Re 4: malware logfile:

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3709
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

08.02.2010 22:29:33
Scan 2010-02-08 (22-29-21).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 111128
Laufzeit: 4 minute(s), 37 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{96afbe69-c3b0-4b00-8578-d933d2896ee2} (TrojanProxy.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdateBeta (Backdoor.IRCBot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup (Trojan.Banker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96afbe69-c3b0-4b00-8578-d933d2896ee2} (TrojanProxy.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> No action taken.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\Jürgen\AppData\Roaming\addon.dat (Malware.Trace) -> No action taken.

5. GMER LOGFILE:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-08 22:57:25
Windows 6.1.7600
Running: jyx6zo6s.exe; Driver: C:\Users\JRGEN~1\AppData\Local\Temp\ufldipow.sys

---- System - GMER 1.0.15 ----

SSDT 8CAC22FC ZwCreateThread
SSDT 8CAC22E8 ZwOpenProcess
SSDT 8CAC22ED ZwOpenThread
SSDT 8CAC22F7 ZwTerminateProcess

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A313F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1A2D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A311DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A316F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A321A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A91579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82ABD84C 4 Bytes [FC, 22, AC, 8C]
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82ABD9E8 4 Bytes CALL 7438860F
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82ABDA08 4 Bytes [ED, 22, AC, 8C]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82ABDCB8 4 Bytes [F7, 22, AC, 8C]
? System32\drivers\qkbugkog.sys Das System kann den angegebenen Pfad nicht finden. !
? System32\Drivers\spsx.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 8D845CA0 5 Bytes JMP 85B1F1D8
.text a8w5o6qs.SYS 8D9A5000 12 Bytes [44, C8, A1, 82, EE, C6, A1, ...]
.text a8w5o6qs.SYS 8D9A500D 9 Bytes [A7, A1, 82, 48, CB, A1, 82, ...] {CMPSD ; MOV EAX, [0xa1cb4882]; ADD BYTE [EAX], 0x0}
.text a8w5o6qs.SYS 8D9A5017 170 Bytes [00, DE, 67, 94, 87, E6, 65, ...]
.text a8w5o6qs.SYS 8D9A50C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text a8w5o6qs.SYS 8D9A50CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
.reloc C:\Windows\system32\drivers\acedrv11.sys section is executable [0x99389300, 0x25D4C, 0xE0000060]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x993F3300, 0x1BCE, 0xE8000020]
.text peauth.sys 99834C9D 28 Bytes [D5, 05, 60, DE, FC, ED, 7F, ...]
.text peauth.sys 99834CC1 28 Bytes [D5, 05, 60, DE, FC, ED, 7F, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[644] ole32.dll!CoCreateInstance 75E057FC 5 Bytes JMP 0063000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4864] ntdll.dll!LdrLoadDll 7772F585 5 Bytes JMP 000413F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8783C042] \SystemRoot\System32\Drivers\spsx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8783C6D6] \SystemRoot\System32\Drivers\spsx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8783C800] \SystemRoot\System32\Drivers\spsx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8783C13E] \SystemRoot\System32\Drivers\spsx.sys
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortNotification] 000003E3
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortQuerySystemTime] [8B24568B] \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortReadPortUchar] 50522046
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortStallExecution] FFEC9FE8
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortWritePortUchar] 08C483FF
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortWritePortUlong] 0874FF85
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortGetPhysicalAddress] FF53006A
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 08C483D7
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortGetScatterGatherList] 81107D8B
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortGetParentBusType] 0003E5FF
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortRequestCallback] 0F840F00
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 81000001
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0003E3FF
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortCompleteRequest] EC840F00
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortCopyMemory] 8B000000
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortEtwTraceLog] 0001F88E
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] FC8E0B00
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 0F000001
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 0000DA84
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortReadPortBufferUshort] ECD8E800
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortInitialize] 8E8BFFFF
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortGetDeviceBase] 000001F8
IAT \SystemRoot\System32\Drivers\a8w5o6qs.SYS[ataport.SYS!AtaPortDeviceStateChange] 01E08E01

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\msiexec.exe[5648] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75775D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5648] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75775D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5648] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75775D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5648] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75775D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5648] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75775D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5648] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75775D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 855A91F8
Device \FileSystem\fastfat \FatCdrom 85B47500
Device \Driver\volmgr \Device\VolMgrControl 849111F8
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbohci \Device\USBPDO-0 85B201F8
Device \Driver\usbehci \Device\USBPDO-1 85B211F8
Device \Driver\volmgr \Device\HarddiskVolume1 849111F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 849111F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 85A601F8
Device \Driver\volmgr \Device\HarddiskVolume3 849111F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 85A601F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 849131F8
Device \Driver\atapi \Device\Ide\IdePort0 849131F8
Device \Driver\atapi \Device\Ide\IdePort1 849131F8
Device \Driver\atapi \Device\Ide\IdePort2 849131F8
Device \Driver\atapi \Device\Ide\IdePort3 849131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 849131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-4 849131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 849131F8
Device \Driver\volmgr \Device\HarddiskVolume4 849111F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom2 85A601F8
Device \Driver\volmgr \Device\HarddiskVolume5 849111F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom3 85A601F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85AC11F8
Device \Driver\PCI_PNP1632 \Device\0000005b spsx.sys
Device \Driver\nvstor \Device\RaidPort0 849141F8
Device \Driver\sptd \Device\1609746632 spsx.sys
Device \Driver\nvstor \Device\0000006c 849141F8
Device \Driver\usbohci \Device\USBFDO-0 85B201F8
Device \Driver\nvstor \Device\0000006d 849141F8
Device \Driver\usbehci \Device\USBFDO-1 85B211F8
Device \Driver\USBSTOR \Device\0000007b 8622B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B0D6FA91-4E52-44B2-B3DC-68CEC1F5420C} 85AC11F8
Device \Driver\USBSTOR \Device\0000007c 8622B1F8
Device \Driver\a8w5o6qs \Device\Scsi\a8w5o6qs1 85A81500
Device \Driver\a8w5o6qs \Device\Scsi\a8w5o6qs1Port6Path0Target0Lun0 85A81500
Device \FileSystem\fastfat \Fat 85B47500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0xBD 0x06 0x61 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x47 0x3B 0xD3 0x51 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4A 0xF0 0xA8 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE0 0xE4 0x84 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0xBD 0x06 0x61 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x47 0x3B 0xD3 0x51 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4A 0xF0 0xA8 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE0 0xE4 0x84 0xD8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\Users\J?rgen\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Window_bd5996727e9ea1acda90841fa2c99a88df4fb9d6_09987063

---- EOF - GMER 1.0.15 ----