AVAST: Rootkit-Warnung bei Windows Update oder Fehlalarm ?
Liste der Anhänge anzeigen (Anzahl: 2) Hallo zusammen,
Während des heutigen Windows-Updates poppte eine Rootkit-Warnung "Win32:Aluroot-B [Rtk]" von Avast auf.
Im Virus Container werden mehrere Dateien angezeigt, allerdings mit der Meldung "kein Virus".
Ist das ein Fehlalarm?
Bisher habe ich auch keine Auffälligkeiten bemerkt.
Da ich die dazugehörige Liste des Virus Containers nicht als Text-Datei anfügen konnte sind diese Ergebnisse als jpg-Dateien angehängt.
Mein System: Windows 7 SP1 Home Premium 32bit
Heute Mittag wurde mit Malwarebytes und Avast gescannt:
Malwarebytes Code:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Datenbank Version: v2013.04.09.03
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16521
User :: USER-PC [Administrator]
09.04.2013 10:51:55
mbam-log-2013-04-09 (10-51-55).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 298346
Laufzeit: 40 Minute(n), 31 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)
(Ende)
Avast Code:
*
* avast! Bericht
* Diese Berichtdatei wurde automatisch erstellt
*
* Prüfungsname: Vollständige Überprüfung
* Start: Dienstag, 9. April 2013 11:59:23
* VPS: 130409-0, 09.04.2013
*
C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Zugriff verweigert (5)
C:\hiberfil.sys [E] Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird (32)
C:\pagefile.sys [E] Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird (32)
D:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Zugriff verweigert (5)
\\?\Volume{563206b9-8203-11e2-bf10-806e6f6e6963}\d2d\patch\MODULES\WINCRE\WOP0001204D0TC017.SWM|>photomaker.chm14|>embim66.png|> [E] ARJ-Archiv ist beschädigt. (42120)
\\?\Volume{563206ba-8203-11e2-bf10-806e6f6e6963}\$Extend\$RmMetadata\$TxfLog\$Tops [E] Zugriff verweigert (5)
Infizierte Dateien: 0
Dateien gesamt: 376992
Ordner gesamt: 16446
Gesamtgröße: 88,1 GB
*
* Prüfung beendet: Dienstag, 9. April 2013 12:43:12
* Laufzeit war 43 Minute(n), 49 Sekunde(n)
*
Desweiteren wurden die Schritte zur Eröffnung eines Themas unternommen.
defogger Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:20 on 09/04/2013 (User)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
OTL
OTL Logfile: Code:
OTL logfile created on: 09.04.2013 21:10:30 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Johannes\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16540)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,87 Gb Total Physical Memory | 2,23 Gb Available Physical Memory | 77,73% Memory free
5,75 Gb Paging File | 5,08 Gb Available in Paging File | 88,40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 234,28 Gb Total Space | 163,61 Gb Free Space | 69,84% Space Free | Partition Type: NTFS
Drive D: | 53,95 Gb Total Space | 53,79 Gb Free Space | 99,71% Space Free | Partition Type: NTFS
Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.04.09 21:05:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Johannes\Desktop\OTL.exe
PRC - [2013.03.07 01:32:44 | 004,767,304 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013.03.07 01:32:44 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2012.11.23 04:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.08.18 03:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009.08.18 03:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
========== Modules (No Company Name) ==========
========== Services (SafeList) ==========
SRV - [2013.04.02 23:43:10 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.03.07 01:32:44 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011.07.20 06:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2010.11.20 05:17:58 | 001,121,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2009.08.18 03:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
========== Driver Services (SafeList) ==========
DRV - [2013.03.07 01:33:24 | 000,765,736 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013.03.07 01:33:24 | 000,368,176 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013.03.07 01:33:24 | 000,164,736 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013.03.07 01:33:24 | 000,062,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013.03.07 01:33:24 | 000,049,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013.03.07 01:33:23 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013.03.07 01:33:23 | 000,060,656 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2013.03.07 01:33:22 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012.08.23 16:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2012.08.23 16:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2009.10.05 17:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009.08.18 04:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009.07.14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009.07.14 00:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\k57nd60x.sys -- (k57nd60x)
DRV - [2006.08.04 19:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130402
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.5.9
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.03.14 22:14:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.04.02 23:43:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2013.03.01 12:06:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2013.04.02 23:43:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\xtdtbbfm.default\extensions
[2013.04.02 23:43:31 | 000,000,000 | ---D | M] (WOT) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\xtdtbbfm.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013.04.02 23:43:31 | 000,531,916 | ---- | M] () (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\xtdtbbfm.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013.03.01 12:07:34 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\xtdtbbfm.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013.04.02 23:42:54 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2013.04.02 23:43:12 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2013.03.07 17:45:15 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013.03.07 17:45:15 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013.03.07 17:45:15 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2013.03.07 17:45:15 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2013.03.07 17:45:15 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2013.03.07 17:45:15 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2CD201FE-9896-48B6-8AEC-A9EE64B8C749}: DhcpNameServer = 129.69.252.252 129.69.252.212 129.69.252.202 129.69.252.232
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A634B0C-B468-4FB4-969B-A8B29D2FADE2}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013.04.02 23:42:52 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.03.26 00:42:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited
[2013.03.18 21:34:06 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Adobe
========== Files - Modified Within 30 Days ==========
[2013.04.09 20:46:00 | 000,001,132 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-705806964-636823041-625069164-1001UA.job
[2013.04.09 20:19:26 | 000,014,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.09 20:19:26 | 000,014,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.09 20:16:27 | 000,654,166 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.04.09 20:16:27 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.04.09 20:16:27 | 000,130,006 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.04.09 20:16:27 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.04.09 20:12:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.09 20:11:59 | 2313,965,568 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.09 19:57:02 | 000,310,080 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.03.28 17:46:00 | 000,001,080 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-705806964-636823041-625069164-1001Core.job
[2013.03.14 22:14:07 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013.03.12 20:48:10 | 000,025,185 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2013.03.10 21:34:36 | 000,001,106 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
========== Files Created - No Company Name ==========
[2013.03.12 20:48:10 | 000,025,185 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2013.03.04 22:26:10 | 000,164,736 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.03.04 22:26:09 | 000,049,248 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.03.01 02:05:33 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
========== ZeroAccess Check ==========
[2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 05:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2013.03.05 21:38:57 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Softland
========== Purity Check ==========
< End of report >
--- --- ---
[/CODE]
OTL Logfile: Code:
OTL Extras logfile created on: 09.04.2013 21:10:30 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Johannes\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16540)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,87 Gb Total Physical Memory | 2,23 Gb Available Physical Memory | 77,73% Memory free
5,75 Gb Paging File | 5,08 Gb Available in Paging File | 88,40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 234,28 Gb Total Space | 163,61 Gb Free Space | 69,84% Space Free | Partition Type: NTFS
Drive D: | 53,95 Gb Total Space | 53,79 Gb Free Space | 99,71% Space Free | Partition Type: NTFS
Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0438E4CE-6FF7-42DC-AE70-C6F4702DAEBA}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{64F08C92-00B0-41DB-A3EF-8B566A8FAF41}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"avast" = avast! Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"doPDF 7 printer_is1" = doPDF 7.3 printer
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox 20.0 (x86 de)" = Mozilla Firefox 20.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Personal Backup 5_is1" = Personal Backup 5.4
"SumatraPDF" = SumatraPDF
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 28.02.2013 20:44:03 | Computer Name = User-PC | Source = EventSystem | ID = 4621
Description =
Error - 02.03.2013 12:58:29 | Computer Name = User-PC | Source = VSS | ID = 8194
Description =
Error - 05.03.2013 23:10:29 | Computer Name = User-PC | Source = ESENT | ID = 215
Description = WinMail (3560) WindowsMail0: Die Sicherung wurde abgebrochen, weil
sie vom Client angehalten wurde, oder weil die Verbindung mit dem Client unterbrochen
wurde.
Error - 21.03.2013 17:30:18 | Computer Name = User-PC | Source = Windows Backup | ID = 4103
Description =
Error - 25.03.2013 18:52:07 | Computer Name = User-PC | Source = Application Hang | ID = 1002
Description = Programm cdbxpp.exe, Version 4.5.1.3868 kann nicht mehr unter Windows
ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: e18 Startzeit:
01ce29a9fdb5b245 Endzeit: 0 Anwendungspfad: C:\Program Files\CDBurnerXP\cdbxpp.exe
Berichts-ID:
62bdfb5d-959e-11e2-a96e-001f16b672c9
[ System Events ]
Error - 09.04.2013 04:50:11 | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter
Error - 09.04.2013 04:50:11 | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active
Error - 09.04.2013 05:58:09 | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter
Error - 09.04.2013 05:58:09 | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active
Error - 09.04.2013 12:13:53 | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter
Error - 09.04.2013 12:13:53 | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active
Error - 09.04.2013 13:56:57 | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter
Error - 09.04.2013 13:56:57 | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active
Error - 09.04.2013 14:12:05 | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter
Error - 09.04.2013 14:12:05 | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active
< End of report >
--- --- ---
Gmer
[CODE]
GMER Logfile: Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-09 21:42:42
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\User\AppData\Local\Temp\kgldapob.sys
---- System - GMER 2.1 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8EE1C59C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x904D0388]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8EE1D02E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8EE287F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8EE2883E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8EE289D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8EE28760]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x904D0720]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8EE287A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8EE1D52C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8EE1D748]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8EE28992]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8EE1DDE4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8EE1C602]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0x8EE215C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x904D0450]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x904CE9B4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8EE1C668]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8EE2198C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8EE1E874]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8EE2881C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8EE28860]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8EE289FC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8EE28786]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0x8EE20EA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8EE28910]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8EE287D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0x8EE2129A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8EE289B6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x904D05B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8EE1E740]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8EE1E44E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8EE1C6CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8EE1C734]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8EE1DC5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8EE1C284]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8EE1C45A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8EE1C3E8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8EE1DFAE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8EE1E110]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8EE1C4E2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x904D0678]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8EE1DC3E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x904CE9E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8EE1C79A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x904D04FC]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x904E9BA0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A8BA09 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC51F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82ACC220 4 Bytes [9C, C5, E1, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82ACC248 4 Bytes [88, 03, 4D, 90] {MOV [EBX], AL; DEC EBP; NOP }
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82ACC2A8 4 Bytes [2E, D0, E1, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82ACC2FC 8 Bytes [F2, 87, E2, 8E, 3E, 88, E2, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82ACC308 4 Bytes [D8, 89, E2, 8E]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C59D3D 5 Bytes JMP 904E6A3A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C72380 5 Bytes JMP 904E856C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C874DF 4 Bytes CALL 8EE1EF37 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82CA1333 4 Bytes CALL 8EE1EF4D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D2B224 7 Bytes JMP 904E9BA4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E32000, 0x2D5378, 0xE8000020]
.text autochk.exe 004F11D1 7 Bytes [56, 8B, 75, 08, 6A, 38, 6A]
.text autochk.exe 004F11D9 4 Bytes [56, E8, FF, D4]
.text autochk.exe 004F11DF 1 Byte [83]
.text autochk.exe 004F11DF 5 Bytes [83, 00, 40, 79, 8A] {ADD DWORD [EAX], 0x40; JNS 0xffffff8f}
.text autochk.exe 004F11E5 1 Byte [E0]
.text ...
.text kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\csrss.exe[400] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[472] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[480] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text ...
.text C:\Windows\system32\svchost.exe[720] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000E03FC
.text C:\Windows\system32\svchost.exe[720] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000E01F8
.text C:\Windows\system32\svchost.exe[720] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[720] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\svchost.exe[720] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\svchost.exe[720] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\svchost.exe[720] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\svchost.exe[720] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[788] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[832] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[916] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text ...
.text C:\Windows\system32\taskhost.exe[1196] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000D03FC
.text C:\Windows\system32\taskhost.exe[1196] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000D01F8
.text C:\Windows\system32\taskhost.exe[1196] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1196] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[1196] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[1196] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[1196] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[1196] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 000E0600
.text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1356] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000E03FC
.text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000E01F8
.text C:\Windows\system32\svchost.exe[1376] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\spoolsv.exe[1500] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\DRIVERS\xaudio.exe[1800] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[2144] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 001E03FC
.text C:\Windows\system32\atieclxx.exe[2144] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 001E01F8
.text C:\Windows\system32\atieclxx.exe[2144] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[2144] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atieclxx.exe[2144] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atieclxx.exe[2144] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atieclxx.exe[2144] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atieclxx.exe[2144] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\svchost.exe[2568] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2568] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[2568] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2568] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00090A08
.text C:\Windows\System32\svchost.exe[2568] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 000903FC
.text C:\Windows\System32\svchost.exe[2568] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00090804
.text C:\Windows\System32\svchost.exe[2568] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 000901F8
.text C:\Windows\System32\svchost.exe[2568] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00090600
.text C:\Windows\system32\SearchIndexer.exe[2620] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000E03FC
.text C:\Windows\system32\SearchIndexer.exe[2620] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000E01F8
.text C:\Windows\system32\SearchIndexer.exe[2620] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2620] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\SearchIndexer.exe[2620] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\SearchIndexer.exe[2620] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\SearchIndexer.exe[2620] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\SearchIndexer.exe[2620] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\AUDIODG.EXE[2704] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3084] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Users\Johannes\Desktop\gmer_2.1.19163.exe[3116] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[3444] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[3448] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000E03FC
.text C:\Windows\Explorer.EXE[3448] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000E01F8
.text C:\Windows\Explorer.EXE[3448] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[3448] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00100A08
.text C:\Windows\Explorer.EXE[3448] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001003FC
.text C:\Windows\Explorer.EXE[3448] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00100804
.text C:\Windows\Explorer.EXE[3448] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001001F8
.text C:\Windows\Explorer.EXE[3448] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\Dwm.exe[3460] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 001203FC
.text C:\Windows\system32\Dwm.exe[3460] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 001201F8
.text C:\Windows\system32\Dwm.exe[3460] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[3460] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[3460] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[3460] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[3460] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[3460] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00130600
.text C:\Windows\system32\DllHost.exe[3500] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\DllHost.exe[3500] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\DllHost.exe[3500] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\DllHost.exe[3500] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00170A08
.text C:\Windows\system32\DllHost.exe[3500] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001703FC
.text C:\Windows\system32\DllHost.exe[3500] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00170804
.text C:\Windows\system32\DllHost.exe[3500] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001701F8
.text C:\Windows\system32\DllHost.exe[3500] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00170600
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] ntdll.dll!LdrUnloadDll 7773C86E 5 Bytes JMP 000F03FC
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] ntdll.dll!LdrLoadDll 7774223E 5 Bytes JMP 000F01F8
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] KERNEL32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] USER32.dll!UnhookWindowsHookEx 75F4ADF9 5 Bytes JMP 00110A08
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] USER32.dll!UnhookWinEvent 75F4B750 5 Bytes JMP 001103FC
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] USER32.dll!SetWindowsHookExW 75F4E30C 5 Bytes JMP 00110804
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] USER32.dll!SetWinEventHook 75F524DC 5 Bytes JMP 001101F8
.text C:\Users\Johannes\AppData\Local\Google\Update\GoogleUpdate.exe[3568] USER32.dll!SetWindowsHookExA 75F76D0C 5 Bytes JMP 00110600
---- Devices - GMER 2.1 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- EOF - GMER 2.1 ----
--- --- ---
Für etwaige Fehler möchte ich mich gleich entschuldigen und bedanke mich für die Unterstützung.
Gruß
Edit:
Ich bin anscheinend nicht der einzige mit dem Problem :balla: :
hxxp://forum.avast.com/index.php?topic=120791.0 :MS Patch Tuesday updates |
