| theexciter | 01.12.2012 10:43 |
Windows 7 32bit - GVU Trojaner 11.3 - Trojan.Wheelsof.gen
Hi,
habe hier ein Win7 32bit System auf dem sich schon zum 2x mal ein GVU-Trojaner eingeschlichen hat (trotz installiertem Avast) :-(
Der erste GVU-Trojaner hat sich im Juli eingeschlichen, und wurde mit Hilfe von mwav und Malwarebytes entfernt....
Nun ist laut Bildinfo von forum.botfrei.de der GVU Trojaner 1.13 drauf (gewesen)...
Habe mit Malwarebytes das Teil in Quarantäne geschickt, so dass das System ohne den Sperrbildschirm ins Netz gelangt,
aber trotzdem ist das ganze System nicht wirklich clean (Anzeige Dateinamenerweiterung ist nach jedem Reboot wieder deaktiviert)
Ich poste mal die Logdateien aus den verschiedenen Scans:
OTL.txt - Extra.txt wurde nicht erstellt
OTL Logfile: Code:
OTL logfile created on: 01.12.2012 09:47:37 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Hobbit\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,87 Gb Total Physical Memory | 1,74 Gb Available Physical Memory | 60,65% Memory free
5,73 Gb Paging File | 4,58 Gb Available in Paging File | 79,92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,79 Gb Total Space | 190,06 Gb Free Space | 81,64% Space Free | Partition Type: NTFS
Drive F: | 14,84 Gb Total Space | 14,54 Gb Free Space | 98,00% Space Free | Partition Type: FAT32
Computer Name: PC | User Name: Hobbit | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012.12.01 09:09:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Hobbit\Desktop\OTL.exe
PRC - [2012.11.30 19:51:47 | 006,527,128 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\Setup\avast.setup
PRC - [2012.10.30 23:50:59 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2012.10.30 23:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2012.08.31 15:10:30 | 006,952,872 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer.exe
PRC - [2012.08.31 15:10:30 | 002,759,080 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2012.08.31 14:55:18 | 000,106,408 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\tv_w32.exe
PRC - [2012.08.20 18:37:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2012.04.08 23:20:52 | 000,134,416 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2011.11.01 12:19:00 | 000,936,208 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2011.11.01 12:03:54 | 000,481,552 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2011.05.26 19:43:12 | 000,328,040 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2011.04.20 10:04:40 | 000,130,920 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe
PRC - [2011.04.19 02:52:00 | 000,143,360 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe
PRC - [2011.04.19 02:52:00 | 000,062,824 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE
PRC - [2011.04.04 11:43:36 | 000,135,528 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
PRC - [2011.03.29 13:41:08 | 000,064,952 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.12.06 06:55:30 | 000,805,032 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2010.11.29 16:32:44 | 000,069,560 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2010.11.20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.10.29 20:25:12 | 000,142,696 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
PRC - [2009.09.05 17:29:06 | 000,385,024 | ---- | M] (shbox.de) -- C:\Program Files\FreePDF_XP\fpassist.exe
========== Modules (No Company Name) ==========
MOD - [2011.04.19 02:52:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\GR\PWMRT32V.DLL
MOD - [2011.03.16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
========== Services (SafeList) ==========
SRV - [2012.10.30 23:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012.10.30 12:37:19 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.10.08 19:55:11 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.09.20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2012.08.31 15:10:30 | 002,759,080 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2012.05.11 16:02:38 | 000,034,104 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2012.03.10 12:41:36 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011.11.01 12:19:00 | 000,936,208 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2011.11.01 12:03:54 | 000,481,552 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2011.10.20 17:33:22 | 000,103,184 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe -- (BTHSSecurityMgr)
SRV - [2011.10.19 13:24:54 | 000,510,464 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe -- (AMPPALR3)
SRV - [2011.04.20 10:04:40 | 000,130,920 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe -- (TPHKLOAD)
SRV - [2011.04.19 02:52:00 | 000,143,360 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe -- (PwmEWSvc)
SRV - [2011.04.19 02:52:00 | 000,083,304 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2011.04.04 10:27:20 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Disabled | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2011.03.29 13:41:08 | 000,064,952 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2010.12.20 19:17:07 | 003,246,040 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010.12.06 06:55:30 | 000,805,032 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010.11.06 17:29:38 | 000,008,192 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\srvany.exe -- (KMService)
SRV - [2010.08.05 16:47:52 | 000,628,000 | ---- | M] (Broadcom Corporation.) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2010.02.19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
========== Driver Services (SafeList) ==========
DRV - [2012.10.30 23:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012.10.30 23:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012.10.30 23:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012.10.30 23:51:57 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012.10.30 23:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012.10.15 17:59:28 | 000,044,784 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2011.12.28 21:48:24 | 000,129,352 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\ApsX86.sys -- (Shockprf)
DRV - [2011.12.28 21:48:24 | 000,022,344 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\ApsHM86.sys -- (TPDIGIMN)
DRV - [2011.12.27 02:10:35 | 000,033,080 | ---- | M] (Lenovo Information Product(ShenZhen China) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\psadd.sys -- (psadd)
DRV - [2011.12.16 16:53:28 | 000,013,304 | ---- | M] (TeamViewer GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TVMonitor.sys -- (MonitorFunction)
DRV - [2011.10.31 14:56:36 | 007,522,304 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwNs32.sys -- (NETwNs32)
DRV - [2011.10.19 13:18:38 | 000,140,800 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AmpPal.sys -- (AMPPALP)
DRV - [2011.10.19 13:18:38 | 000,140,800 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmpPal.sys -- (AMPPAL)
DRV - [2011.04.19 02:52:00 | 000,013,424 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF)
DRV - [2010.12.20 19:17:07 | 000,167,968 | ---- | M] (Acronis) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\afcdp.sys -- (afcdp)
DRV - [2010.12.20 19:17:05 | 000,752,128 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tdrpm273.sys -- (tdrpman273)
DRV - [2010.12.20 19:17:00 | 000,600,928 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\timntr.sys -- (timounter)
DRV - [2010.12.20 19:16:58 | 000,170,528 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\snapman.sys -- (snapman)
DRV - [2010.12.13 10:30:50 | 000,144,472 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
DRV - [2010.11.20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010.11.20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.09.07 14:09:06 | 000,013,680 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2010.08.18 10:53:42 | 000,045,736 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
DRV - [2009.07.14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009.07.10 06:44:52 | 000,122,880 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F6 6B C5 47 B2 7D CB 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..network.proxy.type: 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012.11.30 19:53:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.10.30 12:37:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.30 12:37:16 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.10.30 12:37:20 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.30 12:37:16 | 000,000,000 | ---D | M]
[2010.11.06 15:49:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hobbit\AppData\Roaming\mozilla\Extensions
[2012.10.23 20:07:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hobbit\AppData\Roaming\mozilla\Firefox\Profiles\7m5wtwu1.default\extensions
[2012.07.30 15:03:18 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Hobbit\AppData\Roaming\mozilla\firefox\profiles\7m5wtwu1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012.10.30 12:37:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012.10.30 12:37:20 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010.11.06 16:02:48 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012.02.11 20:02:13 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.22 15:03:25 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.02.11 20:02:13 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.02.11 20:02:13 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.02.11 20:02:13 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.02.11 20:02:13 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2010.11.07 11:37:40 | 000,002,119 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 153
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 153
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C54B7CAA-A761-4993-A767-FD25B066DBBD}: DhcpNameServer = 192.168.1.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F97B27A2-D4C4-43B7-96EB-226448A695E0}: DhcpNameServer = 192.168.0.100
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{39d0da97-f4a8-11df-bd4b-60eb690bc809}\Shell - "" = AutoRun
O33 - MountPoints2\{39d0da97-f4a8-11df-bd4b-60eb690bc809}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{d5942036-e9b3-11df-a05e-60eb690bc809}\Shell - "" = AutoRun
O33 - MountPoints2\{d5942036-e9b3-11df-a05e-60eb690bc809}\Shell\AutoRun\command - "" = E:\Set-up.exe
O33 - MountPoints2\{f1152d68-ea78-11df-8668-60eb690bc809}\Shell - "" = AutoRun
O33 - MountPoints2\{f1152d68-ea78-11df-8668-60eb690bc809}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{f1152d77-ea78-11df-8668-60eb690bc809}\Shell - "" = AutoRun
O33 - MountPoints2\{f1152d77-ea78-11df-8668-60eb690bc809}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2012.12.01 09:11:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Hobbit\Desktop\OTL.exe
[2012.11.30 23:47:28 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012.11.30 22:42:02 | 000,000,000 | ---D | C] -- C:\Windows\rundll16.exe
[2012.11.30 22:42:02 | 000,000,000 | ---D | C] -- C:\Windows\logo1_.exe
[2012.11.30 21:26:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.11.30 21:26:29 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.11.30 21:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.11.13 21:22:23 | 000,000,000 | ---D | C] -- C:\ProgramData\vhpthzabkxttqln
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012.12.01 09:45:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.12.01 09:35:04 | 000,014,416 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.12.01 09:35:04 | 000,014,416 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.12.01 09:33:01 | 000,680,532 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.12.01 09:33:01 | 000,636,962 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.12.01 09:33:01 | 000,141,240 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.12.01 09:33:01 | 000,114,864 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.12.01 09:12:19 | 000,000,000 | ---- | M] () -- C:\Users\Hobbit\defogger_reenable
[2012.12.01 09:09:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Hobbit\Desktop\OTL.exe
[2012.12.01 09:08:38 | 000,050,477 | ---- | M] () -- C:\Users\Hobbit\Desktop\Defogger.exe
[2012.12.01 08:54:09 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.12.01 07:43:17 | 003,703,568 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.11.30 23:40:33 | 000,037,414 | ---- | M] () -- C:\Users\Hobbit\Documents\pinfect.zip
[2012.11.30 22:40:53 | 000,000,056 | ---- | M] () -- C:\Windows\Lic.xxx
[2012.11.30 21:26:33 | 000,001,036 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.11.30 19:53:45 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012.11.13 21:22:23 | 000,076,348 | ---- | M] () -- C:\ProgramData\qpzyugiwsiayhaj
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012.12.01 09:43:52 | 000,302,592 | ---- | C] () -- C:\Users\Hobbit\Desktop\gmer.exe
[2012.12.01 09:12:19 | 000,000,000 | ---- | C] () -- C:\Users\Hobbit\defogger_reenable
[2012.12.01 09:11:40 | 000,050,477 | ---- | C] () -- C:\Users\Hobbit\Desktop\Defogger.exe
[2012.11.30 23:44:03 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
[2012.11.30 23:43:24 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
[2012.11.30 21:26:33 | 000,001,036 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.11.13 21:22:18 | 000,076,348 | ---- | C] () -- C:\ProgramData\qpzyugiwsiayhaj
[2012.07.11 16:07:27 | 001,048,576 | ---- | C] () -- C:\Windows\System32\syndata.bin
[2012.07.03 12:52:20 | 004,503,728 | ---- | C] () -- C:\ProgramData\l_u0_0.pad
[2011.06.10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2011.05.14 14:23:09 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011.05.14 14:22:00 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010.12.29 13:47:42 | 000,000,156 | ---- | C] () -- C:\Windows\WDP_Server.INI
========== ZeroAccess Check ==========
[2009.07.14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2010.12.20 19:17:07 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\6A30878C-029A-48A8-810A-CDEB93CC02CC
[2010.12.20 19:39:35 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\Acronis
[2011.05.14 16:15:08 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\PwrMgr
[2012.09.29 19:42:22 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\TeamViewer
[2012.07.11 17:05:19 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\TuneUp Software
[2010.11.07 15:06:42 | 000,000,000 | ---D | M] -- C:\Users\Hobbit\AppData\Roaming\XnView
========== Purity Check ==========
< End of report >
--- --- ---
defogger_disable.log Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:44 on 01/12/2012 (Hobbit)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
Eine Gmer Logdatei konnte ich nicht erstellen, gab nen BSOD :-( Code:
==================================================
Dump File : 120112-15771-01.dmp
Crash Time : 01.12.2012 10:17:59
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x82f22ee9
Parameter 3 : 0xba979a78
Parameter 4 : 0x00000000
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+121ee9
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17944 (win7sp1_gdr.120830-0333)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+121ee9
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\120112-15771-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7601
Dump File Size : 146.352
==================================================
Hier mal die erste Log vom Malwarebytesscan im Juli: Code:
Malwarebytes Anti-Malware 1.62.0.1100
www.malwarebytes.org
Datenbank Version: v2012.07.11.05
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Hobbit :: PC [Administrator]
11.07.2012 14:51:20
mbam-log-2012-07-11 (14-51-20).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 316964
Laufzeit: 1 Stunde(n), 16 Minute(n), 5 Sekunde(n)
Infizierte Speicherprozesse: 1
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> 2276 -> Löschen bei Neustart.
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 3
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> Löschen bei Neustart.
C:\Users\Hobbit\AppData\Local\Temp\0_0u_l.exe.mwt (Spyware.Zbot.DG) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Hobbit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.
(Ende)
Und hier der von gestern Abend: Code:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Datenbank Version: v2012.11.26.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Hobbit :: PC [Administrator]
30.11.2012 21:28:14
mbam-log-2012-11-30 (21-28-14).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 312847
Laufzeit: 1 Stunde(n), 4 Minute(n), 53 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 1
C:\Users\Hobbit\0.9368733570250305.exe (Trojan.Weelsof.gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.
(Ende)
EDIT:
Warum klappt das mit der codebox net?
Hier nun noch die log vom gmer Scan:
[codebox]
GMER Logfile:
GMER Logfile: Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-12-01 10:44:02
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.02.0
Running: gmer.exe; Driver: C:\Users\Hobbit\AppData\Local\Temp\fxlcyuoc.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9004C4BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x916AEC22]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9004CED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x90057FA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x90057FF4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x90058176]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x90057F16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x916AEFA6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x90057F5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x9004D11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x9004D2F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x90058130]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x9004D93E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9004C508]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x916AECEA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x916AD3EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9004C556]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x90051534]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9004E3A6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x90057FD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x90058016]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9005819A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x90057F3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x900580BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x90057F86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x90058154]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x916AEE4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9004E272]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x9004DF86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9004C5A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9004C5F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x9004D7BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9004C1FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9004C3AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9004C350]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x9004DAF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x9004DC54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9004C41A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x916AEEFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x9004D636]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x916AD41C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9004C640]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x916AED96]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x916C7E56]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E55A49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E8F4D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82E96500 4 Bytes [BA, C4, 04, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82E96528 4 Bytes [22, EC, 6A, 91] {AND CH, AH; PUSH -0x6f}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82E96588 4 Bytes [D6, CE, 04, 90] {SALC ; INTO ; ADD AL, 0x90}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82E965DC 2 Bytes [A8, 7F] {TEST AL, 0x7f}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AA 82E965DF 5 Bytes [90, F4, 7F, 05, 90] {NOP ; HLT ; JG 0x9; NOP }
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83024C88 5 Bytes JMP 916C4CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 8303D2B0 5 Bytes JMP 916C6828 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 830523F7 4 Bytes CALL 9004EA8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8306C20E 4 Bytes CALL 9004EAA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 830F610E 7 Bytes JMP 916C7E5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 BDA35000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 BDA35123 629 Bytes [05, A3, BD, FE, 05, 34, 05, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 BDA35399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F BDA353FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B BDA354AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[736] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001703FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001701F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001803FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00180804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001801F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[764] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00180600
.text C:\Windows\system32\csrss.exe[788] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[824] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[828] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[840] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\services.exe[876] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text ...
.text C:\Windows\system32\SearchIndexer.exe[1520] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 002203FC
.text C:\Windows\system32\SearchIndexer.exe[1520] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 002201F8
.text C:\Windows\system32\SearchIndexer.exe[1520] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[1520] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00240A08
.text C:\Windows\system32\SearchIndexer.exe[1520] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 002403FC
.text C:\Windows\system32\SearchIndexer.exe[1520] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00240804
.text C:\Windows\system32\SearchIndexer.exe[1520] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 002401F8
.text C:\Windows\system32\SearchIndexer.exe[1520] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00240600
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1556] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001703FC
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001701F8
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 002F0A08
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 002F03FC
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 002F0804
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 002F01F8
.text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[1560] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 002F0600
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1720] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1752] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\igfxext.exe[1788] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001703FC
.text C:\Windows\system32\igfxext.exe[1788] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001701F8
.text C:\Windows\system32\igfxext.exe[1788] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\igfxext.exe[1788] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00180A08
.text C:\Windows\system32\igfxext.exe[1788] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001803FC
.text C:\Windows\system32\igfxext.exe[1788] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00180804
.text C:\Windows\system32\igfxext.exe[1788] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001801F8
.text C:\Windows\system32\igfxext.exe[1788] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00180600
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1824] kernel32.dll!SetUnhandledExceptionFilter 7790F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1824] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\WLANExt.exe[1832] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\conhost.exe[1840] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001E03FC
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001E01F8
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001F03FC
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 001F0804
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1856] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\spoolsv.exe[2000] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2224] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2232] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[2284] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text ...
.text C:\Windows\System32\TpShocks.exe[2412] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 002E03FC
.text C:\Windows\System32\TpShocks.exe[2412] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 002E01F8
.text C:\Windows\System32\TpShocks.exe[2412] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\System32\TpShocks.exe[2412] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 002F0A08
.text C:\Windows\System32\TpShocks.exe[2412] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 002F03FC
.text C:\Windows\System32\TpShocks.exe[2412] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 002F0804
.text C:\Windows\System32\TpShocks.exe[2412] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 002F01F8
.text C:\Windows\System32\TpShocks.exe[2412] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 002F0600
.text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2448] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[2460] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001E03FC
.text C:\Windows\system32\igfxsrvc.exe[2460] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001E01F8
.text C:\Windows\system32\igfxsrvc.exe[2460] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[2460] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\igfxsrvc.exe[2460] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\igfxsrvc.exe[2460] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\igfxsrvc.exe[2460] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\igfxsrvc.exe[2460] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001601F8
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00180A08
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001803FC
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00180804
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001801F8
.text C:\Program Files\Microsoft SQL Server\MSSQL$WDP30\Binn\sqlservr.exe[3076] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00180600
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001E03FC
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001E01F8
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 002003FC
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00200804
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 002001F8
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3108] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\svchost.exe[3132] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[3132] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[3132] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3132] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 000D0A08
.text C:\Windows\system32\svchost.exe[3132] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 000D03FC
.text C:\Windows\system32\svchost.exe[3132] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 000D0804
.text C:\Windows\system32\svchost.exe[3132] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 000D01F8
.text C:\Windows\system32\svchost.exe[3132] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 000D0600
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 000E03FC
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 000E01F8
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 000F03FC
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 000F0804
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 000F01F8
.text C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe[3192] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 000F0600
.text C:\Windows\system32\vssvc.exe[3236] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001203FC
.text C:\Windows\system32\vssvc.exe[3236] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001201F8
.text C:\Windows\system32\vssvc.exe[3236] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\vssvc.exe[3236] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00140A08
.text C:\Windows\system32\vssvc.exe[3236] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001403FC
.text C:\Windows\system32\vssvc.exe[3236] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00140804
.text C:\Windows\system32\vssvc.exe[3236] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001401F8
.text C:\Windows\system32\vssvc.exe[3236] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00140600
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001703FC
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001701F8
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00190A08
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001903FC
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00190804
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001901F8
.text C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE[3324] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00190600
.text C:\Windows\system32\wbem\unsecapp.exe[3592] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 000703FC
.text C:\Windows\system32\wbem\unsecapp.exe[3592] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 000701F8
.text C:\Windows\system32\wbem\unsecapp.exe[3592] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\wbem\unsecapp.exe[3592] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00080A08
.text C:\Windows\system32\wbem\unsecapp.exe[3592] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 000803FC
.text C:\Windows\system32\wbem\unsecapp.exe[3592] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00080804
.text C:\Windows\system32\wbem\unsecapp.exe[3592] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 000801F8
.text C:\Windows\system32\wbem\unsecapp.exe[3592] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00080600
.text C:\Users\Hobbit\Desktop\gmer.exe[3600] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 000E03FC
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 000E01F8
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00200A08
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 002003FC
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00200804
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 002001F8
.text C:\Windows\system32\wbem\wmiprvse.exe[3684] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00200600
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001E03FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001E01F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 002003FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00200804
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 002001F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4024] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\rundll32.exe[4040] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001303FC
.text C:\Windows\System32\rundll32.exe[4040] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001301F8
.text C:\Windows\System32\rundll32.exe[4040] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[4040] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\rundll32.exe[4040] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001403FC
.text C:\Windows\System32\rundll32.exe[4040] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00140804
.text C:\Windows\System32\rundll32.exe[4040] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\rundll32.exe[4040] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00140600
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001D03FC
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001D01F8
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 001E0A08
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001E03FC
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 001E0804
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001E01F8
.text C:\Program Files\FreePDF_XP\fpassist.exe[4088] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 001E0600
.text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4196] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 001E03FC
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 001E01F8
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 001F0A08
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001F03FC
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 001F0804
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001F01F8
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4220] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\mobsync.exe[4252] ntdll.dll!LdrUnloadDll 779FC86E 5 Bytes JMP 000F03FC
.text C:\Windows\System32\mobsync.exe[4252] ntdll.dll!LdrLoadDll 77A0223E 5 Bytes JMP 000F01F8
.text C:\Windows\System32\mobsync.exe[4252] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\System32\mobsync.exe[4252] USER32.dll!UnhookWindowsHookEx 7640ADF9 5 Bytes JMP 00110A08
.text C:\Windows\System32\mobsync.exe[4252] USER32.dll!UnhookWinEvent 7640B750 5 Bytes JMP 001103FC
.text C:\Windows\System32\mobsync.exe[4252] USER32.dll!SetWindowsHookExW 7640E30C 5 Bytes JMP 00110804
.text C:\Windows\System32\mobsync.exe[4252] USER32.dll!SetWinEventHook 764124DC 5 Bytes JMP 001101F8
.text C:\Windows\System32\mobsync.exe[4252] USER32.dll!SetWindowsHookExA 76436D0C 5 Bytes JMP 00110600
.text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[4396] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[4556] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\sppsvc.exe[4608] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Program Files\Lenovo\System Update\SUService.exe[4640] KERNEL32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[5620] kernel32.dll!GetBinaryTypeW + 70 779269F4 1 Byte [62]
---- Devices - GMER 1.0.15 ----
Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT-Dateisystemtreiber/Microsoft Corporation)
AttachedDevice tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device volmgr.sys (Volume Manager Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\78dd08a7b88c
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\78dd08a7b88c (not active ControlSet)
---- EOF - GMER 1.0.15 ----
--- --- ---
--- --- ---
[/codebox]
Frag mich gerade, ob es nicht gleich besser ist das System neu aufzusetzen??!!
Wie würdet Ihr vorgehen?
Gruß
theexciter |
