carty1968 | 24.02.2015 00:20 | Teil 2
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-02-23 23:22:48
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f TOSHIBA_MQ01ABD100 rev.AX0A4M 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\Home\AppData\Local\Temp\uxldipog.sys
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atieclxx.exe[744] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atieclxx.exe[744] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atieclxx.exe[744] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\atieclxx.exe[744] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\WLANExt.exe[1188] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\WLANExt.exe[1188] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\WLANExt.exe[1188] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\WLANExt.exe[1188] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Windows\System32\spoolsv.exe[1324] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\System32\spoolsv.exe[1324] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\System32\spoolsv.exe[1324] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\System32\spoolsv.exe[1324] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1452] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffe47861f6a 4 bytes [86, 47, FE, 7F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1452] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffe47861f82 4 bytes [86, 47, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1676] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1676] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1676] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1676] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1676] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffe47861f6a 4 bytes [86, 47, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1676] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffe47861f82 4 bytes [86, 47, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1300] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1300] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1300] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1300] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1592] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1592] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1592] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1592] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2164] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2164] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2164] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2164] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[2404] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[2404] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[2404] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[2404] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2504] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2504] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2504] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2504] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\wbem\wmiprvse.exe[2988] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\wbem\wmiprvse.exe[2988] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\wbem\wmiprvse.exe[2988] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\system32\wbem\wmiprvse.exe[2988] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Windows\Explorer.EXE[3688] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\Explorer.EXE[3688] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Windows\Explorer.EXE[3688] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Windows\Explorer.EXE[3688] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\iTunes\iTunesHelper.exe[4348] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffe47861f6a 4 bytes [86, 47, FE, 7F]
.text C:\Program Files\iTunes\iTunesHelper.exe[4348] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffe47861f82 4 bytes [86, 47, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[3140] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe5141169a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[3140] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe514116a2 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[3140] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe5141181a 4 bytes [41, 51, FE, 7F]
.text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[3140] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe51411832 4 bytes [41, 51, FE, 7F]
---- Threads - GMER 2.1 ----
Thread C:\Windows\system32\csrss.exe [664:688] fffff96000976b90
---- Processes - GMER 2.1 ----
Process C:\Users\Home\AppData\Roaming\8121205F-1423940649-F142-8B62-CE2A6494D244\JOSrv.exe (*** suspicious ***) @ C:\Users\Home\AppData\Roaming\8121205F-1423940649-F142-8B62-CE2A6494D244\JOSrv.exe [2056](2015-02-14 18:04:36) 0000000000300000
Process C:\Users\Home\AppData\Local\Temp\nsw518D.tmp (*** suspicious ***) @ C:\Users\Home\AppData\Local\Temp\nsw518D.tmp [5696] ( / )(2015-02-23 22:06:00) 0000000000400000
Library C:\Users\Home\AppData\Local\Temp\IS4563~1\1612212_stp\RAM.dll (*** suspicious ***) @ C:\Users\Home\AppData\Local\Temp\nsw518D.tmp [5696](2014-02-25 09:55:26) 0000000004350000
Library C:\Users\Home\AppData\Local\Temp\IS4563~1\1612184_stp\icc.dll (*** suspicious ***) @ C:\Users\Home\AppData\Local\Temp\nsw518D.tmp [5696](2015-02-16 12:59:32) 0000000004380000
Library C:\Users\Home\AppData\Local\Temp\IS4563~1\161218~1\sqlite3.dll (*** suspicious ***) @ C:\Users\Home\AppData\Local\Temp\nsw518D.tmp [5696](2014-12-02 15:09:00) 0000000006aa0000
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- EOF - GMER 2.1 ----
Malwarebytes Anti-Malware
www.malwarebytes.org
Update, 23.02.2015 20:44:44, SYSTEM, NOTEBOOK-ONE, Scheduler, Rootkit Database, 2015.2.20.1, 2015.2.22.1,
Update, 23.02.2015 20:45:00, SYSTEM, NOTEBOOK-ONE, Scheduler, Malware Database, 2015.2.21.5, 2015.2.23.7,
Protection, 23.02.2015 20:45:00, SYSTEM, NOTEBOOK-ONE, Protection, Refresh, Starting,
Protection, 23.02.2015 20:45:00, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Stopping,
Protection, 23.02.2015 20:45:00, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Stopped,
Protection, 23.02.2015 20:47:24, SYSTEM, NOTEBOOK-ONE, Protection, Refresh, Success,
Protection, 23.02.2015 20:47:24, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 20:47:24, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Started,
Detection, 23.02.2015 20:59:18, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, File, PUP.Optional.PhraseFinder.A, C:\Users\Home\AppData\Local\Temp\is45637729\108878679_stp\phrasefinder-setup-1.10.0.8.exe, Quarantine, [3ba860c12d5db086eb80d747db27ef11]
Detection, 23.02.2015 21:00:08, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, File, PUP.Optional.SkyTech.A, C:\Users\Home\AppData\Local\Temp\158AF40F-387C-4D75-B9F1-9186769876B9mp\cleanup.dll, Quarantine, [16cd061b672363d3295ab04e966b9f61]
Protection, 23.02.2015 21:16:54, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, Starting,
Protection, 23.02.2015 21:16:55, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, Started,
Protection, 23.02.2015 21:16:55, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 21:16:56, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Started,
Detection, 23.02.2015 21:26:40, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, File, PUP.Optional.SettingsManager.A, C:\Program Files (x86)\Assets Manager\smdmf\Uninstall.exe, Quarantine, [be25ef3263278fa720c27c1862a1966a]
Protection, 23.02.2015 22:40:52, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, Starting,
Protection, 23.02.2015 22:40:52, SYSTEM, NOTEBOOK-ONE, Protection, Malware Protection, Started,
Protection, 23.02.2015 22:40:52, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 22:40:52, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Started,
Update, 23.02.2015 23:29:55, SYSTEM, NOTEBOOK-ONE, Scheduler, Malware Database, 2015.2.23.7, 2015.2.23.8,
Protection, 23.02.2015 23:29:55, SYSTEM, NOTEBOOK-ONE, Protection, Refresh, Starting,
Protection, 23.02.2015 23:29:55, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Stopping,
Protection, 23.02.2015 23:29:55, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Stopped,
Protection, 23.02.2015 23:32:13, SYSTEM, NOTEBOOK-ONE, Protection, Refresh, Success,
Protection, 23.02.2015 23:32:13, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:13, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:13, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
Protection, 23.02.2015 23:32:24, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:24, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:24, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
Protection, 23.02.2015 23:32:27, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:27, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:27, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
Protection, 23.02.2015 23:32:30, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:30, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:30, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
Protection, 23.02.2015 23:32:32, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:32, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:32, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
Protection, 23.02.2015 23:32:34, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:34, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:34, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
Protection, 23.02.2015 23:32:36, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Starting,
Protection, 23.02.2015 23:32:36, SYSTEM, NOTEBOOK-ONE, Protection, Malicious Website Protection, Failed,
Error, 23.02.2015 23:32:36, SYSTEM, NOTEBOOK-ONE, Protection, MWAC::CreateList - Block List, 3221225473,
(end)