Email Programm öffnet sich selbstständig Sorry, war 2 Tage untgerwegs, hier ist der
GMER Log. Während dem Scan war Internet deaktiviert, und ich habe den PC nicht genutzt, trotzdem ist Outlook geöffnet worden
GMER Logfile:
Code:
Alles auswählen Aufklappen ATTFilter
GMER 1.0.15.15627 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-11 19:58:11
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD2500BEVS-22UST0 rev.01.01A01
Running: s2f16foc.exe; Driver: C:\Users\Michael\AppData\Local\Temp\uwliifow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x99FEB780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x99FEB830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x99FEB8D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x99FEB970]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A45339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7ED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82A86094 4 Bytes [80, B7, FE, 99]
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82A86364 8 Bytes [30, B8, FE, 99, D0, B8, FE, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82A863D8 4 Bytes [70, B9, FE, 99]
? System32\Drivers\spmf.sys Das System kann den angegebenen Pfad nicht finden. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F63A000, 0x2D5378, 0xE8000020]
.text USBPORT.SYS!DllUnload 91244DB9 5 Bytes JMP 861314E0
.text a3t03h31.SYS 90AE4000 12 Bytes [44, E8, E1, 82, EE, E6, E1, ...]
.text a3t03h31.SYS 90AE400D 9 Bytes [C7, E1, 82, 48, EB, E1, 82, ...]
.text a3t03h31.SYS 90AE4017 170 Bytes [00, DE, 87, DA, 88, E6, 85, ...]
.text a3t03h31.SYS 90AE40C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text a3t03h31.SYS 90AE40CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A8843000 68 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4FD5 A8843045 203 Bytes [8B, C6, F0, 0F, BA, 28, 00, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50A1 A8843111 17 Bytes [87, 01, 6A, 00, 6A, 20, A3, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A8843123 629 Bytes [E5, 83, A8, FE, 05, 34, E5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A8843399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88CAC042] \SystemRoot\System32\Drivers\spmf.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88CAC6D6] \SystemRoot\System32\Drivers\spmf.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88CAC800] \SystemRoot\System32\Drivers\spmf.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88CAC13E] \SystemRoot\System32\Drivers\spmf.sys
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\a3t03h31.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 84C7B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\NetBT \Device\NetBT_Tcpip_{1163B06B-31BA-4F6F-89D8-492B995E3962} 85CE01F8
Device \Driver\volmgr \Device\VolMgrControl 84C771F8
Device \Driver\usbohci \Device\USBPDO-0 85EFD1F8
Device \Driver\usbohci \Device\USBPDO-1 85EFD1F8
Device \Driver\usbehci \Device\USBPDO-2 861031F8
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\volmgr \Device\HarddiskVolume1 84C771F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\sptd \Device\4183385166 spmf.sys
Device \Driver\PCI_PNP7165 \Device\00000058 spmf.sys
Device \Driver\volmgr \Device\HarddiskVolume2 84C771F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 85C291F8
Device \Driver\atapi \Device\Ide\IdePort0 84C791F8
Device \Driver\atapi \Device\Ide\IdePort1 84C791F8
Device \Driver\atapi \Device\Ide\IdePort2 84C791F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84C791F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-5 84C791F8
Device \Driver\volmgr \Device\HarddiskVolume3 84C771F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 85C291F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85CE01F8
Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 85EFD1F8
Device \Driver\usbohci \Device\USBFDO-1 85EFD1F8
Device \Driver\usbehci \Device\USBFDO-2 861031F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7874792B-AD90-47A6-809A-3C770C9AF03A} 85CE01F8
Device \Driver\a3t03h31 \Device\Scsi\a3t03h311 85E661F8
Device \Driver\a3t03h31 \Device\Scsi\a3t03h311Port4Path0Target0Lun0 85E661F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0xCC 0x61 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x07 0xBB 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x30 0x6F 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0xCC 0x61 0x5E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x07 0xBB 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x30 0x6F 0x6C ...
---- EOF - GMER 1.0.15 ----
--- --- ---
Geändert von TheBlubb (11.05.2011 um 19:08 Uhr)
11.05.2011, 18:59
Baum-Darstellung