntkrnlpa.exe!RtlGetFirstRange + F 805DD93B 164 Bytes [72, 10, 89, 71, 0C, 8B, 32, ...]
PAGE ntkrnlpa.exe!RtlGetFirstRange + B4 805DD9E0 111 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetNextRange + 6A 805DDA50 176 Bytes [14, 8B, 45, 0C, 89, 59, 08, ...]
PAGE ntkrnlpa.exe!RtlGetNextRange + 11B 805DDB01 77 Bytes [01, 89, 43, 04, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + 1B 805DDB4F 53 Bytes [43, 08, 89, 46, 08, 8B, 43, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + 51 805DDB85 14 Bytes [78, 1C, 3B, DF, 75, DA, 33, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + 60 805DDB94 25 Bytes CALL 805DD8E5 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlCopyRangeList + 7A 805DDBAE 121 Bytes [08, 8B, 46, 08, 85, C0, 57, ...]
PAGE ntkrnlpa.exe!RtlCopyRangeList + F4 805DDC28 55 Bytes [48, 08, 3B, 4D, 0C, 72, 2F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlFindRange + 12 805DDC9A 25 Bytes [7D, 14, 48, 33, C9, 2B, F8, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 2C 805DDCB4 37 Bytes [1B, DA, 8B, 55, 10, 3B, D6, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 52 805DDCDA 18 Bytes [F1, 0F, 82, 0C, 01, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 65 805DDCED 19 Bytes [00, 00, 8B, 4D, 20, 03, 4D, ...]
PAGE ntkrnlpa.exe!RtlFindRange + 79 805DDD01 29 Bytes [00, 77, 09, 3B, 4D, 0C, 0F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2 805DE006 7 Bytes [55, 8B, EC, 83, EC, 10, 8D]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + B 805DE00F 35 Bytes [50, 8D, 45, F0, 50, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 2F 805DE033 46 Bytes [45, 1C, FF, 75, 24, 33, C9, ...]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 5E 805DE062 163 Bytes [FF, 8B, 4D, 2C, 88, 01, 33, ...]
PAGE ntkrnlpa.exe!RtlIsRangeAvailable + 102 805DE106 69 Bytes [8B, 49, 20, 8B, 39, 8D, 72, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlMergeRangeLists + 1 805DE225 2 Bytes [FF, 55]
PAGE ntkrnlpa.exe!RtlMergeRangeLists + 4 805DE228 157 Bytes [EC, 51, 53, 56, 57, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlMergeRangeLists + A2 805DE2C6 88 Bytes [FF, 85, C0, 74, 25, F6, 46, ...]
PAGE ntkrnlpa.exe!RtlAddRange + 1B 805DE31F 123 Bytes [C0, EB, 5B, 56, FF, 75, 28, ...]
PAGE ntkrnlpa.exe!RtlDeleteRange + 15 805DE39B 7 Bytes [32, 83, EE, 1C, 3B, DA, C7]
PAGE ntkrnlpa.exe!RtlDeleteRange + 1D 805DE3A3 15 Bytes [F8, 8C, 02, 00, C0, 89, 75, ...] {CLC ; MOV WORD [EDX], ES; ADD AL, AL; MOV [EBP-0x4], ESI; JZ 0xf7; PUSH EDI}
PAGE ntkrnlpa.exe!RtlDeleteRange + 2D 805DE3B3 1 Byte [03]
PAGE ntkrnlpa.exe!RtlDeleteRange + 30 805DE3B6 15 Bytes [FC, 8B, 51, 04, 8B, 7D, 18, ...]
PAGE ntkrnlpa.exe!RtlDeleteRange + 40 805DE3C6 119 Bytes [00, 77, 09, 39, 45, 14, 0F, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 51 805DE509 21 Bytes [CF, 8B, 7F, 1C, EB, C0, 8B, ...]
PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 67 805DE51F 51 Bytes [68, 80, 65, 55, 80, 89, 50, ...]
PAGE ntkrnlpa.exe!RtlDeleteOwnersRanges + 9B 805DE553 62 Bytes [FC, 5F, 5E, 5B, C9, C2, 08, ...]
PAGE ntkrnlpa.exe!RtlInvertRangeList + 32 805DE592 100 Bytes [6A, 00, 83, C2, FF, 83, D3, ...]
PAGE ntkrnlpa.exe!RtlInvertRangeList + 97 805DE5F7 81 Bytes [CC, CC, CC, CC, CC, 6A, 30, ...]
PAGE ntkrnlpa.exe!RtlZeroHeap + 4D 805DE649 23 Bytes [8B, 45, D8, 8B, 4D, DC, 8B, ...]
PAGE ntkrnlpa.exe!RtlZeroHeap + 65 805DE661 10 Bytes [77, 20, 89, 75, E0, 3B, 77, ...] {JA 0x22; MOV [EBP-0x20], ESI; CMP ESI, [EDI+0x24]; JAE 0x6f}
PAGE ntkrnlpa.exe!RtlZeroHeap + 71 805DE66D 142 Bytes [06, C1, E0, 03, 89, 45, C4, ...]
PAGE ntkrnlpa.exe!RtlZeroHeap + 101 805DE6FD 38 Bytes CALL 8053BBD9 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlZeroHeap + 128 805DE724 85 Bytes [55, 8B, EC, 83, EC, 0C, 56, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlDestroyHeap + 16 805DF1A2 91 Bytes JMP 805DF235 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlDestroyHeap + 72 805DF1FE 51 Bytes [00, 8D, 45, 08, 50, 8D, 45, ...]
PAGE ntkrnlpa.exe!RtlDestroyHeap + A6 805DF232 52 Bytes [FF, 4E, 75, EE, 5E, 5B, 33, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + 23 805DF267 47 Bytes [0F, B7, 41, F8, 0F, B6, 49, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + 53 805DF297 88 Bytes [65, 6E, 74, 20, 28, 25, 78, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + AC 805DF2F0 38 Bytes [03, 89, 45, F4, 8D, 47, 08, ...]
PAGE ntkrnlpa.exe!RtlSizeHeap + D3 805DF317 5 Bytes [8D, 45, 1C, 50, 6A]
PAGE ntkrnlpa.exe!RtlSizeHeap + D9 805DF31D 143 Bytes CALL 804FFE90 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntkrnlpa.exe!RtlCreateHeap + 19 805DF985 104 Bytes [89, 45, D8, F6, 45, 0B, 10, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + 82 805DF9EE 15 Bytes [C0, 40, C3, 8B, 65, E8, 8B, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + 92 805DF9FE 85 Bytes [D3, 0F, 8C, AE, 03, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + E8 805DFA54 57 Bytes [89, 45, B4, 53, 6A, 2C, 8D, ...]
PAGE ntkrnlpa.exe!RtlCreateHeap + 122 805DFA8E 19 Bytes [76, 07, C7, 45, BC, 00, F0, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAllocateHeap + 45 805E0CE1 50 Bytes [01, 41, 83, C1, 0F, 83, E1, ...]
PAGE ntkrnlpa.exe!RtlAllocateHeap + 78 805E0D14 12 Bytes [83, 3B, 02, 00, 00, 8D, 84, ...] {CMP DWORD [EBX], 0x2; ADD [EAX], AL; LEA EAX, [ESI+EDI*8+0x178]}
PAGE ntkrnlpa.exe!RtlAllocateHeap + 86 805E0D22 46 Bytes [D4, 39, 00, 0F, 84, DA, 00, ...]
PAGE ntkrnlpa.exe!RtlAllocateHeap + B5 805E0D51 65 Bytes [F9, 8B, 4D, A8, 75, 08, 8B, ...]
PAGE ntkrnlpa.exe!RtlAllocateHeap + F7 805E0D93 30 Bytes [0F, 8B, 4D, DC, 29, 4E, 28, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlFreeHeap + 5C 805E15CC 16 Bytes [00, 80, 7B, 07, 40, 0F, 83, ...] {ADD [EAX+0xf40077b], AL; CMP DWORD [EBX-0x7cffffff], 0x4d; CLD ; PUSH DWORD [EBX]}
PAGE ntkrnlpa.exe!RtlFreeHeap + 6D 805E15DD 37 Bytes [40, 89, 45, FC, 84, C8, 75, ...]
PAGE ntkrnlpa.exe!RtlFreeHeap + 93 805E1603 152 Bytes [45, E0, 57, 8D, 45, E0, 50, ...]
PAGE ntkrnlpa.exe!RtlFreeHeap + 12C 805E169C 82 Bytes [00, 00, 81, F9, 00, FE, 00, ...]
PAGE ntkrnlpa.exe!RtlFreeHeap + 17F 805E16EF 23 Bytes [08, 89, 50, 04, 89, 02, 89, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAnsiCharToUnicodeChar + C 805E17B2 76 Bytes [53, 56, 8B, 75, 08, 8B, 06, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 9 805E17FF 26 Bytes [56, 8B, 75, 0C, 66, 8B, 06, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 24 805E181A 30 Bytes [85, C0, 89, 47, 04, 75, 1A, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + 43 805E1839 106 Bytes [00, 00, 0F, B7, 16, 6A, 00, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeString + AE 805E18A4 83 Bytes [B7, C0, 8B, 5F, 04, 66, 89, ...]
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 2E 805E18F8 5 Bytes [00, C0, E9, 93, 00]
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 34 805E18FE 21 Bytes [00, 66, 3B, 47, 02, 76, 0A, ...]
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 4A 805E1914 28 Bytes JMP 08558959
PAGE ntkrnlpa.exe!RtlDowncaseUnicodeString + 67 805E1931 343 Bytes [77, 08, 0F, B7, C0, 83, C0, ...]
PAGE ntkrnlpa.exe!RtlFreeOemString + 9 805E1A89 12 Bytes [40, 04, 85, C0, 74, 07, 50, ...]
PAGE ntkrnlpa.exe!RtlFreeOemString + 16 805E1A96 34 Bytes [5D, C2, 04, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiSize + 19 805E1AB9 13 Bytes [45, 08, 40, 5D, C2, 04, 00, ...] {INC EBP; OR [EAX+0x5d], AL; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 1 805E1AC7 23 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 19 805E1ADF 8 Bytes [45, 08, 83, C0, 02, 5D, C2, ...]
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeSize + 22 805E1AE8 45 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 28 805E1B16 7 Bytes [C1, 03, C6, 80, 7D, 10, 00] {ROL DWORD [EBX], 0xc6; CMP BYTE [EBP+0x10], 0x0}
PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 30 805E1B1E 23 Bytes [45, FC, 0F, 84, FE, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlCompareUnicodeString + 48 805E1B36 283 Bytes [3A, 33, C0, 66, 8B, 06, 46, ...]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 18 805E1C52 32 Bytes [EE, 00, 00, 00, 8B, 71, 04, ...]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 39 805E1C73 3 Bytes [83, B3, 00]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 3E 805E1C78 4 Bytes [A1, F0, C2, 67]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 43 805E1C7D 19 Bytes [66, 8B, 16, 33, C9, 66, 8B, ...]
PAGE ntkrnlpa.exe!RtlEqualUnicodeString + 58 805E1C92 63 Bytes [0F, 84, 8A, 00, 00, 00, 66, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + 5C 805E1DAE 132 Bytes [FA, 61, 73, 05, 0F, B7, D2, ...]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 1 Byte [5D]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + E1 805E1E33 15 Bytes [5D, 0C, FF, 4D, 08, 0F, 85, ...]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + F1 805E1E43 10 Bytes [1B, 85, D2, 74, 15, 8B, C3, ...]
PAGE ntkrnlpa.exe!RtlPrefixUnicodeString + FC 805E1E4E 60 Bytes [0F, 66, 8B, 34, 38, 47, 47, ...]
PAGE ntkrnlpa.exe!RtlCreateUnicodeString + 1F 805E1E8B 126 Bytes [55, 08, 89, 42, 04, 74, 22, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + 48 805E1F0A 133 Bytes [53, 66, 8B, 16, 46, 46, 66, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + CE 805E1F90 42 Bytes [55, 8B, EC, 83, EC, 64, A1, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + FA 805E1FBC 13 Bytes [FF, 0F, 85, A6, 02, 00, 00, ...]
PAGE ntkrnlpa.exe!RtlHashUnicodeString + 108 805E1FCA 34 Bytes CALL 8052BB49 \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlHashUnicodeString + 12B 805E1FED 43 Bytes [56, 04, 8B, 4D, 08, 33, C0, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 1F 805E22A1 123 Bytes [8D, 44, 00, 02, 3D, FF, FF, ...]
PAGE ntkrnlpa.exe!RtlAnsiStringToUnicodeString + 9B 805E231D 110 Bytes CALL C17AAC88
PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + 58 805E238C 90 Bytes [27, B8, 17, 00, 00, C0, EB, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToAnsiString + B3 805E23E7 146 Bytes [46, 04, 8B, 4D, 0C, 88, 1C, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToAnsiString + 7C 805E247A 136 Bytes [FF, 8B, F8, 3B, FB, 7D, 15, ...]
PAGE ntkrnlpa.exe!RtlOemStringToUnicodeString + 55 805E2503 206 Bytes [00, C0, EB, 4D, 66, 3B, 4E, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToOemString + 72 805E25D2 65 Bytes [B7, 06, 50, FF, 76, 04, E8, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 4 805E2614 38 Bytes [EC, 80, 3D, 28, C7, 67, 80, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + 2B 805E263B 120 Bytes JMP 805E26CD \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToOemString + A4 805E26B4 36 Bytes [15, 24, FC, 67, 80, 83, 66, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString 805E26DA 25 Bytes [8B, FF, 55, 8B, EC, 53, 33, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 1A 805E26F4 8 Bytes [EB, 07, 0F, B7, 07, 8D, 44, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + 23 805E26FD 146 Bytes [83, C0, FE, 3B, C3, 75, 11, ...]
PAGE ntkrnlpa.exe!RtlOemStringToCountedUnicodeString + B6 805E2790 7 Bytes [CC, CC, CC, CC, CC, CC, 8B]
PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + 2 805E2798 9 Bytes [55, 8B, EC, 80, 3D, 28, C7, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToCountedOemString + C 805E27A2 196 Bytes [53, 57, 8B, 7D, 0C, 74, 08, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString 805E286A 60 Bytes [8B, FF, 55, 8B, EC, 80, 3D, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 3D 805E28A7 17 Bytes [3D, FF, FF, 00, 00, 76, 07, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 4F 805E28B9 177 Bytes [56, 8B, 75, 08, 66, 89, 06, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 101 805E296B 95 Bytes [3C, 50, 2E, 74, 07, 42, 3B, ...]
PAGE ntkrnlpa.exe!RtlUpcaseUnicodeStringToCountedOemString + 161 805E29CB 60 Bytes [C0, EB, 13, FF, 75, 10, 8D, ...]
PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 1 Byte [00]
PAGE ntkrnlpa.exe!RtlUpperChar + 14 805E2A08 7 Bytes [00, 00, 83, F0, 20, E9, F6]
PAGE ntkrnlpa.exe!RtlUpperChar + 1E 805E2A12 5 Bytes [80, 3D, 10, C5, 67]
PAGE ntkrnlpa.exe!RtlUpperChar + 24 805E2A18 10 Bytes [00, 56, 57, 75, 67, 8B, 0D, ...]
PAGE ntkrnlpa.exe!RtlUpperChar + 2F 805E2A23 80 Bytes [0F, B6, C0, 0F, B7, 04, 41, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCompareString + 26 805E2B38 4 Bytes [C1, 80, 7D, 10]
PAGE ntkrnlpa.exe!RtlCompareString + 2B 805E2B3D 303 Bytes [8D, 1C, 30, 74, 4E, EB, 28, ...]
PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 1 Byte [4D]
PAGE ntkrnlpa.exe!RtlUpperString + 9 805E2C6D 117 Bytes [4D, 08, 66, 8B, 51, 02, 56, ...]
PAGE ntkrnlpa.exe!RtlAppendAsciizToString + 35 805E2CE3 174 Bytes [00, C0, EB, 17, 51, 8B, 4E, ...]
PAGE ntkrnlpa.exe!RtlValidSid + 34 805E2D92 45 Bytes CALL 805A7B1A \WINDOWS\system32\ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlValidSid + 62 805E2DC0 104 Bytes [02, 75, 58, 8A, 50, 03, 3A, ...]
PAGE ntkrnlpa.exe!RtlLengthRequiredSid + 1 805E2E29 78 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlSubAuthoritySid + 2 805E2E78 45 Bytes [55, 8B, EC, 8B, 45, 0C, 8B, ...]
PAGE ntkrnlpa.exe!RtlLengthSid + 6 805E2EA6 78 Bytes [45, 08, 0F, B6, 40, 01, 8D, ...]
PAGE ntkrnlpa.exe!RtlCopySid + 39 805E2EF5 160 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...]
PAGE ntkrnlpa.exe!RtlCopySid + DA 805E2F96 21 Bytes [FF, 3C, 01, 74, 07, B8, 78, ...]
PAGE ntkrnlpa.exe!RtlCopySid + F0 805E2FAC 33 Bytes [75, 04, 6A, 0A, EB, 02, 6A, ...]
PAGE ntkrnlpa.exe!RtlCopySid + 112 805E2FCE 3 Bytes [53, 00, 2D]
PAGE ntkrnlpa.exe!RtlCopySid + 116 805E2FD2 1 Byte [31]
PAGE ...
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16 805E2FF4 32 Bytes [FC, 8B, 45, 08, 56, 89, 85, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 37 805E3015 182 Bytes [00, 57, 8D, 85, FC, FD, FF, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + EE 805E30CC 80 Bytes [76, 4A, EB, 09, 8D, 45, FA, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 13F 805E311D 47 Bytes [2B, 8D, 85, FC, FD, FF, FF, ...]
PAGE ntkrnlpa.exe!RtlConvertSidToUnicodeString + 16F 805E314D 44 Bytes [75, F1, 8D, 85, FC, FD, FF, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCopyLuid + B 805E31E5 94 Bytes [4D, 08, 89, 11, 8B, 40, 04, ...]
PAGE ntkrnlpa.exe!RtlCreateSecurityDescriptor + 1C 805E3244 51 Bytes [C0, 5F, EB, 05, B8, 58, 00, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 22 805E3278 105 Bytes [46, 04, 66, 85, 7E, 02, 74, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 8C 805E32E2 9 Bytes [84, C0, 74, 3F, 66, 8B, 46, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + 96 805E32EC 70 Bytes [75, 04, 33, F6, EB, 13, 66, ...]
PAGE ntkrnlpa.exe!RtlValidSecurityDescriptor + DD 805E3333 158 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + 9A 805E33D2 19 Bytes [74, 0C, 0F, B7, 49, 02, 83, ...]
PAGE ntkrnlpa.exe!RtlLengthSecurityDescriptor + AE 805E33E6 135 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 1A 805E346E 18 Bytes [80, E1, 04, 80, F9, 04, 0F, ...]
PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 2D 805E3481 43 Bytes [F6, C1, 04, 75, 04, 33, C9, ...]
PAGE ntkrnlpa.exe!RtlGetDaclSecurityDescriptor + 59 805E34AD 155 Bytes [5D, C2, 10, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlGetSaclSecurityDescriptor + 2B 805E3549 60 Bytes [48, 02, F6, C1, 10, 75, 04, ...]
PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 6 805E3586 15 Bytes [45, 08, 80, 38, 01, 74, 07, ...]
PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 16 805E3596 46 Bytes [48, 02, 84, ED, 79, 07, B8, ...]
PAGE ntkrnlpa.exe!RtlSetOwnerSecurityDescriptor + 46 805E35C6 17 Bytes [48, 02, 33, C0, 5D, C2, 0C, ...] {DEC EAX; ADD DH, [EBX]; RCR BYTE [EBP-0x3e], 0xc; ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP}
PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 4 805E35D8 14 Bytes [EC, 8B, 45, 08, 80, 38, 01, ...] {IN AL, DX ; MOV EAX, [EBP+0x8]; CMP BYTE [EAX], 0x1; JZ 0x10; MOV EAX, 0xc0000058}
PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 13 805E35E7 3 Bytes [28, F6, 40] {SUB DH, DH; INC EAX}
PAGE ntkrnlpa.exe!RtlGetOwnerSecurityDescriptor + 17 805E35EB 47 Bytes [80, 8B, 48, 04, 74, 06, 85, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 1 805E361B 34 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 24 805E363E 12 Bytes [55, 0C, 83, 60, 08, 00, 85, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 31 805E364B 9 Bytes [81, E1, FD, FF, 00, 00, 80, ...]
PAGE ntkrnlpa.exe!RtlSetGroupSecurityDescriptor + 3B 805E3655 60 Bytes [66, 89, 48, 02, 74, 07, 83, ...]
PAGE ntkrnlpa.exe!RtlGetGroupSecurityDescriptor + 24 805E3692 24 Bytes [55, 0C, 89, 0A, 8A, 40, 02, ...]
PAGE ntkrnlpa.exe!RtlGetGroupSecurityDescriptor + 3D 805E36AB 16 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE ntkrnlpa.exe!RtlAreAllAccessesGranted + C 805E36BC 91 Bytes [0C, F7, D8, 1A, C0, FE, C0, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + 34 805E3718 38 Bytes [71, 08, 0B, F2, 89, 30, 8B, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + 5B 805E373F 82 Bytes [FF, 55, 8B, EC, 53, 8B, 5D, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + AE 805E3792 8 Bytes [01, EB, 06, 8B, 45, 0C, 8B, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + B7 805E379B 92 Bytes [21, 07, 0F, B7, 46, 02, FF, ...]
PAGE ntkrnlpa.exe!RtlMapGenericMask + 114 805E37F8 67 Bytes [00, 00, 76, 4E, 89, 45, FC, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 60 805E3A3C 2 Bytes [75, DE] {JNZ 0xffffffffffffffe0}
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 63 805E3A3F 15 Bytes [40, 01, 3C, 0F, 77, D7, 0F, ...]
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 73 805E3A4F 5 Bytes [39, 45, 08, 72, C8] {CMP [EBP+0x8], EAX; JB 0xffffffffffffffcd}
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + 79 805E3A55 68 Bytes [7E, 08, 85, FF, 75, 08, F6, ...]
PAGE ntkrnlpa.exe!RtlValidRelativeSecurityDescriptor + BE 805E3A9A 43 Bytes [7E, 10, 85, FF, 74, 35, 8D, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlEqualSid + 1 805E3B5F 59 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...]
PAGE ntkrnlpa.exe!RtlEqualSid + 3D 805E3B9B 107 Bytes [FF, 55, 8B, EC, 81, EC, A0, ...]
PAGE ntkrnlpa.exe!RtlEqualSid + A9 805E3C07 16 Bytes [C6, 45, D5, 00, C6, 45, D6, ...] {MOV BYTE [EBP-0x2b], 0x0; MOV BYTE [EBP-0x2a], 0x0; MOV BYTE [EBP-0x29], 0x0; MOV BYTE [EBP-0x28], 0x0}
PAGE ntkrnlpa.exe!RtlEqualSid + BA 805E3C18 76 Bytes CALL 805E2E3D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlEqualSid + 107 805E3C65 42 Bytes [87, 76, 03, 00, 00, 83, 65, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlInitializeBitMap + C 805E5F28 42 Bytes [08, 8B, 4D, 0C, 89, 48, 04, ...]
PAGE ntkrnlpa.exe!RtlIntegerToChar + 1B 805E5F53 112 Bytes CALL C888D358
PAGE ntkrnlpa.exe!RtlIntegerToChar + 8C 805E5FC4 54 Bytes [88, 0E, 85, C0, 75, E0, 8D, ...]
PAGE ntkrnlpa.exe!RtlIntegerToChar + C3 805E5FFB 79 Bytes [7D, BC, 8B, D9, C1, E9, 02, ...]
PAGE ntkrnlpa.exe!RtlIntegerToChar + 113 805E604B 13 Bytes [CC, 6A, 0C, 68, 60, B1, 4D, ...] {INT 3 ; PUSH 0xc; PUSH 0x804db160; CALL 0xfffffffffff55b55}
PAGE ntkrnlpa.exe!RtlCharToInteger + D 805E6059 26 Bytes [75, 08, 8A, 1E, EB, 09, 46, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + 28 805E6074 9 Bytes [05, 80, FB, 2B, 75, 03, 8A, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + 32 805E607E 91 Bytes [7D, 0C, 85, FF, 75, 38, 6A, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + 8E 805E60DA 80 Bytes [6A, 04, EB, 06, 33, C9, EB, ...]
PAGE ntkrnlpa.exe!RtlCharToInteger + DF 805E612B 30 Bytes [D3, E2, 0B, D0, 8A, 06, 46, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 7 805E617B 15 Bytes CALL 8053BBA0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 17 805E618B 80 Bytes [5E, D1, EF, 74, 1A, 4F, 33, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 68 805E61DC 65 Bytes [75, 7A, 85, FF, 74, 46, 4F, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + AA 805E621E 213 Bytes [74, 08, 4F, 66, 8B, 02, 03, ...]
PAGE ntkrnlpa.exe!RtlUnicodeStringToInteger + 180 805E62F4 37 Bytes [CC, CC, CC, CC, CC, CC, 6A, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 20 805E631A 23 Bytes [74, 2A, 48, 48, 74, 21, 83, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 38 805E6332 3 Bytes JMP 805E6409 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 3C 805E6336 1 Byte [00]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 3C 805E6336 20 Bytes [00, 00, 6A, 04, EB, 02, 6A, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicode + 52 805E634C 29 Bytes [00, 33, FF, 85, FF, 74, 0C, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + D 805E642D 72 Bytes [56, 8B, 75, 10, 89, 45, FC, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + 56 805E6476 3 Bytes CALL 804EE1C9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + 5A 805E647A 75 Bytes [C9, C2, 0C, 00, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + A6 805E64C6 47 Bytes JMP 805E6633 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlIntegerToUnicodeString + D6 805E64F6 91 Bytes [8B, BD, 7C, FF, FF, FF, 3B, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 18 805E6838 18 Bytes [0C, 56, 8B, 75, 14, 89, 45, ...]
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 2B 805E684B 37 Bytes CALL 805E6482 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 51 805E6871 17 Bytes [D4, 6A, 00, 8D, 45, D4, 50, ...] {AAM 0x6a; ADD [EBP+0x5650d445], CL; CALL 0xffffffffffffba11; MOV ECX, [EBP-0x4]; POP ESI}
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 63 805E6883 3 Bytes CALL 804EE1C9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlInt64ToUnicodeString + 67 805E6887 124 Bytes [C9, C2, 10, 00, CC, CC, CC, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + A 805E6B06 17 Bytes [45, 00, 47, 00, 49, 00, 53, ...] {INC EBP; ADD [EDI+0x0], AL; DEC ECX; ADD [EBX+0x0], DL; PUSH ESP; ADD [EDX+0x0], DL; POP ECX; ADD [EAX+EAX+0x55], BL}
PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + 1C 805E6B18 7 Bytes [53, 00, 45, 00, 52, 00, 5C]
PAGE ntkrnlpa.exe!RtlGetNtGlobalFlags + 24 805E6B20 61 Bytes [00, 00, CC, CC, CC, CC, CC, ...]
PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 37 805E6B5F 4 Bytes [C0, 0F, 85, B7]
PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 3C 805E6B64 54 Bytes [00, 00, 8D, 45, A8, 50, 53, ...]
PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + 73 805E6B9B 68 Bytes [3B, DF, 7C, 7C, 8D, 45, A4, ...]
PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + B8 805E6BE0 15 Bytes [8B, 45, A4, 8B, 4E, 04, 66, ...] {MOV EAX, [EBP-0x5c]; MOV ECX, [ESI+0x4]; MOV [EBP-0x62], AX; MOVZX EAX, [ESI]; SHR EAX, 0x1}
PAGE ntkrnlpa.exe!RtlFormatCurrentUserKeyPath + C9 805E6BF1 66 Bytes [41, 57, FF, 75, AC, 89, 45, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 1 805E73A5 37 Bytes [FF, 55, 8B, EC, 83, EC, 3C, ...]
PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 27 805E73CB 151 Bytes [00, 89, 75, EC, 81, 65, EC, ...]
PAGE ntkrnlpa.exe!RtlQueryRegistryValues + BF 805E7463 141 Bytes [3B, 45, F0, 74, 0C, 50, E8, ...]
PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 14D 805E74F1 29 Bytes CALL 805002EE \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlQueryRegistryValues + 16B 805E750F 82 Bytes [80, 0F, 84, ED, 01, 00, 00, ...]
PAGE

06.08.2010, 07:50   #35
SchmerlenOtt

GMER part 3:

...
PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 37 805E77B5 27 Bytes CALL 80501084 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 53 805E77D1 1 Byte [C9]
PAGE ntkrnlpa.exe!RtlWriteRegistryValue + 53 805E77D1 3 Bytes [C9, C2, 18]
PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 5 805E77DF 1 Byte [8D]
PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 8 805E77E2 9 Bytes [50, 6A, 00, FF, 75, 0C, FF, ...] {PUSH EAX; PUSH 0x0; PUSH DWORD [EBP+0xc]; PUSH DWORD [EBP+0x8]}
PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 12 805E77EC 22 Bytes [E4, F4, FF, FF, 85, C0, 7C, ...]
PAGE ntkrnlpa.exe!RtlCheckRegistryKey + 2A 805E7804 139 Bytes [CC, CC, CC, CC, 8B, FF, 55, ...]
PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 54 805E7890 9 Bytes [5A, 00, 6F, 00, 6E, 00, 65, ...] {POP EDX; ADD [EDI+0x0], CH; OUTSB ; ADD [EBP+0x0], AH; DEC ECX}
PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 5E 805E789A 7 Bytes [6E, 00, 66, 00, 6F, 00, 72]
PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 66 805E78A2 28 Bytes [6D, 00, 61, 00, 74, 00, 69, ...]
PAGE ntkrnlpa.exe!RtlDeleteRegistryValue + 83 805E78BF 24 Bytes [75, 08, 68, 88, 78, 5E, 80, ...]
PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 2 805E78D8 6 Bytes [55, 8B, EC, 81, EC, F4]
PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + B 805E78E1 21 Bytes [53, 8D, 45, FC, 50, 33, DB, ...]
PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 21 805E78F7 49 Bytes [55, 08, 56, 57, 6A, 2B, 59, ...]
PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 53 805E7929 38 Bytes [50, FF, FF, FF, 8D, 4A, 44, ...]
PAGE ntkrnlpa.exe!RtlQueryTimeZoneInformation + 7A 805E7950 46 Bytes [48, FF, FF, FF, 89, 85, 64, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 5 805E7A03 1 Byte [51]
PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + A 805E7A08 13 Bytes CALL 805E78B4 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 18 805E7A16 22 Bytes [00, 53, 56, 57, 8B, 7D, 08, ...]
PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 2F 805E7A2D 41 Bytes CALL 805E777B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlSetTimeZoneInformation + 59 805E7A57 6 Bytes [75, FC, 56, E8, 1F, FD]
PAGE ...
PAGE ntkrnlpa.exe!RtlDecompressBuffer + 35 805E7C13 36 Bytes [14, 85, 78, F1, 67, 80, EB, ...]
PAGE ntkrnlpa.exe!RtlDecompressFragment + F 805E7C39 5 Bytes [74, 32, 66, 3D, 01]
PAGE ntkrnlpa.exe!RtlDecompressFragment + 15 805E7C3F 133 Bytes [74, 2C, A8, F0, 74, 07, B8, ...]
PAGE ntkrnlpa.exe!RtlReserveChunk + 1 805E7CC5 13 Bytes [FF, 55, 8B, EC, 33, C0, 8A, ...]
PAGE ntkrnlpa.exe!RtlReserveChunk + F 805E7CD3 153 Bytes [74, 29, 66, 3D, 01, 00, 74, ...]
PAGE ntkrnlpa.exe!RtlDecompressChunks + 61 805E7D6D 53 Bytes [00, 00, 8B, 45, 08, 8B, 75, ...]
PAGE ntkrnlpa.exe!RtlDecompressChunks + 97 805E7DA3 52 Bytes [83, E1, 03, 83, 65, 1C, 00, ...]
PAGE ntkrnlpa.exe!RtlDecompressChunks + CC 805E7DD8 80 Bytes [00, 8B, 45, 08, 53, FF, 75, ...]
PAGE ntkrnlpa.exe!RtlDecompressChunks + 11D 805E7E29 13 Bytes CALL 805E7BDD \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlDecompressChunks + 12B 805E7E37 83 Bytes [8B, 55, F0, 8B, 4D, 14, 3B, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCompressChunks + 16 805E7EE6 73 Bytes CALL AC4651EF
PAGE ntkrnlpa.exe!RtlCompressChunks + 60 805E7F30 23 Bytes [75, 06, 83, 65, FC, 00, EB, ...]
PAGE ntkrnlpa.exe!RtlCompressChunks + 78 805E7F48 52 Bytes JMP 0C04724F
PAGE ntkrnlpa.exe!RtlCompressChunks + AD 805E7F7D 12 Bytes [75, FC, 8B, 75, 14, 8B, 4D, ...]
PAGE ntkrnlpa.exe!RtlCompressChunks + BA 805E7F8A 52 Bytes [F8, 04, 89, 0A, 8B, 4D, 18, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 18 805E83E2 1 Byte [5D]
PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 18 805E83E2 46 Bytes CALL 0BC5441A
PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 47 805E8411 29 Bytes [8B, 45, F0, 83, C0, 02, 66, ...]
PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 65 805E842F 31 Bytes JMP 805E857E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlCreateSystemVolumeInformationFolder + 85 805E844F 82 Bytes [F3, A4, 66, 8B, 1B, 66, 89, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlFindMessage + 2 805E858C 43 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...]
PAGE ntkrnlpa.exe!RtlFindMessage + 2F 805E85B9 13 Bytes [85, C0, 7C, 3C, 6A, 00, 8D, ...] {TEST EAX, EAX; JL 0x40; PUSH 0x0; LEA EAX, [EBP+0x10]; PUSH EAX; PUSH DWORD [EBP+0xc]}
PAGE ntkrnlpa.exe!RtlFindMessage + 3D 805E85C7 20 Bytes CALL 805D8D8C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlFindMessage + 52 805E85DC 65 Bytes [04, 74, 14, 8B, 55, 14, 49, ...]
PAGE ntkrnlpa.exe!RtlStringFromGUID + 2 805E861E 252 Bytes [55, 8B, EC, 56, 8B, 75, 0C, ...]
PAGE ntkrnlpa.exe!RtlStringFromGUID + FF 805E871B 84 Bytes [EB, 53, 4E, 83, 7D, 08, 00, ...]
PAGE ntkrnlpa.exe!RtlStringFromGUID + 154 805E8770 237 Bytes [85, F6, 75, A9, 83, 45, FC, ...]
PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + C 805E885E 122 Bytes [00, 8B, 45, 08, 0F, B7, 00, ...]
PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + 88 805E88DA 30 Bytes [00, 8B, 35, 24, C7, 67, 80, ...]
PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + A7 805E88F9 10 Bytes [10, 0F, B7, C9, 03, C8, A1, ...]
PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + B2 805E8904 11 Bytes [0F, B7, 04, 48, EB, 0A, 8B, ...]
PAGE ntkrnlpa.exe!RtlIsValidOemCharacter + BE 805E8910 54 Bytes [0F, B7, 04, 41, 66, 8B, D0, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + D 805E8AB9 47 Bytes [56, 8B, 75, 0C, 89, 45, FC, ...]
PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 3D 805E8AE9 50 Bytes [8D, 75, E0, 89, 4D, E4, 66, ...]
PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 70 805E8B1C 10 Bytes [F9, 02, 75, 1C, 8B, 46, 04, ...] {STC ; ADD DH, [EBP+0x1c]; MOV EAX, [ESI+0x4]; CMP BYTE [EAX], 0x2e}
PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + 7B 805E8B27 94 Bytes [14, 80, 78, 01, 2E, 75, 0E, ...]
PAGE ntkrnlpa.exe!RtlIsNameLegalDOS8Dot3 + DA 805E8B86 168 Bytes [43, EB, 61, 80, F9, 80, 73, ...]
PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 1 805E8C2F 15 Bytes [FF, 55, 8B, EC, 83, EC, 30, ...]
PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 11 805E8C3F 33 Bytes [53, 8B, 5D, 10, 56, 89, 45, ...]
PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 33 805E8C61 18 Bytes [C6, 45, EB, 01, 75, 04, C6, ...]
PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 47 805E8C75 36 Bytes [66, 8B, 37, 83, 4D, E4, FF, ...]
PAGE ntkrnlpa.exe!RtlGenerate8dot3Name + 6C 805E8C9A 168 Bytes [75, D0, EB, 11, 66, 3D, 2E, ...]
PAGE ...
PAGE ntkrnlpa.exe!RtlLockBootStatusData + 19 805E9073 33 Bytes [00, 56, 89, 45, FC, 8D, 85, ...]
PAGE ntkrnlpa.exe!RtlLockBootStatusData + 3B 805E9095 13 Bytes [2B, F0, 56, 8D, 85, F8, FD, ...]
PAGE ntkrnlpa.exe!RtlLockBootStatusData + 49 805E90A3 21 Bytes CALL 8053B928 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlLockBootStatusData + 5F 805E90B9 21 Bytes CALL 8052E787 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlLockBootStatusData + 75 805E90CF 6 Bytes [56, 8D, 85, CC, FD, FF]
PAGE ...
PAGE ntkrnlpa.exe!RtlUnlockBootStatusData + 2 805E913A 28 Bytes [55, 8B, EC, 83, EC, 0C, 33, ...]
PAGE ntkrnlpa.exe!RtlUnlockBootStatusData + 1F 805E9157 40 Bytes [75, 08, 89, 45, FC, E8, 6B, ...]
PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + 2 805E9180 201 Bytes [55, 8B, EC, 83, EC, 44, 53, ...]
PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + CC 805E924A 38 Bytes CALL 80500B84 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlGetSetBootStatusData + F3 805E9271 6 Bytes [CC, CC, CC, CC, CC, 8B]
PAGE ntkrnlpa.exe!RtlGetVersion + 2 805E9278 7 Bytes [55, 8B, EC, A1, 98, A8, 55]
PAGE ntkrnlpa.exe!RtlGetVersion + A 805E9280 19 Bytes [56, 8B, 75, 08, 89, 46, 04, ...]
PAGE ntkrnlpa.exe!RtlGetVersion + 1E 805E9294 67 Bytes [25, FF, 3F, 00, 00, 81, 3E, ...]
PAGE ntkrnlpa.exe!RtlGetVersion + 62 805E92D8 84 Bytes CALL 805EAD8D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntkrnlpa.exe!RtlNtStatusToDosError + 2D 805E932D 26 Bytes [4D, FC, FF, FF, 75, 08, E8, ...]
PAGE ntkrnlpa.exe!RtlRandom + 2 805E9348 13 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...]
PAGE ntkrnlpa.exe!RtlRandom + 10 805E9356 86 Bytes [FF, 7F, 57, B9, C3, FF, FF, ...]
PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + 15 805E93AD 145 Bytes [2F, 71, F4, FF, 8B, 45, 08, ...]
PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + A9 805E9441 5 Bytes [8B, 07, 3B, 03, 0F]
PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + AF 805E9447 32 Bytes [66, 01, 00, 00, B0, 01, E9, ...]
PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + D0 805E9468 30 Bytes [0F, 84, 43, 01, 00, 00, 66, ...]
PAGE ntkrnlpa.exe!RtlTimeToElapsedTimeFields + EF 805E9487 7 Bytes [89, 45, F0, 0F, 85, D7, 00]
PAGE ...
PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 4B 805EBB61 8 Bytes [5D, FC, 80, 7D, 0C, 00, 75, ...] {POP EBP; CLD ; CMP BYTE [EBP+0xc], 0x0; JNZ 0x56}
PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 54 805EBB6A 29 Bytes [75, D0, 83, 65, D0, 03, 74, ...]
PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 72 805EBB88 27 Bytes [7C, 5B, FD, 8D, 3C, BD, 10, ...]
PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + 8E 805EBBA4 41 Bytes [03, FE, 3B, FE, 72, 08, 3B, ...]
PAGE ntkrnlpa.exe!NtAdjustPrivilegesToken + B8 805EBBCE 1 Byte [39]
PAGE ...
PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 66 805EBF24 41 Bytes [FE, 74, 1D, 6A, 04, FF, 75, ...]
PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 91 805EBF4F 4 Bytes [8B, 00, 89, 45]
PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 96 805EBF54 61 Bytes [33, C0, 40, C3, 8B, 65, E8, ...]
PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + D4 805EBF92 73 Bytes [00, 89, 45, C4, 3B, C6, 0F, ...]
PAGE ntkrnlpa.exe!ZwAdjustGroupsToken + 11E 805EBFDC 10 Bytes [89, 45, BC, 33, C0, 40, C3, ...] {MOV [EBP-0x44], EAX; XOR EAX, EAX; INC EAX; RET ; MOV ESP, [EBP-0x18]}
PAGE ...
? spjb.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8A368AC 5 Bytes JMP 8A8F01D8
.rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xBA0D5094]
.text win32k.sys!EngSetLastError + 34D5 BF81FE00 3 Bytes JMP BF81FECE \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetLastError + 34D9 BF81FE04 1 Byte [00]
.text win32k.sys!EngSetLastError + 34D9 BF81FE04 18 Bytes [00, 00, 8B, 45, 08, F6, 40, ...]
.text win32k.sys!EngSetLastError + 34EC BF81FE17 5 Bytes [50, E8, 12, D4, 04]
.text win32k.sys!EngSetLastError + 34F2 BF81FE1D 209 Bytes [0F, B7, C0, EB, 20, 90, 90, ...]
.text ...
.text win32k.sys!CLIPOBJ_bEnum + 51 BF824343 11 Bytes JMP 8D3A8B04
.text win32k.sys!CLIPOBJ_bEnum + 5D BF82434F 88 Bytes [00, 00, 2B, D7, 8B, 7A, 04, ...]
.text win32k.sys!CLIPOBJ_bEnum + B6 BF8243A8 61 Bytes [8B, 51, 30, A5, A5, A5, A5, ...]
.text win32k.sys!CLIPOBJ_bEnum + F4 BF8243E6 81 Bytes [3E, 89, 51, 44, EB, E8, 8B, ...]
.text win32k.sys!CLIPOBJ_bEnum + 146 BF824438 43 Bytes [C1, EB, ED, 83, C0, FC, 8B, ...]
.text ...
.text win32k.sys!EngLpkInstalled + 1 BF825866 12 Bytes [0D, BC, 7B, 9A, BF, 33, C0, ...]
.text win32k.sys!EngLpkInstalled + E BF825873 20 Bytes [0F, 95, C0, C3, 90, 90, 90, ...]
.text win32k.sys!EngLpkInstalled + 23 BF825888 137 Bytes [91, B0, 00, 00, 00, 89, 10, ...]
.text win32k.sys!EngLpkInstalled + AD BF825912 27 Bytes [81, F9, FF, 00, 00, 00, 74, ...]
.text win32k.sys!EngLpkInstalled + C9 BF82592E 32 Bytes [40, EB, F9, 90, 90, 90, 90, ...]
.text ...
.text win32k.sys!EngBitBlt + 42 BF827284 101 Bytes [47, 1C, 52, 52, 51, 8D, 4D, ...]
.text win32k.sys!EngBitBlt + A8 BF8272EA 38 Bytes [3D, 55, 55, 00, 00, 0F, 84, ...]
.text win32k.sys!EngBitBlt + CF BF827311 8 Bytes [FF, 75, 1C, 57, E8, 3C, 1D, ...]
.text win32k.sys!EngBitBlt + D8 BF82731A 27 Bytes [33, C0, 40, 5F, 5E, 5B, C9, ...]
.text win32k.sys!EngBitBlt + F4 BF827336 2 Bytes [45, 1C]
.text ...
.text win32k.sys!EngPaint + 2 BF8281DD 78 Bytes [55, 8B, EC, 8B, 45, 18, 8B, ...]
.text win32k.sys!EngPaint + 51 BF82822C 5 Bytes [90, 90, 90, 90, 90] {NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!EngPaint + 57 BF828232 62 Bytes [FF, 55, 8B, EC, 56, 8B, F1, ...]
.text win32k.sys!EngPaint + 96 BF828271 9 Bytes [8B, F0, 85, F6, 74, 24, 83, ...]
.text win32k.sys!EngPaint + A0 BF82827B 69 Bytes [74, CF, FF, 75, 08, 56, E8, ...]
.text ...
.text win32k.sys!EngCopyBits + 1 BF838873 63 Bytes [FF, 55, 8B, EC, 81, EC, FC, ...]
.text win32k.sys!EngCopyBits + 41 BF8388B3 20 Bytes [83, 65, 0C, 00, F6, 40, 4A, ...]
.text win32k.sys!EngCopyBits + 56 BF8388C8 11 Bytes [75, 1C, FF, 75, 18, 57, FF, ...] {JNZ 0x1e; PUSH DWORD [EBP+0x18]; PUSH EDI; PUSH DWORD [EBP+0x10]; PUSH EBX; PUSH ESI}
.text win32k.sys!EngCopyBits + 62 BF8388D4 11 Bytes [55, 08, 8B, D8, 8D, 4D, 0C, ...]
.text win32k.sys!EngCopyBits + 6E BF8388E0 39 Bytes [8B, C3, 5F, 5E, 5B, C9, C2, ...]
.text ...
.text win32k.sys!EngLockSurface + 1 BF8393CA 11 Bytes [FF, 55, 8B, EC, 51, 83, 65, ...]
.text win32k.sys!EngLockSurface + D BF8393D6 9 Bytes CALL BF8137EF \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLockSurface + 17 BF8393E0 44 Bytes [75, FC, 85, F6, 74, 1A, 57, ...]
.text win32k.sys!EngLockSurface + 44 BF83940D 59 Bytes [EC, 8B, 55, 14, 53, 8B, 5D, ...]
.text win32k.sys!EngLockSurface + 80 BF839449 73 Bytes [D1, 85, C0, 74, 12, 50, E8, ...]
.text ...
.text win32k.sys!EngMapFontFileFD + 22 BF83CA6E 33 Bytes [EC, 8B, 45, 08, 85, C0, 74, ...]
.text win32k.sys!EngMapFontFileFD + 44 BF83CA90 3 Bytes [F8, 89, 7D]
.text win32k.sys!EngMapFontFileFD + 48 BF83CA94 31 Bytes JMP BF83CB5C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMapFontFileFD + 68 BF83CAB4 233 Bytes [6A, 02, 8D, 4D, 08, 51, 8D, ...]
.text win32k.sys!EngMapFontFileFD + 152 BF83CB9E 58 Bytes [FF, 6A, 02, 68, 00, 00, 40, ...]
.text ...
.text win32k.sys!EngUnmapFontFileFD + 4 BF83CC6B 59 Bytes [EC, 83, EC, 20, 53, FF, 35, ...]
.text win32k.sys!EngUnmapFontFileFD + 40 BF83CCA7 8 Bytes [8D, 45, E0, 50, E8, 78, 85, ...]
.text win32k.sys!EngUnmapFontFileFD + 49 BF83CCB0 8 Bytes [EB, F1, 85, C9, 0F, 84, 2E, ...]
.text win32k.sys!EngUnmapFontFileFD + 53 BF83CCBA 64 Bytes [F6, C1, 01, 0F, 85, 25, 03, ...]
.text win32k.sys!EngUnmapFontFileFD + 94 BF83CCFB 53 Bytes [4D, 0C, 85, C9, 0F, 84, A5, ...]
.text ...
.text win32k.sys!EngCreateBitmap + 1B BF83DA49 72 Bytes CALL BF814219 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateBitmap + 64 BF83DA92 89 Bytes [1D, 8B, 55, 10, 8B, 4D, 0C, ...]
.text win32k.sys!EngCreateBitmap + BE BF83DAEC 140 Bytes CALL BF83D997 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateBitmap + 14B BF83DB79 28 Bytes [55, 8B, EC, 83, EC, 14, 53, ...]
.text win32k.sys!EngCreateBitmap + 168 BF83DB96 17 Bytes [00, 00, 39, 43, 0C, 0F, 85, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[644] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[644] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 00E5000A
.text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[3208] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 0099000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spjb.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spjb.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spjb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spjb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spjb.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A93B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)

Device \FileSystem\MacOpen \MacOpenCd 8A8CE1F8
Device \FileSystem\MacOpen \MacOpen 8A8CE1F8
Device \Driver\usbstor \Device\0000009b 89D91388
Device \Driver\usbstor \Device\0000009c 89D91388

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbstor \Device\0000009d 89D91388
Device \Driver\usbstor \Device\0000009e 89D91388
Device \Driver\usbuhci \Device\USBPDO-0 8A6491F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8C31F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A8C31F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A8C31F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A8C31F8
Device \Driver\usbuhci \Device\USBPDO-1 8A6491F8
Device \Driver\usbuhci \Device\USBPDO-2 8A6491F8
Device \Driver\usbehci \Device\USBPDO-3 8A6021F8
Device \Driver\usbuhci \Device\USBPDO-4 8A6491F8

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbuhci \Device\USBPDO-5 8A6491F8
Device \Driver\usbuhci \Device\USBPDO-6 8A6491F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8A41F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device \Driver\usbehci \Device\USBPDO-7 8A6021F8
Device \Driver\Cdrom \Device\CdRom0 8A4FC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8A41F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8A41F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-2f [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-10 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-1c [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-24 [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-3a [B9DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A8A41F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume5 8A8A41F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume6 8A8A41F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpm147.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 89EBD500
Device \Driver\NetBT \Device\NetbiosSmb 89EBD500

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\NetBT \Device\NetBT_Tcpip_{69F97877-8014-439F-9E28-C81CEEA5E4DA} 89EBD500
Device \Driver\usbuhci \Device\USBFDO-0 8A6491F8
Device \Driver\usbstor \Device\00000099 89D91388
Device \Driver\usbuhci \Device\USBFDO-1 8A6491F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E27500
Device \Driver\usbuhci \Device\USBFDO-2 8A6491F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E27500
Device \Driver\usbehci \Device\USBFDO-3 8A6021F8
Device \Driver\usbuhci \Device\USBFDO-4 8A6491F8
Device \Driver\Ftdisk \Device\FtControl 8A8A41F8
Device \Driver\usbuhci \Device\USBFDO-5 8A6491F8
Device \Driver\usbuhci \Device\USBFDO-6 8A6491F8
Device \Driver\usbehci \Device\USBFDO-7 8A6021F8
Device \Driver\usbstor \Device\0000009a 89D91388

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \FileSystem\Fastfat \Fat 874A71F8
Device \FileSystem\Fastfat \Fat A258C297

AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89E37500
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A530EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@LicenseKey H5D0-56B3-DA23-009B
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@NumberOfcdroms 3
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ServiceBinary C:\WINDOWS\system32\drivers\vbev5mp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Group SCSI Miniport
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ImagePath System32\Drivers\vbev5mp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Start 1
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp@Tag 66
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Error (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Error@
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Result (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\DrvInstaller\Result@ 0
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@0 ROOT\SCSIADAPTER\0000
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@Count 1
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\Enum@NextInstance 1
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters\pnpinterface (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vbev5mp\parameters\pnpinterface@1 1
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@LicenseKey H5D0-56B3-DA23-009B
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@NumberOfcdroms 3
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ServiceBinary C:\WINDOWS\system32\drivers\vbev5mp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Group SCSI Miniport
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ImagePath System32\Drivers\vbev5mp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp@Tag 66
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Error (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Error@
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Result (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\DrvInstaller\Result@ 0
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@0 ROOT\SCSIADAPTER\0000
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@Count 1
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\Enum@NextInstance 1
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters\pnpinterface (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vbev5mp\parameters\pnpinterface@1 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


06.08.2010, 07:52   #36
SchmerlenOtt

Another question: can/may I uninstall ComboFix again?

06.08.2010, 11:15   #37
markusg
/// Malware-holic

Not yet, we'll do that at the end.
So, now let's get going :-)
Kaspersky TDSS Killer
"Wie werden Schadprogramme der Familie Rootkit.Win32.TDSS bekämpft?" (How are malicious programs of the Rootkit.Win32.TDSS family combated?)
Run it, post the log.

06.08.2010, 12:05   #38
SchmerlenOtt

OK. With the default setting "cure", I assume!?

06.08.2010, 12:12   #39
markusg
/// Malware-holic

Yes, exactly.

06.08.2010, 12:13   #40
SchmerlenOtt

Here is the TDSSKiller report:

2010/08/06 13:06:04.0765 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/06 13:06:04.0765 ================================================================================
2010/08/06 13:06:04.0765 SystemInfo:
2010/08/06 13:06:04.0765
2010/08/06 13:06:04.0765 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/06 13:06:04.0765 Product type: Workstation
2010/08/06 13:06:04.0765 ComputerName: XXXXXXX
2010/08/06 13:06:04.0765 UserName: xxxxxxx xxx
2010/08/06 13:06:04.0765 Windows directory: C:\WINDOWS
2010/08/06 13:06:04.0765 System windows directory: C:\WINDOWS
2010/08/06 13:06:04.0765 Processor architecture: Intel x86
2010/08/06 13:06:04.0765 Number of processors: 2
2010/08/06 13:06:04.0765 Page size: 0x1000
2010/08/06 13:06:04.0765 Boot type: Normal boot
2010/08/06 13:06:04.0765 ================================================================================
2010/08/06 13:06:05.0625 Initialize success
2010/08/06 13:06:15.0171 ================================================================================
2010/08/06 13:06:15.0171 Scan started
2010/08/06 13:06:15.0171 Mode: Manual;
2010/08/06 13:06:15.0171 ================================================================================
2010/08/06 13:06:16.0265 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 13:06:16.0328 ACPIEC (9e1ca3160dafb159ca14f83b1e317f75) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/06 13:06:16.0421 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/06 13:06:16.0468 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/06 13:06:16.0703 AnyDVD (82ce157ff3701ab50769b2654d0b0215) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2010/08/06 13:06:16.0750 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/06 13:06:16.0890 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/06 13:06:16.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/06 13:06:17.0015 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/06 13:06:17.0093 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/06 13:06:17.0125 AVMCOWAN (0bcb6b3df2e248c8e8f2ffc6f58d1341) C:\WINDOWS\system32\DRIVERS\AVMCOWAN.sys
2010/08/06 13:06:17.0156 AVMWAN (c997af59c54d69232fb7bbea4dad86e2) C:\WINDOWS\system32\DRIVERS\avmwan.sys
2010/08/06 13:06:17.0171 bdfm (ced6717bd8b67284afcf692b9316b464) C:\WINDOWS\system32\drivers\bdfm.sys
2010/08/06 13:06:17.0234 bdfsfltr (70975049e22b2efec260816cf505e6e7) C:\WINDOWS\system32\drivers\bdfsfltr.sys
2010/08/06 13:06:17.0343 bdftdif (a7bdb1958d9b8245a0ba83f46abb630c) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Firewall\bdftdif.sys
2010/08/06 13:06:17.0359 BDSelfPr (5eaf583c0b1cc2499761ea3b065f5db2) C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys
2010/08/06 13:06:17.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/06 13:06:17.0484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/06 13:06:17.0562 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/06 13:06:17.0625 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/06 13:06:17.0687 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/06 13:06:17.0906 cxbu0wdm (ee1d91022fc0df4f0434ec11c65e6649) C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys
2010/08/06 13:06:18.0015 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/06 13:06:18.0078 dmboot (0dcfc8395a99fecbb1ef771cec7fe4ea) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/06 13:06:18.0156 dmio (53720ab12b48719d00e327da470a619a) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/06 13:06:18.0187 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/06 13:06:18.0281 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/06 13:06:18.0343 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/06 13:06:18.0390 dsltestSp5 (c6b2e10cfe79169c72f0269087b9a603) C:\WINDOWS\system32\Drivers\dsltestSp5.sys
2010/08/06 13:06:18.0437 E1000 (4de4bae4accb5a49fa85801d4f226355) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2010/08/06 13:06:18.0484 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/08/06 13:06:18.0531 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
2010/08/06 13:06:18.0578 ElbyCDIO (309ac30471a0f1c3a89dee1c81230576) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2010/08/06 13:06:18.0625 ENUM1394 (80d1b490b60e74e002dc116ec5d41748) C:\WINDOWS\system32\DRIVERS\enum1394.sys
2010/08/06 13:06:18.0687 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/06 13:06:18.0718 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/06 13:06:18.0781 Fips (b0678a548587c5f1967b0d70bacad6c1) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/06 13:06:18.0828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/06 13:06:18.0875 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/06 13:06:18.0953 fpcibase (25baa9e7e21ca204b3202637c4f0d44e) C:\WINDOWS\system32\DRIVERS\fpcibase.sys
2010/08/06 13:06:19.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/06 13:06:19.0046 Ftdisk (8f1955ce42e1484714b542f341647778) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/06 13:06:19.0140 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/06 13:06:19.0171 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/06 13:06:19.0218 HECI (cc2c8c23417cc7ddf5eddb17e60a14db) C:\WINDOWS\system32\DRIVERS\HECI.sys
2010/08/06 13:06:19.0281 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/06 13:06:19.0406 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/06 13:06:19.0562 i8042prt (e283b97cfbeb86c1d86baed5f7846a92) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/06 13:06:19.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/06 13:06:19.0781 intelppm (4c7d2750158ed6e7ad642d97bffae351) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/06 13:06:19.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/06 13:06:19.0875 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/06 13:06:19.0921 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/06 13:06:19.0968 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/06 13:06:20.0000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 13:06:20.0046 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2010/08/06 13:06:20.0078 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/06 13:06:20.0156 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2010/08/06 13:06:20.0203 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys
2010/08/06 13:06:20.0281 isapnp (6dfb88f64135c525433e87648bda30de) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/06 13:06:20.0328 Kbdclass (1704d8c4c8807b889e43c649b478a452) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/06 13:06:20.0375 kbdhid (b6d6c117d771c98130497265f26d1882) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/06 13:06:20.0437 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/06 13:06:20.0468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/06 13:06:20.0562 MacOpen (f1d23f78dcd65c8132c908b1e72e9143) C:\WINDOWS\system32\drivers\MacOpen.sys
2010/08/06 13:06:20.0625 MagicTune (f627e9da4d3d8dc05a15b68944302f14) C:\WINDOWS\system32\drivers\MTiCtwl.sys
2010/08/06 13:06:20.0687 MaxtorFrontPanel1 (dad2801f46631b625fb4fb37265fbe6e) C:\WINDOWS\system32\DRIVERS\mxofwfp.sys
2010/08/06 13:06:20.0750 MLPTDR_B (124aaf5d2a58e00c05019b0fb77c0966) C:\WINDOWS\system32\MLPTDR_B.sys
2010/08/06 13:06:20.0812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/06 13:06:20.0875 Modem (6fb74ebd4ec57a6f1781de3852cc3362) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/06 13:06:20.0937 motmodem (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2010/08/06 13:06:20.0984 Mouclass (b24ce8005deab254c0251e15cb71d802) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/06 13:06:21.0015 mouhid (66a6f73c74e1791464160a7065ce711a) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/06 13:06:21.0062 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/06 13:06:21.0156 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/06 13:06:21.0203 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/06 13:06:21.0265 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/06 13:06:21.0312 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/06 13:06:21.0375 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/06 13:06:21.0421 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/06 13:06:21.0500 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/06 13:06:21.0562 MTXPAR (0f83a76c82d5b9f672b33923759b2b12) C:\WINDOWS\system32\DRIVERS\MTXPARM.sys
2010/08/06 13:06:21.0703 MTXPARH (6dda78a0be692b61b668fab860f276cf) C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys
2010/08/06 13:06:21.0734 Mtxparmx (a9948d5ed30db457ff92239802d97e34) C:\WINDOWS\system32\DRIVERS\Mtxparmx.sys
2010/08/06 13:06:21.0765 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/06 13:06:21.0812 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/06 13:06:21.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/06 13:06:21.0890 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/06 13:06:21.0921 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/06 13:06:21.0968 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/06 13:06:22.0000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/06 13:06:22.0046 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/06 13:06:22.0093 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/06 13:06:22.0140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/06 13:06:22.0187 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/06 13:06:22.0265 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/06 13:06:22.0312 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/06 13:06:22.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/06 13:06:22.0390 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/06 13:06:22.0437 Parport (f84785660305b9b903fb3bca8ba29837) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/06 13:06:22.0468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/06 13:06:22.0531 ParVdm (c2bf987829099a3eaa2ca6a0a90ecb4f) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/06 13:06:22.0593 PCANDIS5 (d0084a9ade989fe703e4f22171f4e4dc) C:\PROGRA~1\GEMEIN~1\T-Com\DSLCheck\PCANDIS5.SYS
2010/08/06 13:06:22.0640 PCI (387e8dedc343aa2d1efbc30580273acd) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/06 13:06:22.0718 PCIIde (59ba86d9a61cbcf4df8e598c331f5b82) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/06 13:06:22.0781 Pcmcia (a2a966b77d61847d61a3051df87c8c97) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/06 13:06:23.0171 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/06 13:06:23.0203 Processor (2cb55427c58679f49ad600fccba76360) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/06 13:06:23.0265 Profos (1bfe86c679a43994e36e623fb6898cdb) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\profos.sys
2010/08/06 13:06:23.0312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/06 13:06:23.0343 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/06 13:06:23.0421 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/06 13:06:23.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/06 13:06:23.0750 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2010/08/06 13:06:23.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/06 13:06:23.0843 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/06 13:06:23.0906 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/06 13:06:23.0968 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/06 13:06:24.0000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/06 13:06:24.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/06 13:06:24.0156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/06 13:06:24.0234 redbook (ed761d453856f795a7fe056e42c36365) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/06 13:06:24.0312 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/08/06 13:06:24.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/06 13:06:24.0406 Sentinel (7e5c2c58fc4e3862e7bf88bfb809a9b0) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2010/08/06 13:06:24.0484 serenum (5944622925d74268228222298e14dcaa) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 13:06:24.0609 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/08/06 13:06:24.0656 sfng32 (76bd55922b3179fa7b5bd528839e6fb4) C:\WINDOWS\system32\drivers\sfng32.sys
2010/08/06 13:06:24.0718 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys
2010/08/06 13:06:24.0828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/08/06 13:06:24.0875 sptd - detected Locked file (1)
2010/08/06 13:06:24.0906 sr (50fa898f8c032796d3b1b9951bb5a90f) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/06 13:06:24.0937 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/06 13:06:25.0062 STHDA (527fd7d6919734c2a61c8aa3d5740e61) C:\WINDOWS\system32\drivers\sthda.sys
2010/08/06 13:06:25.0140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/06 13:06:25.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/06 13:06:25.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/06 13:06:25.0500 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys
2010/08/06 13:06:25.0546 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys
2010/08/06 13:06:25.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/06 13:06:25.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/06 13:06:25.0718 tdrpman147 (be7b1a73272648622b39be3c610e3ca0) C:\WINDOWS\system32\DRIVERS\tdrpm147.sys
2010/08/06 13:06:25.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/06 13:06:25.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/06 13:06:25.0906 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2010/08/06 13:06:25.0953 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys
2010/08/06 13:06:26.0078 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Threat Scanner\trufos.sys
2010/08/06 13:06:26.0125 TSMPacket (7c1367bff5587cf49c0ed2e664f6eac0) C:\WINDOWS\system32\DRIVERS\tsmpkt.sys
2010/08/06 13:06:26.0187 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Programme\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2010/08/06 13:06:26.0234 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/06 13:06:26.0343 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys
2010/08/06 13:06:26.0390 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/06 13:06:26.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/06 13:06:26.0468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/06 13:06:26.0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/06 13:06:26.0546 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/06 13:06:26.0578 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/06 13:06:26.0625 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/06 13:06:26.0703 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2010/08/06 13:06:26.0734 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/06 13:06:26.0812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/06 13:06:26.0859 VClone (9bf2ea54e5ed5acdf96f1dec84c117c4) C:\WINDOWS\system32\DRIVERS\VClone.sys
2010/08/06 13:06:26.0937 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/06 13:06:27.0046 VolSnap (a5a712f4e880874a477af790b5186e1d) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/06 13:06:27.0093 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2010/08/06 13:06:27.0140 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2010/08/06 13:06:27.0156 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
2010/08/06 13:06:27.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/06 13:06:27.0296 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/06 13:06:27.0390 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/06 13:06:27.0437 WinDriver6 (2c7d830e86b378771af5dafeae428a09) C:\WINDOWS\system32\drivers\windrvr6.sys
2010/08/06 13:06:27.0531 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/06 13:06:27.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/06 13:06:27.0843 ================================================================================
2010/08/06 13:06:27.0843 Scan finished
2010/08/06 13:06:27.0843 ================================================================================
2010/08/06 13:06:27.0859 Detected object count: 2
2010/08/06 13:07:53.0906 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:07:53.0906 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:07:55.0125 Backup copy found, using it..
2010/08/06 13:07:55.0140 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot
2010/08/06 13:07:55.0140 Rootkit.Win32.TDSS.tdl3(Serial) - User select action: Cure
2010/08/06 13:07:55.0140 Locked file(sptd) - User select action: Skip
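
Added example, not part of this thread and not code from GMER or Kaspersky: a Python script that reads the "---- Files ----" section of the GMER log above together with the TDSSKiller output in this post and lines the two up by path. It pulls the Real/Fake MD5 pair out of the "Suspicious file (Forged)" line (TDSSKiller prints two hashes when a driver's contents come out differently depending on how it is read, which is how TDL3 hides the system driver it infected), links the "- detected" verdict back to the file through the service name, and lists which paths both tools flagged. The embedded log lines are constructed from the excerpts in this thread; the names parse_gmer_files, parse_tdss, correlate and both_flagged are my own.

```python
# Added example: correlate GMER "Files" findings with TDSSKiller "Suspicious
# file" lines. Helper names are my own; sample logs are constructed from the thread.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

GMER_LOG = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

TDSS_LOG = r"""
2010/08/06 13:06:16.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/06 13:06:24.0546 Serial (ab6aa911ad51766e28c1339464809699) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 13:06:24.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: ab6aa911ad51766e28c1339464809699, Fake md5: cf24eb4f0412c82bcd1f4f35a025e31d
2010/08/06 13:06:24.0546 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 13:06:24.0875 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 13:06:24.0875 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/08/06 13:06:24.0875 sptd - detected Locked file (1)
"""

# GMER: "File <path> <verdict>"; the verdict is lower-case words, so the lazy
# path match stops in front of it even when the path contains spaces.
GMER_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<note>[a-z][a-z ]*)$")
# TDSSKiller driver listing: "<date> <time> <service> (<md5>) <path>".
TDSS_LIST_RE = re.compile(r"^\S+ \S+ (?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Forged" lines carry a Real/Fake hash pair, "NoAccess" lines a single hash.
TDSS_SUSP_RE = re.compile(
    r"Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. "
    r"(?:Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
    r"|md5: (?P<md5>[0-9a-f]{32}))$"
)
# Verdict lines name the service, not the path; resolved through TDSS_LIST_RE.
TDSS_DETECT_RE = re.compile(r"^\S+ \S+ (?P<svc>\S+) - detected (?P<verdict>.+?) \(\d+\)$")


@dataclass
class Finding:
    path: str
    gmer_note: Optional[str] = None  # GMER verdict, if GMER listed the file
    tdss_kind: Optional[str] = None  # "Forged", "NoAccess", ...
    real_md5: Optional[str] = None   # TDSSKiller's "Real md5" (or its only hash)
    fake_md5: Optional[str] = None   # TDSSKiller's "Fake md5", Forged files only
    verdict: Optional[str] = None    # e.g. "Rootkit.Win32.TDSS.tdl3", "Locked file"


def parse_gmer_files(text: str) -> Dict[str, str]:
    """Lower-cased path -> GMER verdict for every 'File ...' line."""
    out: Dict[str, str] = {}
    for line in map(str.strip, text.splitlines()):
        m = GMER_FILE_RE.match(line)
        if m:
            out[m["path"].lower()] = m["note"]
    return out


def parse_tdss(text: str) -> Dict[str, dict]:
    """Lower-cased path -> {kind, real_md5, fake_md5, verdict}, flagged files only."""
    svc_to_path: Dict[str, str] = {}
    flagged: Dict[str, dict] = {}
    for line in map(str.strip, text.splitlines()):
        m = TDSS_LIST_RE.match(line)
        if m:  # remember service -> path so a later verdict line can be resolved
            svc_to_path[m["svc"].lower()] = m["path"].lower()
            continue
        m = TDSS_SUSP_RE.search(line)
        if m:
            entry = flagged.setdefault(m["path"].lower(), {})
            entry.update(kind=m["kind"], real_md5=m["real"] or m["md5"], fake_md5=m["fake"])
            continue
        m = TDSS_DETECT_RE.match(line)
        if m and m["svc"].lower() in svc_to_path:
            flagged.setdefault(svc_to_path[m["svc"].lower()], {})["verdict"] = m["verdict"]
    return flagged


def correlate(gmer_text: str, tdss_text: str) -> Dict[str, Finding]:
    """Merge both tools' findings into one Finding per lower-cased path."""
    findings: Dict[str, Finding] = {}
    for path, note in parse_gmer_files(gmer_text).items():
        findings.setdefault(path, Finding(path)).gmer_note = note
    for path, info in parse_tdss(tdss_text).items():
        f = findings.setdefault(path, Finding(path))
        f.tdss_kind, f.verdict = info.get("kind"), info.get("verdict")
        f.real_md5, f.fake_md5 = info.get("real_md5"), info.get("fake_md5")
    return findings


def both_flagged(findings: Dict[str, Finding]) -> List[str]:
    """Paths that GMER and TDSSKiller reported independently, sorted."""
    return sorted(p for p, f in findings.items() if f.gmer_note and f.tdss_kind)


if __name__ == "__main__":
    found = correlate(GMER_LOG, TDSS_LOG)
    for path, f in sorted(found.items()):
        print(path, f.gmer_note, f.tdss_kind, f.real_md5, f.fake_md5, f.verdict)
    print("flagged by both:", both_flagged(found))
```

On this log the only path both tools agree on is serial.sys. GMER's hit on atapi.sys has no TDSSKiller counterpart, and the script leaves that disagreement visible instead of resolving it. sptd.sys appears only as "NoAccess"/"Locked file": that is the SCSI Pass Through Direct driver that Daemon Tools and Alcohol 120% install, and it is known for protecting itself against being read, so the locked-file entry is about access, not a malware signature; skipping it, as done above, is the usual choice.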

06.08.2010, 12:16   #41
SchmerlenOtt

Firefox has just opened a page called "texasboy" on its own, unwanted/automatically ...
Reboot not done yet.
Should I do it now?

06.08.2010, 12:25   #42
markusg
/// Malware-holic

Yes, unless of course you like the ads so much that you don't want to get rid of them at all *g*

06.08.2010, 12:27   #43
SchmerlenOtt

Will do – I'm not
Back in a bit.

06.08.2010, 12:41   #44
SchmerlenOtt

Reboot done.
Lying in wait to see what Firefox does now ...

Last edited by SchmerlenOtt (06.08.2010 at 12:53)

06.08.2010, 12:52   #45
SchmerlenOtt

During the scan, Kaspersky's TDSSKiller had identified one object that is still being flagged:
[IMG]www.sach-fach.de/fordownloads/Screenshot%20Kasp1.jpg[/IMG]
(attached image: screenshot-kasp1.jpg)
