Windows Security Alert Problem

#1 Hallo Leute,

ich hab ein Problem mit einem Virus auf meinem PC. Ich hab diverse Foren durchgeforstet und denke ich sollte ein Logfile von Hijackthis schicken. Ich hoffe ihr könnt mir helfen.

Hijackthis-logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:32, on 28.08.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Salih\ms18_word.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\msdrive32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wiwow64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\49.tmp
C:\WINDOWS\system32\4A.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wiawow32.sys
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Programme\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Programme\AVG\AVG8\avgssie.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [14627] C:\WINDOWS\system32\49.tmp.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOKUME~1\Salih\LOKALE~1\Temp\wr19jr .exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKCU\..\Run: [ms18_word] C:\Dokumente und Einstellungen\Salih\ms18_word.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Security Center] C:\WINDOWS\sc.exe
O4 - HKCU\..\Run: [Protection System] C:\Programme\Protection System\psystem.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Dokumente und Einstellungen\Salih\reader_s.exe (User 'Default user')
O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra button: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html
O9 - Extra 'Tools' menuitem: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programme\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://tky09.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_de_DE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6F3AC18F-3DCB-4C8E-A1DE-F48E19739576} (SesliSistem Control) - http://www.seslisistem.com/newcab/ss.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c98661365edd8a) (gupdate1c98661365edd8a) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Usbest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9886 bytes


Dankeschön schonmal im Voraus

Lg Alexa

#2 hi und willkommen
http://board.protecus.de/t23187.htm
abarbeiten, logs posten.

#3 Hey,

so endlich mal alles gemacht

Malwarebytes-Bericht:

Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2421
Windows 5.1.2600 Service Pack 3

30.08.2009 22:55:04
mbam-log-2009-08-30 (22-55-00).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 90153
Laufzeit: 11 minute(s), 16 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 17
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 2
Infizierte Dateien: 24

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evdoserver (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\evdoserver (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security center (Trojan.FakeAlert) -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Infizierte Verzeichnisse:
C:\Programme\Protection System (Rogue.ProtectionSystem) -> No action taken.
C:\Dokumente und Einstellungen\Salih\Startmenü\Programme\Protection System (Rogue.ProtectionSystem) -> No action taken.

Infizierte Dateien:
c:\WINDOWS\system32\EvdoServer.dll (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\EvdoServer.dllx (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> No action taken.
c:\dokumente und einstellungen\Salih\startmenü\programme\protection system\Live Support.lnk (Rogue.ProtectionSystem) -> No action taken.
c:\dokumente und einstellungen\Salih\startmenü\programme\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> No action taken.
c:\dokumente und einstellungen\Salih\startmenü\programme\protection system\Uninstall.lnk (Rogue.ProtectionSystem) -> No action taken.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\C.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\D.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\E.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\F.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> No action taken.
C:\Dokumente und Einstellungen\Salih\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken.

Gmer-Bericht:

GMER 1.0.15.15077 [22m7zc8d.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 22:55:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x62 ? 8A890BF8
INT 0x63 ? 8A890BF8
INT 0x63 ? 8A890BF8
INT 0x63 ? 8A5E4BF8
INT 0x63 ? 8A5E4BF8
INT 0x63 ? 8A890BF8
INT 0x82 ? 8A890BF8
INT 0x84 ? 8A5E4BF8
INT 0x94 ? 8A5E4BF8
INT 0xA4 ? 8A5E4BF8
INT 0xB1 ? 8A822BF8
INT 0xB1 ? 8A822BF8

Code 8A7137E8 ZwEnumerateKey
Code 8A7137B0 ZwFlushInstructionCache
Code 8A44137E ZwSaveKey
Code 8A4AB25E ZwSaveKeyEx
Code 8A448B8E IofCallDriver
Code 8A492EBE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8A448B93
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A492EC3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 8A7137EC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8A7137B4
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA82 80609E00 16 Bytes [FF, 75, 14, 52, 52, 52, 52, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA93 80609E11 136 Bytes [8D, 46, 14, 89, 45, E8, 66, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EB1C 80609E9A 89 Bytes [75, 65, 72, 79, 52, 65, 67, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EB76 80609EF4 90 Bytes [FF, 90, 41, 00, 63, 00, 74, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EBD1 80609F4F 56 Bytes [0F, 84, EF, 41, FD, FF, 8D, ...]
PAGE ...
PAGE ntoskrnl.exe!CcMdlRead + 76 8061BBBF 5 Bytes [CC, FF, 75, D8, 57] {INT 3 ; PUSH DWORD [EBP-0x28]; PUSH EDI}
PAGE ntoskrnl.exe!CcMdlRead + 7C 8061BBC5 3 Bytes CALL 804F1D86 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!CcMdlRead + 80 8061BBC9 19 Bytes [F6, 46, 02, 02, 74, 17, 83, ...] {TEST BYTE [ESI+0x2], 0x2; JZ 0x1d; CMP DWORD [ESI+0x44], 0x0; JNZ 0x1d; PUSH DWORD [EBP+0x10]; MOV EDI, [EBP+0xc]; PUSH EDI}
PAGE ntoskrnl.exe!CcMdlRead + 94 8061BBDD 12 Bytes CALL 8050228D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!CcMdlRead + A1 8061BBEA 15 Bytes [05, 80, F5, 55, 80, C7, 05, ...] {ADD EAX, 0x8055f580; MOV DWORD [0x80553028], 0x8055f578}
PAGE ...
PAGE ntoskrnl.exe!CcMdlReadComplete + E 8061BE0A 200 Bytes [48, 08, 8B, 49, 28, 85, C9, ...]
PAGE ntoskrnl.exe!CmUnRegisterCallback + 3C 8061BED3 32 Bytes CALL 8064C8C6 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!CmUnRegisterCallback + 5D 8061BEF4 82 Bytes CALL 8064CAA4 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!CmUnRegisterCallback + B1 8061BF48 12 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
PAGE ntoskrnl.exe!CmRegisterCallback + 2 8061BF55 67 Bytes [55, 8B, EC, 51, 53, 56, 57, ...]
PAGE ntoskrnl.exe!CmRegisterCallback + 46 8061BF99 2 Bytes [76, 10] {JBE 0x12}
PAGE ntoskrnl.exe!CmRegisterCallback + 4A 8061BF9D 2 Bytes CALL 805511E8 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!CmRegisterCallback + 4D 8061BFA0 6 Bytes [57, 56, E8, 3F, 52, F3]
PAGE ntoskrnl.exe!CmRegisterCallback + 54 8061BFA7 21 Bytes JMP 8061C042 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 7 8061C190 38 Bytes CALL 804E2E83 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 2E 8061C1B7 37 Bytes [45, D4, 13, 4B, 04, 89, 4D, ...]
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 54 8061C1DD 66 Bytes CALL 804E195E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 97 8061C220 64 Bytes [53, 57, 8B, 45, E0, FF, 50, ...]
PAGE ntoskrnl.exe!FsRtlMdlReadDev + D8 8061C261 47 Bytes [45, 1C, C7, 00, 11, 00, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 95 8061C49C 3 Bytes CALL 804E1961 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 99 8061C4A0 1 Byte [C6]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 99 8061C4A0 4 Bytes [C6, 45, E4, 01] {MOV BYTE [EBP-0x1c], 0x1}
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 9E 8061C4A5 23 Bytes [0A, 6A, 01, FF, 76, 08, E8, ...]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + B7 8061C4BE 20 Bytes [1C, 89, 4D, D8, 8B, FB, 33, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlPrepareMdlWrite + 11 8061C818 89 Bytes [F0, 8B, 46, 08, 8B, 40, 28, ...]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWrite + 6B 8061C872 30 Bytes [75, 10, FF, 75, 0C, 57, E8, ...]
PAGE ntoskrnl.exe!FsRtlMdlWriteCompleteDev + 2 8061C891 78 Bytes [55, 8B, EC, 8B, 45, 08, F6, ...]
PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadNotPossible 8061C8E1 34 Bytes [64, A1, 20, 00, 00, 00, FF, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + 7 8061C904 15 Bytes CALL 804E2E83 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlCopyRead + 17 8061C914 26 Bytes [0F, 00, 00, 8B, 4D, 10, 8D, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + 32 8061C92F 19 Bytes [8B, 3B, 8B, 53, 04, 33, C0, ...] {MOV EDI, [EBX]; MOV EDX, [EBX+0x4]; XOR EAX, EAX; OR ESI, -0x1; SUB ESI, EDI; MOV ECX, 0x7fffffff; SBB ECX, EDX}
PAGE ntoskrnl.exe!FsRtlCopyRead + 46 8061C943 22 Bytes [C8, 7F, 1B, 7C, 05, 3B, 75, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + 5D 8061C95A 1 Byte [32]
PAGE ...
PAGE ntoskrnl.exe!FsRtlCopyWrite + 6C 8061CC6F 20 Bytes [89, 48, 04, 85, C9, 0F, 84, ...]
PAGE ntoskrnl.exe!FsRtlCopyWrite + 81 8061CC84 39 Bytes [00, 00, 80, 7D, 14, 00, 0F, ...]
PAGE ntoskrnl.exe!FsRtlCopyWrite + A9 8061CCAC 92 Bytes CALL 804E195E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlCopyWrite + 106 8061CD09 178 Bytes [00, 8A, 4E, 05, 84, C9, 0F, ...]
PAGE ntoskrnl.exe!FsRtlCopyWrite + 1B9 8061CDBC 13 Bytes [8B, 48, 08, 8B, 49, 28, 8B, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlMdlWriteComplete + 2 8061D329 39 Bytes [55, 8B, EC, 56, 57, 8B, 7D, ...]
PAGE ntoskrnl.exe!FsRtlMdlWriteComplete + 2A 8061D351 57 Bytes [75, 10, FF, 75, 0C, 57, FF, ...]
PAGE ntoskrnl.exe!FsRtlMdlWriteComplete + 64 8061D38B 33 Bytes [5F, 5E, 5D, C2, 0C, 00, 90, ...]
PAGE ntoskrnl.exe!FsRtlInitializeMcb + 2 8061D3AD 8 Bytes [55, 8B, EC, 5D, E9, A4, E8, ...]
PAGE ntoskrnl.exe!FsRtlInitializeMcb + B 8061D3B6 101 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 5 8061D41C 23 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 1D 8061D434 58 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 58 8061D46F 3 Bytes CALL 804E17BE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 5C 8061D473 32 Bytes [5D, C2, 08, 00, CC, CC, CC, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 7D 8061D494 83 Bytes [08, 3B, F7, 75, 16, BE, E3, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + C 8061D683 34 Bytes [74, 77, 57, 33, FF, 3B, F7, ...]
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 2F 8061D6A6 29 Bytes [3B, 35, 18, A0, 69, 80, 75, ...]
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 4D 8061D6C4 4 Bytes [A1, 14, A0, 69]
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 52 8061D6C9 23 Bytes [83, F8, FF, 74, 0D, 50, E8, ...]
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 6A 8061D6E1 6 Bytes [FF, FF, 0D, 28, A0, 69]
PAGE ...
PAGE ntoskrnl.exe!FsRtlDissectDbcs + 5E 8061D76A 143 Bytes [83, 3C, 53, 00, 74, 01, 47, ...]
PAGE ntoskrnl.exe!FsRtlDoesDbcsContainWildCards + 45 8061D7FA 100 Bytes [0F, BE, C9, 0F, B6, 0C, 39, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 38 8061D85F 28 Bytes [FF, 0F, 84, F6, 03, 00, 00, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 55 8061D87C 10 Bytes [00, 8B, 48, 04, 80, 39, 2A, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 60 8061D887 1 Byte [00]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 60 8061D887 177 Bytes [00, 00, 8B, 08, 8B, 40, 04, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 112 8061D939 129 Bytes [4D, 0C, 66, 8B, 45, A8, 66, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 1B 8061DCA3 126 Bytes [4D, 0C, 74, 2A, 66, 83, FA, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 9A 8061DD22 18 Bytes [FF, FF, 84, C0, 74, 14, 66, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + AD 8061DD35 93 Bytes [66, 81, FA, FF, 00, 76, 04, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 10B 8061DD93 115 Bytes [0F, B6, D0, 0F, B6, 14, 1A, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 17F 8061DE07 10 Bytes [CC, CC, CC, 90, 90, 90, 90, ...] {INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI}
PAGE ntoskrnl.exe!FsRtlNotifyChangeDirectory + 3 8061DE12 7 Bytes [8B, EC, 33, C0, 50, 50, 50] {MOV EBP, ESP; XOR EAX, EAX; PUSH EAX; PUSH EAX; PUSH EAX}
PAGE ntoskrnl.exe!FsRtlNotifyChangeDirectory + C 8061DE1B 6 Bytes [20, FF, 75, 1C, 6A, 01] {AND BH, BH; JNZ 0x20; PUSH 0x1}
PAGE ntoskrnl.exe!FsRtlNotifyChangeDirectory + 14 8061DE23 43 Bytes [18, FF, 75, 10, FF, 75, 0C, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullChangeDirectory + 8 8061DE4F 17 Bytes [75, 2C, FF, 75, 28, FF, 75, ...] {JNZ 0x2e; PUSH DWORD [EBP+0x28]; PUSH DWORD [EBP+0x24]; PUSH DWORD [EBP+0x20]; PUSH DWORD [EBP+0x1c]; PUSH DWORD [EBP+0x18]}
PAGE ntoskrnl.exe!FsRtlNotifyFullChangeDirectory + 1A 8061DE61 116 Bytes [75, 14, FF, 75, 10, FF, 75, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 17 8061DED6 74 Bytes [75, 14, FF, 75, 10, FF, 75, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 62 8061DF21 75 Bytes [45, 18, 76, 03, 89, 45, 18, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + AE 8061DF6D 101 Bytes [03, C8, 13, 55, FC, 83, C1, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 114 8061DFD3 105 Bytes [32, 45, 08, 88, 59, 03, 24, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 17E 8061E03D 21 Bytes CALL 804FCA10 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!IoSetPartitionInformation + 2 8061E1ED 27 Bytes [55, 8B, EC, 83, EC, 40, 53, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + 1E 8061E209 195 Bytes [73, 03, 89, 5D, F8, 8B, 55, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + E2 8061E2CD 95 Bytes [03, 01, 00, 00, 75, 10, 56, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + 142 8061E32D 5 Bytes [74, 0B, FF, 45, F0] {JZ 0xd; INC DWORD [EBP-0x10]}
PAGE ntoskrnl.exe!IoSetPartitionInformation + 148 8061E333 62 Bytes [4D, 08, 39, 4D, F0, 74, 0D, ...]
PAGE ...
PAGE ntoskrnl.exe!IoWritePartitionTable + 1 8061E460 159 Bytes [FF, 55, 8B, EC, 83, EC, 6C, ...]
PAGE ntoskrnl.exe!IoWritePartitionTable + A1 8061E500 27 Bytes [88, 45, FD, 75, 4C, 80, 7E, ...]
PAGE ntoskrnl.exe!IoWritePartitionTable + BD 8061E51C 101 Bytes CALL 38686E23
PAGE ntoskrnl.exe!IoWritePartitionTable + 123 8061E582 58 Bytes [C4, 50, FF, 75, EC, 0F, 94, ...]
PAGE ntoskrnl.exe!IoWritePartitionTable + 15E 8061E5BD 5 Bytes [3D, 03, 01, 00, 00] {CMP EAX, 0x103}
PAGE ...
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 1C 8061F6B6 26 Bytes [3B, C3, 0F, 8C, DD, 00, 00, ...]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 38 8061F6D2 3 Bytes JMP 8061F78A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 3C 8061F6D6 43 Bytes [00, 00, 8D, 45, 08, 50, 53, ...]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 68 8061F702 56 Bytes [00, 00, 8B, 5D, 08, 8B, 53, ...]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + A1 8061F73B 28 Bytes [75, FC, A5, A5, A5, A5, E8, ...]
PAGE ...
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 26 8061F7DA 7 Bytes [8B, F0, 85, F6, 7C, 25, 8B]
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 2E 8061F7E2 32 Bytes CALL C8796BE7
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 4F 8061F803 9 Bytes CALL 805C0ABA \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 59 8061F80D 5 Bytes [C6, 5E, 5D, C2, 08]
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 5F 8061F813 13 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
PAGE ...
PAGE ntoskrnl.exe!IoCreateDisk 8061F9A7 179 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 5D 8061FA5B 20 Bytes [FF, EB, 13, 0F, B6, 40, 08, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 72 8061FA70 170 Bytes [FF, 8B, F0, 85, FF, 74, 06, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 11E 8061FB1C 16 Bytes [FF, 75, 08, FF, 15, 98, 80, ...] {PUSH DWORD [EBP+0x8]; CALL [0x804d8098]; MOV [EBX+0x8], EAX; MOVZX EAX, BYTE [EBP+0x23]}
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 12F 8061FB2D 2 Bytes [43, 04]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 132 8061FB30 11 Bytes [45, 10, 89, 43, 0C, C7, 45, ...] {INC EBP; ADC [ECX+0x45c70c43], CL; OR AL, 0x20; ADD [EAX], EAX}
PAGE ...
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 6 8061FC9A 22 Bytes [45, 08, 03, 56, 8B, 75, 08, ...]
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 1D 8061FCB1 77 Bytes [80, EB, 4D, 53, EB, 37, 8D, ...]
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 6B 8061FCFF 79 Bytes [C0, 5B, 5F, 5E, 5D, C2, 0C, ...]
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + BB 8061FD4F 1 Byte [75]
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + BB 8061FD4F 46 Bytes [75, 08, 33, DB, 66, 83, 3E, ...]
PAGE ...
PAGE ntoskrnl.exe!IoEnqueueIrp + 2B 8061FFB3 15 Bytes [32, FF, 15, 30, 80, 4D, 80, ...] {XOR BH, BH; ADC EAX, 0x804d8030; POP EDI; POP ESI; POP EBP; RET 0x4; INT 3 ; INT 3 }
PAGE ntoskrnl.exe!IoEnqueueIrp + 3B 8061FFC3 33 Bytes [CC, CC, CC, 90, 90, 90, 90, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 1A 8061FFE5 21 Bytes [FC, 8B, 45, 08, 57, 89, 85, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 30 8061FFFB 7 Bytes [F3, AB, 8B, 45, 10, 0D, 00]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 38 80620003 10 Bytes [20, 00, 33, DB, 43, 89, 85, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 43 8062000E 4 Bytes [8D, 85, 6C, FF]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 48 80620013 9 Bytes [FF, 66, C7, 85, 04, FF, FF, ...]
PAGE ...
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 2 806200D2 46 Bytes [55, 8B, EC, 83, EC, 54, A1, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 31 80620101 31 Bytes [40, 60, 8B, 40, 04, 85, C0, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 52 80620122 71 Bytes [66, 83, 7B, 08, 00, 75, F2, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 9A 8062016A 1 Byte [43]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 9A 8062016A 202 Bytes [43, 14, 66, 83, F8, 2E, 74, ...]
PAGE ...
PAGE ntoskrnl.exe!IoRegisterLastChanceShutdownNotification + 18 8062061B 222 Bytes [75, 07, B8, 9A, 00, 00, C0, ...]
PAGE ntoskrnl.exe!IoSetInformation + 9B 806206FA 20 Bytes [8B, F0, 3B, F7, 75, 11, 57, ...]
PAGE ntoskrnl.exe!IoSetInformation + B0 8062070F 84 Bytes [00, 00, 89, 5E, 64, 64, A1, ...]
PAGE ntoskrnl.exe!IoSetInformation + 105 80620764 4 Bytes [15, 2C, 80, 4D]
PAGE ntoskrnl.exe!IoSetInformation + 10A 80620769 132 Bytes [8B, 56, 50, 81, C2, 10, 02, ...]
PAGE ntoskrnl.exe!IoSetInformation + 18F 806207EE 5 Bytes [EB, 1F, 83, F8, 0A] {JMP 0x21; CMP EAX, 0xa}
PAGE ...
PAGE ntoskrnl.exe!IoUnregisterFsRegistrationChange + 27 8062093B 10 Bytes [08, 8B, 50, 0C, 3B, 55, 0C, ...]
PAGE ntoskrnl.exe!IoUnregisterFsRegistrationChange + 32 80620946 92 Bytes [3B, C1, 74, 16, EB, EB, EB, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + 1F 806209A3 3 Bytes CALL 804DC401 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoVerifyVolume + 23 806209A7 56 Bytes [8B, 46, 24, F6, 40, 04, 01, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + 5C 806209E0 7 Bytes [75, FC, FF, 15, 88, B7, 55]
PAGE ntoskrnl.exe!IoVerifyVolume + 64 806209E8 123 Bytes [8B, D0, 3B, D3, 75, 0A, BF, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + E0 80620A64 131 Bytes CALL 805BE6B2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCancelFileOpen + 1F 80620AE8 49 Bytes CALL 68620AED
PAGE ntoskrnl.exe!IoCancelFileOpen + 51 80620B1A 98 Bytes CALL 804F2874 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCancelFileOpen + B4 80620B7D 51 Bytes CALL 8053281E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCancelFileOpen + E8 80620BB1 62 Bytes [89, 7F, 04, 89, 3F, FF, 15, ...]
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 16 80620BF1 16 Bytes [FC, 50, EB, 30, 8D, 45, FC, ...] {CLD ; PUSH EAX; JMP 0x34; LEA EAX, [EBP-0x4]; PUSH EAX; PUSH DWORD [EBP-0x4]; PUSH ESI; PUSH 0x1; PUSH 0x1}
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 27 80620C02 18 Bytes CALL 8058AA03 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 3A 80620C15 60 Bytes [05, F3, FF, 81, 7D, F8, 05, ...]
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 1 80620C52 2 Bytes [FF, 55]
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 4 80620C55 49 Bytes [EC, 51, 53, 56, 57, 6A, 01, ...]
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 36 80620C87 57 Bytes [45, 10, 89, 38, 76, 07, C7, ...]
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 70 80620CC1 3 Bytes CALL 804DC59A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 74 80620CC5 82 Bytes [8B, 45, FC, 5F, 5E, 5B, C9, ...]
PAGE ...
PAGE ntoskrnl.exe!IoAttachDevice + 2B 80620DFA 2 Bytes [DC, 18] {FCOMP QWORD [EAX]}
PAGE ntoskrnl.exe!IoAttachDevice + 2E 80620DFD 1 Byte [00]
PAGE ntoskrnl.exe!IoAttachDevice + 31 80620E00 27 Bytes CALL 80621005 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoAttachDevice + 4D 80620E1C 51 Bytes [50, 56, FF, 35, 58, 0D, 56, ...]
PAGE ntoskrnl.exe!IoAttachDevice + 81 80620E50 19 Bytes CALL 804E190C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 20 806210F3 43 Bytes [88, 45, E0, 8B, 75, 08, 3A, ...]
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 4C 8062111F 14 Bytes CALL 8057027C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 5B 8062112E 42 Bytes [45, FC, 01, 00, 00, 00, 8B, ...]
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 86 80621159 15 Bytes [8B, 45, DC, EB, 24, 90, 90, ...] {MOV EAX, [EBP-0x24]; JMP 0x29; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EAX, [EBP-0x14]; MOV EAX, [EAX]}
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 96 80621169 121 Bytes CALL 805E13B3 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryIoCompletion + 4F 806211E3 3 Bytes [D4, 7E, 56] {AAM 0x7e; PUSH ESI}
PAGE ntoskrnl.exe!ZwQueryIoCompletion + 53 806211E7 22 Bytes [3B, C8, 72, 02, 89, 38, 8B, ...]
PAGE ntoskrnl.exe!ZwQueryIoCompletion + 6A 806211FE 37 Bytes [7D, 14, 04, 74, 0E, B8, 04, ...]
PAGE ntoskrnl.exe!ZwQueryIoCompletion + 91 80621225 10 Bytes CALL 8056C557 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryIoCompletion + 9C 80621230 36 Bytes [75, DC, 89, 75, C4, 89, 45, ...]
PAGE ...
PAGE ntoskrnl.exe!NtQueryEaFile + 47 80621367 39 Bytes [03, 89, 03, 8B, 43, 04, 89, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + 6F 8062138F 14 Bytes [01, EB, 02, 8B, 00, 89, 45, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + 7E 8062139E 61 Bytes [00, 00, 8B, 7D, 20, 3B, FE, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + BC 806213DC 3 Bytes CALL 804E8763 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!NtQueryEaFile + C0 806213E0 30 Bytes [89, 45, E0, 8B, 4D, 20, 8B, ...]
PAGE ...
PAGE ntoskrnl.exe!NtSetEaFile + 2F 80621896 91 Bytes [8B, 75, 0C, 3B, F0, 72, 02, ...]
PAGE ntoskrnl.exe!NtSetEaFile + 8B 806218F2 2 Bytes [65, E8]
PAGE ntoskrnl.exe!NtSetEaFile + 8E 806218F5 5 Bytes [75, CC, E9, 4B, 02]
PAGE ntoskrnl.exe!NtSetEaFile + 94 806218FB 43 Bytes [00, 8B, 75, 0C, 53, 8D, 45, ...]
PAGE ntoskrnl.exe!NtSetEaFile + C0 80621927 91 Bytes [46, 33, C0, 40, 8D, 4F, 44, ...]
PAGE ...
PAGE ntoskrnl.exe!NtSetQuotaInformationFile + 8 80621BB7 58 Bytes [75, 14, FF, 75, 10, FF, 75, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + 1B 80621BF2 68 Bytes [7D, D8, 64, A1, 24, 01, 00, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + 60 80621C37 145 Bytes [5D, 24, 85, DB, 74, 47, 8D, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + F2 80621CC9 355 Bytes [89, 45, E0, 89, 45, D8, 8B, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + 256 80621E2D 12 Bytes [45, E6, 50, 8B, 43, 2C, C1, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + 263 80621E3A 85 Bytes [FF, 50, FF, 75, DC, 53, E8, ...]
PAGE ...
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 43 80622130 1 Byte [88]
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 43 80622130 13 Bytes [88, 45, BB, 84, C0, 74, 6A, ...]
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 52 8062213F 26 Bytes [00, 8A, 86, 94, 24, 62, 80, ...]
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 6D 8062215A 13 Bytes JMP 80622481 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 7B 80622168 72 Bytes [3B, C8, 72, 02, 89, 38, 8B, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwReadFileScatter + 7E 8062252D 56 Bytes [41, 2C, 83, F8, 08, 74, 22, ...]
PAGE ntoskrnl.exe!ZwReadFileScatter + B7 80622566 85 Bytes CALL 0A522877
PAGE ntoskrnl.exe!ZwReadFileScatter + 10D 806225BC 8 Bytes [ED, CB, 02, 00, A1, D4, 7E, ...]
PAGE ntoskrnl.exe!ZwReadFileScatter + 116 806225C5 7 Bytes [8B, 4D, 24, 3B, C8, 72, 02] {MOV ECX, [EBP+0x24]; CMP ECX, EAX; JB 0x9}
PAGE ntoskrnl.exe!ZwReadFileScatter + 11E 806225CD 187 Bytes [18, 8B, 01, 89, 45, 9C, 8B, ...]
PAGE ...
PAGE ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx + 1F 806247DC 26 Bytes [33, FF, 85, C9, 7E, 0D, 57, ...]
PAGE ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx + 3A 806247F7 64 Bytes CALL 805511E4 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoAssignResources + 25 80624838 132 Bytes [F6, 40, 7E, 02, 0F, 85, 51, ...]
PAGE ntoskrnl.exe!IoAssignResources + AA 806248BD 13 Bytes [40, 14, 3B, C3, 0F, 84, BD, ...]
PAGE ntoskrnl.exe!IoAssignResources + B9 806248CC 9 Bytes CALL 80532DBF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoAssignResources + C3 806248D6 2 Bytes [00, 00] {ADD [EAX], AL}
PAGE ntoskrnl.exe!IoAssignResources + C6 806248D9 15 Bytes [40, 14, 05, 94, 00, 00, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!IoPnPDeliverServicePowerNotification + 19 8062531F 7 Bytes [00, 68, 50, 70, 20, 20, 68]
PAGE ntoskrnl.exe!IoPnPDeliverServicePowerNotification + 21 80625327 1 Byte [04]
PAGE ntoskrnl.exe!IoPnPDeliverServicePowerNotification + 21 80625327 3 Bytes [04, 00, 00]
PAGE ntoskrnl.exe!IoPnPDeliverServicePowerNotification + 25 8062532B 1 Byte [01]
PAGE ntoskrnl.exe!IoPnPDeliverServicePowerNotification + 25 8062532B 5 Bytes [01, E8, D4, BC, F2]
PAGE ...
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 54 80625447 28 Bytes [3B, F0, 74, 4D, 57, 50, 56, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 71 80625464 32 Bytes [3B, F0, 74, 30, 57, 50, 56, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 92 80625485 154 Bytes [12, 8B, 4B, 18, 83, F9, FF, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 12D 80625520 11 Bytes [89, 45, D4, 8B, 45, 10, 53, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 139 8062552C 41 Bytes [89, 45, D8, FF, 15, 18, 81, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSaveKey 8065616E 5 Bytes JMP 8A441382
PAGE ntoskrnl.exe!ZwSaveKeyEx 80656259 5 Bytes JMP 8A4AB262
? splg.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload BAD558AC 5 Bytes JMP 8A5E41D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[280] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\system32\winlogon.exe[280] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\system32\winlogon.exe[280] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\system32\winlogon.exe[280] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\system32\winlogon.exe[280] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\system32\winlogon.exe[280] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.text C:\WINDOWS\system32\services.exe[324] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\system32\services.exe[324] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\system32\services.exe[324] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\system32\services.exe[324] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\system32\services.exe[324] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\system32\services.exe[324] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FF9491A
.text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FF949A9
.text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FF949B6
.text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FF94C3A
.text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FF9499F
.text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FF949F7
.rsrc C:\WINDOWS\system32\svchost.exe[496] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[496] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100A34F]
.rsrc C:\WINDOWS\system32\svchost.exe[620] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[620] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100A34F]
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.text C:\Programme\Lavasoft\Ad-Aware\AAWService.exe[692] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\Programme\Lavasoft\Ad-Aware\AAWService.exe[692] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\Programme\Lavasoft\Ad-Aware\AAWService.exe[692] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\Programme\Lavasoft\Ad-Aware\AAWService.exe[692] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\Programme\Lavasoft\Ad-Aware\AAWService.exe[692] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\Programme\Lavasoft\Ad-Aware\AAWService.exe[692] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.rsrc C:\WINDOWS\system32\svchost.exe[744] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[744] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100A34F]
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.text C:\WINDOWS\system32\wbem\unsecapp.exe[848] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[848] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\system32\wbem\unsecapp.exe[848] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\system32\wbem\unsecapp.exe[848] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[848] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\system32\wbem\unsecapp.exe[848] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[936] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[936] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[936] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[936] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[936] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[936] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.reloc C:\WINDOWS\Explorer.EXE[1232] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\Explorer.EXE[1232] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010FE940]
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7
.text C:\Dokumente und Einstellungen\Salih\Desktop\22m7zc8d.exe[1400] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes CALL 7FFA491A
.text C:\Dokumente und Einstellungen\Salih\Desktop\22m7zc8d.exe[1400] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes CALL 7FFA49A9
.text C:\Dokumente und Einstellungen\Salih\Desktop\22m7zc8d.exe[1400] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes CALL 7FFA49B6
.text C:\Dokumente und Einstellungen\Salih\Desktop\22m7zc8d.exe[1400] ntdll.dll!NtDeviceIoControlFile 7C91D27E 5 Bytes CALL 7FFA4C3A
.text C:\Dokumente und Einstellungen\Salih\Desktop\22m7zc8d.exe[1400] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes CALL 7FFA499F
.text C:\Dokumente und Einstellungen\Salih\Desktop\22m7zc8d.exe[1400] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes CALL 7FFA49F7

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A8222D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750A93C] splg.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750A990] splg.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DB040] splg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74DB13C] splg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74DB0BE] splg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74DB7FC] splg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74DB6D2] splg.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A5E42D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74EAD92] splg.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A88F1F8
Device \FileSystem\Fastfat \FatCdrom 8A30F1F8
Device \FileSystem\Udfs \UdfsCdRom 8A309500
Device \FileSystem\Udfs \UdfsDisk 8A309500
Device \Driver\NDIS \Device\Ndis [8A5F0984] NDIS.sys[.reloc]
Device \Driver\usbuhci \Device\USBPDO-0 8A6EF1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A6EF1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A6EF1F8
Device \Driver\usbuhci \Device\USBPDO-3 8A6EF1F8
Device \Driver\usbehci \Device\USBPDO-4 8A7A53A8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8201F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8201F8
Device \Driver\Cdrom \Device\CdRom0 8A7B7408
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8201F8
Device \Driver\Cdrom \Device\CdRom1 8A7B7408
Device \Driver\Cdrom \Device\CdRom2 8A7B7408
Device \Driver\Cdrom \Device\CdRom3 8A7B7408
Device \Driver\usbstor \Device\00000081 8A41D500
Device \Driver\Cdrom \Device\CdRom4 8A7B7408
Device \Driver\Cdrom \Device\CdRom5 8A7B7408
Device \Driver\sptd \Device\520438528 splg.sys
Device \Driver\Cdrom \Device\CdRom6 8A7B7408
Device \Driver\usbstor \Device\00000084 8A41D500
Device \Driver\usbstor \Device\00000085 8A41D500
Device \Driver\PCI_PNP3528 \Device\0000004c splg.sys
Device \Driver\PCI_PNP3528 \Device\0000004c splg.sys
Device \Driver\usbstor \Device\00000086 8A41D500
Device \Driver\PCI_PNP3528 \Device\0000004d splg.sys
Device \Driver\PCI_PNP3528 \Device\0000004d splg.sys
Device \Driver\usbstor \Device\00000087 8A41D500
Device \Driver\usbuhci \Device\USBFDO-0 8A6EF1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A6EF1F8
Device \Driver\sptd \Device\520594778 splg.sys
Device \Driver\usbuhci \Device\USBFDO-2 8A6EF1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A6EF1F8
Device \Driver\usbehci \Device\USBFDO-4 8A7A53A8
Device \Driver\Ftdisk \Device\FtControl 8A8201F8
Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target3Lun0 8A5AB1F8
Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target0Lun0 8A5AB1F8
Device \Driver\ajzievs9 \Device\Scsi\ajzievs91 8A5AB1F8
Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target2Lun0 8A5AB1F8
Device \Driver\a5s4f91n \Device\Scsi\a5s4f91n1 8A7A3500
Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target1Lun0 8A5AB1F8
Device \Driver\a5s4f91n \Device\Scsi\a5s4f91n1Port5Path0Target0Lun0 8A7A3500
Device \FileSystem\Fastfat \Fat 8A30F1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A3001F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmeoirpjbg.sys (*** hidden *** ) [SYSTEM] kbiwkmoyunqjwq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).left 88
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).top 116
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).right 688
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).bottom 520
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).left 88
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).top 116
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).right 688
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).bottom 520
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@FFlags 1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@Vid {65F125E5-7BE1-4810-BA9D-D271C8432CE3}
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@Mode 6
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@ScrollPos800x600(1).y 2
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).left 44
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).top 58
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).right 644
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).bottom 462

---- EOF - GMER 1.0.15 ----

Hijackthis-Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:33:12, on 31.08.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\msdrive32.exe
C:\Dokumente und Einstellungen\Salih\ms18_word.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\VRT6.tmp
C:\WINDOWS\TEMP\VRT5.tmp
C:\WINDOWS\System32\reader_s.exe
C:\Programme\AVG\AVG8\avgui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AVG\AVG8\avgscanx.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\Salih\reader_s.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\system32\wiawow32.sys
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Programme\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Programme\AVG\AVG8\avgssie.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKLM\..\Run: [14627] C:\WINDOWS\system32\49.tmp.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOKUME~1\Salih\LOKALE~1\Temp\wr19jr .exe
O4 - HKCU\..\Run: [ms18_word] C:\Dokumente und Einstellungen\Salih\ms18_word.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Dokumente und Einstellungen\Salih\reader_s.exe (User 'Default user')
O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra button: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html
O9 - Extra 'Tools' menuitem: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programme\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://tky09.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_de_DE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6F3AC18F-3DCB-4C8E-A1DE-F48E19739576} (SesliSistem Control) - http://www.seslisistem.com/newcab/ss.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O17 - HKLM\System\CS4\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c98661365edd8a) (gupdate1c98661365edd8a) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Usbest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9950 bytes

Uninstall-Liste:

32 Bit HP CIO Components Installer
3GP Flash Video Converter V1.33
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3 - Deutsch
Adobe Shockwave Player 11.5
Avanquest update
AVG Free 8.5
Backgammon Pro für Windows V1.5
Backspin Billiards
Batak 4 Ýhaleli
Calc 3D
CCleaner (remove only)
ClearProg 1.6.0 Final
Convert Doc
DivX Player
DivX Web Player
EphPod
Ext2 IFS 1.11 for Windows XP
FlashGet 2.0
FlvGrabber
FM Modifier 2.22
FMRTE
Football Manager 2009
Football Manager 2009 Türkçe
Foto-Mosaik 4.1.0
GIMP 2.4.0
Google Earth
Google Earth Plugin
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix für Windows XP (KB952287)
HP Customer Participation Program 10.0
HP Document Manager 1.0
HP Foto- und Bildbearbeitung 2.0 - All-in-One
HP Foto und Bildbearbeitung 2.0 - hp psc 1200 series
HP Foto- und Bildbearbeitung 2.0 All-in-One Treiber
HP Imaging Device Functions 10.0
HP Officejet J4500 Series
hp psc 1200 series
HP Smart Web Printing
HP Solution Center 10.0
HP Speicher-Disc
HP Update
ICQ Away Reader 1.4
ICQ6.5
ImageBlizzard 1.0
iPodLibrary v1.2b
IrfanView (remove only)
IsoBuster 2.4
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 5
JellyFish Light 3.5
kikin Plugin (JDownloader Edition) 1.11
K-Lite Codec Pack 3.5.3 Full
Lizardtech DjVu Control (autoinstall)
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2003
Microsoft Reader
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows-Journal-Viewer
MinuteMan
Mozilla Firefox (3.0.13)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NET Installation Assistance for VB6 App (Runtime Only)
Nuclear Coffee - VideoGet
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
Okey+ 2.1
OpenOffice.org 2.3
Opera 9.50
Oxin's Style! 3D Sexvilla 2 ever lust
Picasa 2
Pop Art Studio 3.0
PowerQuest PartitionMagic 8.0
PowerQuest PartitionMagic 8.0
Pretty Good Solitaire version 12.0.1
Pro Evolution Soccer 2009
QuickTime
Real Alternative 1.8.0
Realtek High Definition Audio Driver
Shop for HP Supplies
Sicherheitsupdate für Windows Internet Explorer 8 (KB972260)
Sicherheitsupdate für Windows Media Player (KB973540)
Sicherheitsupdate für Windows XP (KB938464)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950759)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951698)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB953838)
Sicherheitsupdate für Windows XP (KB956744)
Sicherheitsupdate für Windows XP (KB960859)
Sicherheitsupdate für Windows XP (KB961371)
Sicherheitsupdate für Windows XP (KB961501)
Sicherheitsupdate für Windows XP (KB968537)
Sicherheitsupdate für Windows XP (KB969897)
Sicherheitsupdate für Windows XP (KB969898)
Sicherheitsupdate für Windows XP (KB970238)
Sicherheitsupdate für Windows XP (KB971557)
Sicherheitsupdate für Windows XP (KB971633)
Sicherheitsupdate für Windows XP (KB971657)
Sicherheitsupdate für Windows XP (KB972260)
Sicherheitsupdate für Windows XP (KB973346)
Sicherheitsupdate für Windows XP (KB973354)
Sicherheitsupdate für Windows XP (KB973507)
Sicherheitsupdate für Windows XP (KB973869)
Sony Ericsson Media Manager 1.0
Sony Ericsson PC Suite 3.209.00
SopCast 1.1.2
SPEED-LINK DUAL SHOCK ADAPTER
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Sweepi 5.4.00
The Godfather™ The Game
thriXXX VirtuallyJenna-029.002
TimeLeft
Total Video Converter 3.10
Trust WB-1400T Webcam
Trust WB-3400T Webcam
TuneUp Utilities 2008
TuneUp Utilities 2009
TVAnts 1.0
TVUPlayer 2.3.5.4
UltraISO Premium V9.3
UltraStar 0.6.1
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update für Windows Internet Explorer 8 (KB972636)
Update für Windows XP (KB968389)
Update für Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Veetle TV 0.9.14
Veoh Player
VeryPDF PDF2TXT v3.2
VideoLAN VLC media player 0.8.4a
Virtualdub 1.4.9
Wheel of Fortune (remove only)
Winamp
Windows Internet Explorer 8
Windows Live Anmelde-Assistent
Windows Live installer
Windows Live Messenger
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR

So, ich hoffe ihr könnt mir mit meinem Problem weiterhelfen

Lg Alexa

#4 Ok da ist noch einiges was da nicht hin soll

Combofix downloaden und anwenden,anschliesend das Logfile posten.
Hier ist eine Anleitung
http://virus-protect.org/artikel/tools/combofix.html
__________
Leet´s get ready to SUCK IT !!!

#5 Bitte update doch erst einmal MalwareBytes, dieses Programm war nicht auf dem neuesten Stand, dann full Scan und die Funde löschen, poste das Log. Danach kannst du Combofix anwenden, benenne es aber um in rejklli.exe
da du ein Rootkit auf dem System hast, könnte das sonst Schwierigkeiten geben, wenn du CF nicht umbenennst.
Zu bedenken gebe ich weiterhin, wenn du Onlinebanking betreibst oder sonstige Geschäfte am PC solltest du deiner Bank das Problem mitteilen und über ein Formatieren deines PC'S nachdenken, teile mit, wie du verfahren möchtest.