GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-09-22 14:53:48 Windows 6.1.7600 Running: sb5sq240.exe; Driver: C:\Users\Jan\AppData\Local\Temp\uwldypow.sys ---- System - GMER 1.0.15 ---- INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2DAF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D3F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E15634 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E15898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D1DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2D6F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2DF2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2E1A8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A46579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A6AF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? System32\Drivers\spoz.sys Das System kann den angegebenen Pfad nicht finden. ! ? System32\Drivers\fflinf.sys Ein an das System angeschlossenes Gerät funktioniert nicht. ! .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x94A09000, 0x31BA76, 0xE8000020] .text USBPORT.SYS!DllUnload 90BA2CA0 5 Bytes JMP 867D04E0 .text a7bd5vr5.SYS 94444000 12 Bytes [44, 88, E1, 82, EE, 86, E1, ...] 
.text a7bd5vr5.SYS 9444400D 9 Bytes [67, E1, 82, 48, 8B, E1, 82, ...] {LOOPZW 0xffffffffffffff85; DEC EAX; MOV ESP, ECX; ADD BYTE [EAX], 0x0} .text a7bd5vr5.SYS 94444017 170 Bytes [00, DE, 47, 70, 83, E6, 45, ...] .text a7bd5vr5.SYS 944440C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text a7bd5vr5.SYS 944440CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL} .text ... .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x985B0300, 0x3B6D8, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x985F3300, 0x1BEE, 0xE8000020] .text peauth.sys 9DE3CC9D 28 Bytes [4F, AD, 6B, C8, D0, B5, CF, ...] .text peauth.sys 9DE3CCC1 28 Bytes [4F, AD, 6B, C8, D0, B5, CF, ...] PAGE peauth.sys 9DE42B9B 72 Bytes [E7, 8E, B7, C3, 73, D2, 55, ...] PAGE peauth.sys 9DE42BEC 111 Bytes [D0, 5A, 0C, 41, 83, 21, 47, ...] PAGE peauth.sys 9DE42E20 101 Bytes [A4, BD, F5, 1C, 98, 02, 80, ...] PAGE ... PAGE spsys.sys!?SPRevision@@3PADA + 4F90 ADC27000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 ADC27123 629 Bytes [25, C2, AD, FE, 05, 34, 25, ...] PAGE spsys.sys!?SPRevision@@3PADA + 5329 ADC27399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...] PAGE spsys.sys!?SPRevision@@3PADA + 538F ADC273FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...] PAGE spsys.sys!?SPRevision@@3PADA + 543B ADC274AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...] PAGE ... ---- User code sections - GMER 1.0.15 ---- ? 
C:\Windows\System32\svchost.exe[3316] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] ntdll.dll!LdrLoadDll 77D9F585 5 Bytes JMP 00D313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] WS2_32.dll!closesocket 77133BED 5 Bytes JMP 65EC1895 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] WS2_32.dll!socket 77133F00 5 Bytes JMP 65EC0EA6 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] WS2_32.dll!recv 771347DF 5 Bytes JMP 65EC1B86 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] WS2_32.dll!connect 771348BE 5 Bytes JMP 65EC0F36 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] WS2_32.dll!getaddrinfo 77136737 5 Bytes JMP 65EC1037 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4624] WS2_32.dll!send 7713C4C8 5 Bytes JMP 65EC130D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83608042] \SystemRoot\System32\Drivers\spoz.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [836086D6] \SystemRoot\System32\Drivers\spoz.sys IAT 
\SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83608800] \SystemRoot\System32\Drivers\spoz.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8360813E] \SystemRoot\System32\Drivers\spoz.sys IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT 
\SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\a7bd5vr5.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74BE250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74BE2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74BC5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74BC56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74BD8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74BD4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft 
Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74BD50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74BD51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74BD66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74BD82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74BD8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74BD907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74BDE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74BD4C59] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1576] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75DE5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1576] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75DE5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1576] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75DE5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1576] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75DE5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 01A6B6E9 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 5409E800 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] 68500000 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] 0F6DEAD8 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 00113EE8 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] F8BD8D00 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] E81394A3 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] 00000C58 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] 
59756668 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] 04C76661 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 838FFE24 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 66F9FFC6 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] 0CE1BA0F IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] 85C330F5 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] 12CEE9FE IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 00458F24 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] 042444C6 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 8D9C9C92 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] E9302464 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] 000053DA IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 005BE7E9 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 514EE900 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] 35E90000 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] 9C0001AD IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] 892434FF IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 6604247C IAT 
C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 0C89CF0F IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] A0B98D24 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] F7B8C753 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 24BC8DD7 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] BA86FAAB IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] BA0F669C IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 879C0AFF IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 0F66242C IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 5304E5BA IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey] 8DC7D366 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW] 5F73E52C IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] CFD3E1F2 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF896652 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] 35FF6056 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [004011C5] C:\Windows\System32\svchost.exe (Hostprozess für Windows-Dienste/Microsoft Corporation) IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW] 1C24448F IAT C:\Windows\System32\svchost.exe[3316] @ 
C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] 005638E9 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] F6F5F800 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] C4F766D2 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] ED831B48 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] FCEC8302 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] 54A0800F IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx] D0200000 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 81E85024 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 9C00000D IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx] 2824448F IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 2474FF50 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 00458F2C IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2489669C IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E8000053 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 0000510A IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] C450E9D5 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 74FF0001 IAT C:\Windows\System32\svchost.exe[3316] @ 
C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 458F0424 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 60579C00 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 24648D9C IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 5318E934 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 8B660000 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 56B1E900 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite] 7E270000 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled] C421E9B1 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister] C3300001 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 005A4AE9 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] D6F7C5D3 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 00090AE8 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 242C8700 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] EAB60F66 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 4AE8F960 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] D0000014 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 89DC88E0 IAT 
C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 83D084E8 IAT C:\Windows\System32\svchost.exe[3316] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] E99C02ED ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 867E5F30 Device \FileSystem\Ntfs \Ntfs 857421F8 Device \FileSystem\fastfat \FatCdrom 858961F8 Device \Driver\sptd \Device\2244562818 spoz.sys Device \Driver\volmgr \Device\VolMgrControl 8573E1F8 Device \Driver\usbohci \Device\USBPDO-0 86A2F500 Device \Driver\NetBT \Device\NetBT_Tcpip_{0A9F17B7-A77F-44E6-913A-A37A05334D30} 8698F1F8 Device \Driver\usbohci \Device\USBPDO-1 86A2F500 Device \Driver\usbehci \Device\USBPDO-2 86A681F8 Device \Driver\usbohci \Device\USBPDO-3 86A2F500 Device \Driver\usbohci \Device\USBPDO-4 86A2F500 Device \Driver\usbehci \Device\USBPDO-5 86A681F8 Device \Driver\PCI_PNP4817 \Device\00000056 spoz.sys Device \Driver\usbohci \Device\USBPDO-6 86A2F500 Device \Driver\volmgr \Device\HarddiskVolume1 8573E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume2 8573E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 868C41F8 Device \Driver\volmgr \Device\HarddiskVolume3 8573E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 868C41F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 857401F8 Device \Driver\atapi \Device\Ide\IdePort0 857401F8 Device \Driver\atapi \Device\Ide\IdePort1 857401F8 Device \Driver\atapi \Device\Ide\IdePort2 857401F8 Device \Driver\atapi \Device\Ide\IdePort3 857401F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 857401F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-6 857401F8 Device 
\Driver\USBSTOR \Device\00000073 85775398 Device \Driver\volmgr \Device\HarddiskVolume4 8573E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom2 868C41F8 Device \Driver\USBSTOR \Device\00000074 85775398 Device \Driver\USBSTOR \Device\00000083 85775398 Device \Driver\BTHUSB \Device\00000077 bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 8698F1F8 Device \Driver\USBSTOR \Device\00000084 85775398 Device \Driver\BTHUSB \Device\00000079 bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{E8B91AAD-1A7E-4D45-86DF-08D121B2E97C} 8698F1F8 Device \Driver\usbohci \Device\USBFDO-0 86A2F500 Device \Driver\usbohci \Device\USBFDO-1 86A2F500 Device \Driver\usbehci \Device\USBFDO-2 86A681F8 Device \Driver\usbohci \Device\USBFDO-3 86A2F500 Device \Driver\usbohci \Device\USBFDO-4 86A2F500 Device \Driver\usbehci \Device\USBFDO-5 86A681F8 Device \Driver\usbohci \Device\USBFDO-6 86A2F500 Device \Driver\NetBT \Device\NetBT_Tcpip_{5D2AC3A2-4250-492F-A923-F014EEC1024F} 8698F1F8 Device \Driver\VClone \Device\Scsi\VClone1 86B3F1F8 Device \Driver\a7bd5vr5 \Device\Scsi\a7bd5vr51 86B0D1F8 Device \Driver\a7bd5vr5 \Device\Scsi\a7bd5vr51Port5Path0Target0Lun0 86B0D1F8 Device \Driver\VClone \Device\Scsi\VClone1Port4Path0Target0Lun0 86B3F1F8 Device \FileSystem\fastfat \Fat 858961F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) ---- Threads - GMER 1.0.15 ---- Thread System [4:5900] ADC34F2E ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158307c65a Reg HKLM\SYSTEM\CurrentControlSet\services\fflinf@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\fflinf@Start 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\fflinf@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\services\fflinf@Group Boot Bus Extender Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xE5 0xA8 0x73 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xD7 0x17 0x1B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC5 0x9E 0x99 0x74 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFC 0xE6 0x5F 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xF8 0xAE 0xA7 0x1F ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158307c65a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\fflinf@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\fflinf@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\fflinf@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\services\fflinf@Group Boot Bus Extender Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xE5 0xA8 0x73 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xD7 0x17 0x1B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC5 0x9E 0x99 0x74 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFC 0xE6 0x5F 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xF8 0xAE 0xA7 0x1F ... 
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Electronic Arts\Aufstieg des Hexenkönigs\x2122\Der Herr der Ringe\x2122, Aufstieg des Hexenkönigs\x2122-Weltenbauer.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts\Aufstieg des Hexenkönigs\x2122\Der Herr der Ringe\x2122, Aufstieg des Hexenkönigs\x2122-Weltenbauer.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Electronic Arts\Aufstieg des Hexenkönigs\x2122\Elektronische Registrierung.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts\Aufstieg des Hexenkönigs\x2122\Elektronische Registrierung.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Electronic Arts\Aufstieg des Hexenkönigs\x2122\Online nach Update suchen.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts\Aufstieg des Hexenkönigs\x2122\Online nach Update suchen.lnk 1 ---- Files - GMER 1.0.15 ---- File J:\RECYCLER 0 bytes File J:\RECYCLER\S-1-5-21-1292428093-926492609-1417001333-1003 0 bytes File J:\RECYCLER\S-1-5-21-1292428093-926492609-1417001333-1003\desktop.ini 65 bytes File J:\RECYCLER\S-1-5-21-1292428093-926492609-1417001333-1003\INFO2 20 bytes File J:\RECYCLER\S-1-5-21-1659004503-287218729-725345543-1001 0 bytes File J:\RECYCLER\S-1-5-21-1659004503-287218729-725345543-1001\desktop.ini 65 bytes File J:\RECYCLER\S-1-5-21-1659004503-287218729-725345543-1001\INFO2 20 bytes File J:\$RECYCLE.BIN\S-1-5-20 0 bytes File 
J:\$RECYCLE.BIN\S-1-5-20\desktop.ini 129 bytes File J:\$RECYCLE.BIN\S-1-5-21-2570516643-2303911503-1101146954-1000\$ILDUZ1Z 544 bytes File J:\$RECYCLE.BIN\S-1-5-21-2570516643-2303911503-1101146954-1000\$RLDUZ1Z 0 bytes File J:\$RECYCLE.BIN\S-1-5-21-2570516643-2303911503-1101146954-1000\$RLDUZ1Z\Windows 7 Professional (x86) - DVD (German) 0 bytes File J:\$RECYCLE.BIN\S-1-5-21-2570516643-2303911503-1101146954-1000\$RLDUZ1Z\Windows 7 Professional (x86) - DVD (German)\de_windows_7_professional_x86_dvd_x15-65812.iso 715738212 bytes File J:\$RECYCLE.BIN\S-1-5-21-905570476-3587705358-1342959373-1001 0 bytes File J:\$RECYCLE.BIN\S-1-5-21-905570476-3587705358-1342959373-1001\desktop.ini 129 bytes /*************************************************************************************************************************************************** ==== Ab hier dann ein Haufen Files auf meiner Externen, die ich aus Datenschutzgründen ausblenden muss ==== ***************************************************************************************************************************************************/ 10987059 bytes ---- EOF - GMER 1.0.15 ----