Unfortunately I could only do it today. GMER logfile:
Code:
GMER 1.0.15.15640 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-24 17:29:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ahcix861 Hitachi_ rev.FB4O
Running: hkbudw1y.exe; Driver: C:\DOKUME~1\Caro\LOKALE~1\Temp\kxroqpow.sys
---- System - GMER 1.0.15 ----
SSDT F7BA7A36 ZwCreateKey
SSDT F7BA7A2C ZwCreateThread
SSDT F7BA7A3B ZwDeleteKey
SSDT F7BA7A45 ZwDeleteValueKey
SSDT F7BA7A4A ZwLoadKey
SSDT F7BA7A18 ZwOpenProcess
SSDT F7BA7A1D ZwOpenThread
SSDT F7BA7A54 ZwReplaceKey
SSDT F7BA7A4F ZwRestoreKey
SSDT F7BA7A40 ZwSetValueKey
SSDT F7BA7A27 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xA8C34000, 0x1C8326, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1288] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\System32\svchost.exe[1288] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00E5000A
.text C:\WINDOWS\System32\svchost.exe[1288] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00E3000C
.text C:\WINDOWS\System32\svchost.exe[1288] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 019B000A
.text C:\WINDOWS\System32\svchost.exe[1288] USER32.dll!WindowFromPoint 7E379766 5 Bytes JMP 019C000A
.text C:\WINDOWS\System32\svchost.exe[1288] USER32.dll!GetForegroundWindow 7E379823 5 Bytes JMP 019D000A
.text C:\WINDOWS\System32\svchost.exe[1288] ole32.dll!CoCreateInstance 774CF1AC 5 Bytes JMP 0193000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00BB000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861 8965E31B
Device \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0TargetaLun0 8965E31B
Device \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0Target1Lun0 8965E31B
Device \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0Target0Lun0 8965E31B
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----