TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe
So finally:
GMER Quote:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-15 20:59:29
Windows 6.1.7600
Running: kz2ufo7c.exe; Driver: C:\Users\Tobi\AppData\Local\Temp\kxddqpow.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1BAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E03634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E03898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1B6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1BF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1C1A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E7B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E9FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90809000, 0x2D5378, 0xE8000020]
.text peauth.sys 9BC10C9D 28 Bytes [04, AF, 77, F0, A0, 55, 44, ...]
.text peauth.sys 9BC10CC1 28 Bytes [04, AF, 77, F0, A0, 55, 44, ...]
PAGE peauth.sys 9BC16B9B 72 Bytes [60, FF, 4D, C0, 75, DE, 4D, ...]
PAGE peauth.sys 9BC16BEC 111 Bytes [EE, AE, 0B, 4F, 9F, 19, 37, ...]
PAGE peauth.sys 9BC16E20 101 Bytes [09, A6, DB, 40, 20, A7, 67, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtProtectVirtualMemory 770C5360 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 770C5EE0 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!KiUserExceptionDispatcher 770C6448 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[988] ole32.dll!CoCreateInstance 764D57FC 5 Bytes JMP 00F0000A
.text C:\Windows\system32\svchost.exe[988] USER32.dll!GetCursorPos 7662C198 5 Bytes JMP 00F9000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2748] ntdll.dll!NtProtectVirtualMemory 770C5360 5 Bytes JMP 0039000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2748] ntdll.dll!NtWriteVirtualMemory 770C5EE0 5 Bytes JMP 0048000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2748] ntdll.dll!KiUserExceptionDispatcher 770C6448 5 Bytes JMP 0037000A
.text C:\Program Files\Winamp Remote\bin\Orb.exe[2776] kernel32.dll!SetUnhandledExceptionFilter 76363162 5 Bytes JMP 00402CD0 C:\Program Files\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)
.text C:\Program Files\Winamp Remote\bin\OrbTray.exe[3104] kernel32.dll!SetUnhandledExceptionFilter 76363162 5 Bytes JMP 00413C70 C:\Program Files\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)
.text C:\Windows\Explorer.EXE[3144] ntdll.dll!NtProtectVirtualMemory 770C5360 5 Bytes JMP 001A000A
.text C:\Windows\Explorer.EXE[3144] ntdll.dll!NtWriteVirtualMemory 770C5EE0 5 Bytes JMP 002B000A
.text C:\Windows\Explorer.EXE[3144] ntdll.dll!KiUserExceptionDispatcher 770C6448 5 Bytes JMP 0019000A
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3580] kernel32.dll!CreateFileW 76360B7D 5 Bytes JMP 01FC2930 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3580] kernel32.dll!CreateFileA 7636291C 5 Bytes JMP 01FC28D0 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3580] USER32.dll!ShowWindow 7663147A 2 Bytes JMP 01FC2750 C:\Program Files\Common Files\PPLiveNetwork\TipsClient.dll
.text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[3580] USER32.dll!ShowWindow + 3 7663147D 2 Bytes [99, 8B]
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] ntdll.dll!NtProtectVirtualMemory 770C5360 5 Bytes JMP 001E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] ntdll.dll!NtWriteVirtualMemory 770C5EE0 5 Bytes JMP 001F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] ntdll.dll!KiUserExceptionDispatcher 770C6448 5 Bytes JMP 000A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!UnhookWindowsHookEx 7662CC7B 5 Bytes JMP 6BBB82FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!CallNextHookEx 7662CC8F 5 Bytes JMP 6BB99D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!CreateWindowExW 76630E51 5 Bytes JMP 6BBA80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!SetWindowsHookExW 7663210A 5 Bytes JMP 6BB545DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!DialogBoxIndirectParamW 76654AA7 5 Bytes JMP 6BCCF218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!DialogBoxParamW 7665564A 5 Bytes JMP 6BAC4B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!DialogBoxParamA 7666CF6A 5 Bytes JMP 6BCCF1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!DialogBoxIndirectParamA 7666D29C 5 Bytes JMP 6BCCF27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!MessageBoxIndirectA 7667E8C9 5 Bytes JMP 6BCCF14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!MessageBoxIndirectW 7667E9C3 5 Bytes JMP 6BCCF0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!MessageBoxExA 7667EA29 5 Bytes JMP 6BCCF07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] USER32.dll!MessageBoxExW 7667EA4D 5 Bytes JMP 6BCCF01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] ole32.dll!OleLoadFromStream 76485B88 5 Bytes JMP 6BCCF576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4160] ole32.dll!CoCreateInstance 764D57FC 5 Bytes JMP 6BBA8BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] ntdll.dll!NtProtectVirtualMemory 770C5360 5 Bytes JMP 000B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] ntdll.dll!NtWriteVirtualMemory 770C5EE0 5 Bytes JMP 0017000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] ntdll.dll!KiUserExceptionDispatcher 770C6448 5 Bytes JMP 000A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!CreateWindowExW 76630E51 5 Bytes JMP 6BBA80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!DialogBoxIndirectParamW 76654AA7 5 Bytes JMP 6BCCF218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!DialogBoxParamW 7665564A 5 Bytes JMP 6BAC4B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!DialogBoxParamA 7666CF6A 5 Bytes JMP 6BCCF1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!DialogBoxIndirectParamA 7666D29C 5 Bytes JMP 6BCCF27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!MessageBoxIndirectA 7667E8C9 5 Bytes JMP 6BCCF14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!MessageBoxIndirectW 7667E9C3 5 Bytes JMP 6BCCF0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!MessageBoxExA 7667EA29 5 Bytes JMP 6BCCF07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4440] USER32.dll!MessageBoxExW 7667EA4D 5 Bytes JMP 6BCCF01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F62494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F45624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F456E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F6250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F58573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F54D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F550CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F551A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73F566D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F582CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F58819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F5907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F5E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3144] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F54C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [020E73CC] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [020E73CC] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [020E73CC] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [020E73CC] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [020E73CC] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [020E73CC] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4964] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [020E7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8645BAC8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00225f0cf667@0021fb0c295f 0x12 0xEC 0xF5 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE7 0x3E 0xC9 0x8D ...
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
and ComboFix Quote:
ComboFix 10-04-14.04 - Tobi 15.04.2010 21:09:19.6.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.3067.2135 [GMT 2:00]
ausgeführt von:: c:\users\Tobi\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((( Dateien erstellt von 2010-03-15 bis 2010-04-15 ))))))))))))))))))))))))))))))
.
2010-04-15 19:16 . 2010-04-15 19:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-12 19:57 . 2010-04-12 20:17 -------- d-----w- C:\Combo-Fix
2010-04-11 10:26 . 2010-04-15 18:36 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-11 10:26 . 2010-04-14 15:31 -------- d-----w- c:\programdata\Hitman Pro
2010-04-11 10:26 . 2010-04-11 10:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 23:08 . 2010-04-10 23:08 -------- d-----w- C:\_OTL
2010-04-10 17:21 . 2010-04-10 17:21 -------- d-----w- c:\users\Tobi\AppData\Roaming\Avira
2010-04-10 16:18 . 2010-04-10 16:18 -------- d-----w- c:\programdata\Avira
2010-04-10 16:18 . 2010-03-01 07:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-10 16:18 . 2009-05-11 09:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-10 16:18 . 2009-05-11 09:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-10 15:51 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 15:51 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 11:53 . 2010-04-10 11:54 -------- d-----w- c:\program files\trend micro
2010-04-10 11:53 . 2010-04-10 11:53 -------- d-----w- C:\rsit
2010-04-09 08:52 . 2010-04-09 08:52 -------- d-----w- c:\users\Tobi\AppData\Roaming\Malwarebytes
2010-04-09 08:52 . 2010-04-09 08:52 -------- d-----w- c:\programdata\Malwarebytes
2010-04-09 08:52 . 2010-04-11 17:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-09 08:51 . 2010-04-09 08:51 -------- d-----w- c:\program files\CCleaner
2010-03-31 13:17 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 15:30 . 2010-03-30 15:30 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 17:59 . 2010-03-26 18:02 -------- d-----w- c:\program files\Common Files\3DO Shared
2010-03-26 17:59 . 2010-03-26 18:02 -------- d-----w- c:\program files\3DO
2010-03-26 17:58 . 1998-10-29 15:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\24269\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\24269\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\24269\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\24269\AcrobatUpdater.exe
2010-03-23 18:42 . 2010-03-22 09:25 780288 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\pmv306a-1003220-0-libOctoshapeClient.dll
2010-03-21 11:11 . 2010-03-21 11:11 -------- d-----w- c:\users\Tobi\AppData\Local\Zattoo
2010-03-21 11:09 . 2010-03-21 11:09 -------- d-----w- c:\program files\Zattoo4
2010-03-17 15:59 . 2010-03-17 15:59 -------- d-----w- c:\users\Tobi\AppData\Local\AOL
2010-03-17 15:58 . 2010-04-03 11:21 -------- d-----w- c:\program files\ICQ7.0
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 19:16 . 2009-11-01 15:07 -------- d-----w- c:\users\Tobi\AppData\Roaming\Skype
2010-04-15 19:04 . 2009-11-18 18:34 -------- d-----w- c:\users\Tobi\AppData\Roaming\ICQ
2010-04-15 18:35 . 2009-11-01 15:08 -------- d-----w- c:\users\Tobi\AppData\Roaming\skypePM
2010-04-15 17:26 . 2009-07-14 08:47 643866 ----a-w- c:\windows\system32\perfh007.dat
2010-04-15 17:26 . 2009-07-14 08:47 126394 ----a-w- c:\windows\system32\perfc007.dat
2010-04-15 14:56 . 2009-11-01 14:04 -------- d-----w- c:\program files\Winamp Remote
2010-04-14 16:08 . 2010-04-14 16:08 -------- d-----w- c:\program files\LSoft Technologies
2010-04-14 16:08 . 2009-11-01 13:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-12 21:46 . 2009-11-01 21:03 -------- d-----w- c:\users\Tobi\AppData\Roaming\vlc
2010-04-12 14:38 . 2010-04-12 19:58 21584 ----a-w- c:\windows\system32\drivers\tskBE01.tmp
2010-04-11 17:55 . 2009-11-01 13:24 -------- d-----w- c:\program files\DellTPad
2010-04-10 16:16 . 2010-04-10 13:48 112 ----a-w- c:\programdata\5XAtt3xo2.dat
2010-03-26 17:20 . 2009-11-10 18:38 -------- d-----w- c:\program files\Garena
2010-03-22 15:57 . 2009-11-01 15:39 119506 ----a-w- c:\windows\War3Unin.dat
2010-03-18 11:09 . 2009-11-01 13:59 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-16 15:40 . 2010-03-12 17:11 -------- d-----w- c:\programdata\PPLive
2010-03-16 12:48 . 2010-03-12 21:28 -------- d-----w- c:\programdata\PPLiveVA
2010-03-16 12:48 . 2010-03-12 17:04 -------- d-----w- c:\users\Tobi\AppData\Roaming\PPLive
2010-03-16 12:48 . 2010-03-12 17:04 -------- d-----w- c:\program files\PPLive
2010-03-13 13:11 . 2010-03-13 13:11 -------- d-----w- c:\programdata\Jlcm
2010-03-13 13:11 . 2010-03-13 13:11 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
2010-03-12 21:30 . 2010-03-12 21:29 12204184 ----a-w- c:\programdata\PPLive\cache\ppva\pptvsetup_2.4.1.0014_s2_hasppva.exe
2010-03-12 21:30 . 2010-03-12 17:13 12204184 ----a-w- c:\users\Tobi\AppData\Roaming\PPLive\Update\Update.exe
2010-03-12 17:20 . 2010-03-12 17:19 468480 ----a-w- c:\programdata\PPLive\test_vod1.dll
2010-03-12 16:32 . 2010-03-12 16:31 -------- d-----w- c:\program files\TVAnts
2010-03-08 21:33 . 2010-04-14 15:19 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 12:07 . 2010-04-14 16:49 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-27 12:07 . 2010-04-14 16:49 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 07:32 . 2010-04-14 15:19 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-27 07:32 . 2010-04-14 15:19 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-27 07:32 . 2010-04-14 15:19 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-26 19:33 . 2010-02-26 19:33 -------- d-----w- c:\programdata\TVU Networks
2010-02-26 19:33 . 2010-02-26 19:32 -------- d-----w- c:\program files\TVUPlayer
2010-02-26 19:30 . 2010-02-26 19:29 4519389 ----a-w- c:\users\Tobi\AppData\Roaming\TVU Networks\AutoUpgrade\TVUPlayer2.5.2.2.exe
2010-02-26 19:29 . 2010-02-26 19:29 -------- d-----w- c:\users\Tobi\AppData\Roaming\TVU Networks
2010-02-26 06:06 . 2010-02-26 06:06 2626360 ----a-w- c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-02-24 09:16 . 2009-11-01 13:37 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 11:24 . 2009-11-10 17:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-11 07:10 . 2010-03-06 22:23 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-08 21:31 . 2009-11-03 19:35 71960 ----a-w- c:\users\Tobi\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-05 12:38 . 2010-02-05 12:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-02 07:45 . 2010-02-24 09:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-01 12:24 . 2010-02-08 15:25 71960 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-npoctoshape.dll
2010-02-01 12:24 . 2010-02-08 15:25 417280 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-libOctoshapeClient.dll
2010-02-01 12:24 . 2010-02-08 15:25 124184 ----a-w- c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-apoctoshape.dll
2010-01-18 23:29 . 2010-02-10 10:21 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 10:21 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 10:21 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 10:21 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 10:21 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 10:21 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 10:21 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 10:21 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-04-11_16.26.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-14 15:19 . 2010-02-27 07:33 95744 c:\windows\winsxs\x86_microsoft-windows-smb20-minirdr_31bf3856ad364e35_6.1.7600.20655_none_8b5b5c1a041ebcac\mrxsmb20.sys
+ 2010-04-14 15:19 . 2010-02-27 07:32 95744 c:\windows\winsxs\x86_microsoft-windows-smb20-minirdr_31bf3856ad364e35_6.1.7600.16539_none_8aeb604eeaed4a5c\mrxsmb20.sys
+ 2009-11-01 13:44 . 2010-04-15 19:07 43742 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-04-15 19:07 47222 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-01 13:20 . 2010-04-15 14:57 10228 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1981820849-1269703919-3846408820-1001_UserData.bin
- 2010-04-11 00:27 . 2010-04-11 01:10 67584 c:\windows\System32\LogFiles\Srt\bootstat.dat
+ 2010-04-11 00:27 . 2010-04-15 15:10 67584 c:\windows\System32\LogFiles\Srt\bootstat.dat
+ 2009-11-01 13:06 . 2010-04-15 19:05 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-06 19:05 . 2010-04-11 09:43 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-04-06 19:05 . 2010-04-15 18:34 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2009-07-14 04:41 . 2010-04-11 16:14 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-04-15 19:05 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-15 19:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-04-15 14:45 83416 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:34 . 2010-04-10 23:40 83416 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-15 19:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:11 . 2010-04-15 19:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:11 . 2010-04-11 16:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-01 13:20 . 2010-04-15 19:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-03 18:04 . 2010-04-15 19:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-03 18:04 . 2010-04-15 19:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-03 18:04 . 2010-04-15 19:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-03 18:04 . 2010-04-11 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-01 13:20 . 2010-04-15 19:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:20 . 2010-04-15 19:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-01 13:20 . 2010-04-11 16:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-15 19:05 . 2010-04-15 19:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-11 16:14 . 2010-04-11 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-11 16:14 . 2010-04-11 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-15 19:05 . 2010-04-15 19:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-14 16:49 . 2009-12-29 07:11 172032 c:\windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7600.20605_none_f064afe014413504\wintrust.dll
+ 2010-04-14 16:49 . 2009-12-29 06:55 172032 c:\windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7600.16493_none_ef77c14efb6e60de\wintrust.dll
+ 2010-04-14 15:19 . 2010-02-27 07:33 123392 c:\windows\winsxs\x86_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7600.20655_none_8011d3b3cb764ad9\mrxsmb.sys
+ 2010-04-14 15:19 . 2010-02-27 07:32 123392 c:\windows\winsxs\x86_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7600.16539_none_7fa1d7e8b244d889\mrxsmb.sys
+ 2010-04-14 15:19 . 2010-02-27 07:33 221696 c:\windows\winsxs\x86_microsoft-windows-smb10-minirdr_31bf3856ad364e35_6.1.7600.20655_none_8924f207c5c7893b\mrxsmb10.sys
+ 2010-04-14 15:19 . 2010-02-27 07:32 221696 c:\windows\winsxs\x86_microsoft-windows-smb10-minirdr_31bf3856ad364e35_6.1.7600.16539_none_88b4f63cac9616eb\mrxsmb10.sys
+ 2010-04-14 15:19 . 2010-03-08 21:39 427520 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.20662_none_48cc9903a84aaeeb\vbscript.dll
+ 2010-04-14 15:19 . 2010-03-08 21:33 427520 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16546_none_485c9d388f193c9b\vbscript.dll
+ 2010-04-14 07:21 . 2010-01-09 06:49 132608 c:\windows\winsxs\x86_microsoft-windows-cabview_31bf3856ad364e35_6.1.7600.20613_none_38abfbd35bb8e7a9\cabview.dll
+ 2010-04-14 07:21 . 2010-01-09 06:52 132608 c:\windows\winsxs\x86_microsoft-windows-cabview_31bf3856ad364e35_6.1.7600.16500_none_382a2e164295dfe9\cabview.dll
+ 2010-04-14 16:49 . 2009-12-29 06:55 172032 c:\windows\System32\wintrust.dll
- 2009-07-14 02:05 . 2010-04-10 08:16 607190 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-04-15 17:26 607190 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-04-15 17:26 103568 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2010-04-10 08:16 103568 c:\windows\System32\perfc009.dat
- 2009-11-01 13:12 . 2010-04-11 16:14 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-11-01 13:12 . 2010-04-15 18:34 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-11-01 13:06 . 2010-04-11 16:14 622592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-01 13:06 . 2010-04-15 19:05 622592 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-14 07:21 . 2010-01-09 06:52 132608 c:\windows\System32\cabview.dll
+ 2009-07-14 04:47 . 2010-04-14 16:37 400656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-04-11 22:02 . 2010-04-14 16:37 400656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1981820849-1269703919-3846408820-1001-12288.dat
+ 2010-04-14 16:49 . 2010-02-27 11:46 3899784 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntoskrnl.exe
+ 2010-04-14 16:49 . 2010-02-27 11:46 3954568 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntkrnlpa.exe
+ 2010-04-14 16:49 . 2010-02-27 12:07 3899280 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntoskrnl.exe
+ 2010-04-14 16:49 . 2010-02-27 12:07 3954568 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntkrnlpa.exe
- 2009-07-14 02:03 . 2010-04-11 11:01 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2010-04-15 17:41 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 04:34 . 2010-04-10 19:03 3897560 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2010-04-15 08:32 3897560 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 08:45 . 2010-04-14 15:21 26024886 c:\windows\winsxs\ManifestCache\e4e8be02b8fae2a7_blobs.bin
+ 2009-11-02 20:02 . 2010-04-06 17:52 31971272 c:\windows\System32\MRT.exe
.
-- Snapshot auf jetziges Datum zurückgesetzt --
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Octoshape Streaming Services"="c:\users\Tobi\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Steam"="c:\spiele\Steam\\Steam.exe" [2010-02-22 1217872]
"PPAP"="c:\program files\Common Files\PPLiveNetwork\PPAP.exe" [2010-02-04 173512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3563520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-1 813584]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-9 1616976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 135664]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 GarenaPEngine;GarenaPEngine;c:\users\Tobi\AppData\Local\Temp\RZNF628.tmp [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_c8e33401effad09d\aestsrv.exe [2008-02-28 73728]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-12-18 54784]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-01-29 203264]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-06-03 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-05-13 277504]
.
Inhalt des "geplante Tasks" Ordners
2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 12:08]
2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 12:08]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\ICQ7.0\ICQ.exe
FF - ProfilePath - c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\
FF - prefs.js: browser.startup.homepage - www.t-online.de
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\Firefox\Profiles\ker0n89o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\users\Tobi\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "hxxp://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86470AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x853cae88
QueryNameProcedure -> 0x853ca018
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"ImagePath"="system32\drivers\tskBE01.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Tobi\AppData\Local\Temp\RZNF628.tmp"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'Explorer.exe'(4412)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
.
Zeit der Fertigstellung: 2010-04-15 21:19:43
ComboFix-quarantined-files.txt 2010-04-15 19:19
ComboFix2.txt 2010-04-12 20:17
ComboFix3.txt 2010-04-12 15:53
ComboFix4.txt 2010-04-11 18:25
ComboFix5.txt 2010-04-15 19:02
Vor Suchlauf: 29 Verzeichnis(se), 47.912.816.640 Bytes frei
Nach Suchlauf: 30 Verzeichnis(se), 47.881.850.880 Bytes frei
- - End Of File - - 90855A417311213F389254585C8645F5
OTL as a zip in the attachment