GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-12 17:03:28
Windows 5.1.2600 Service Pack 2
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-5 SAMSUNG_HD502HI rev.1AG01118
Running: zrlkr8kx.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\awriakod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9FB886B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9FB88574]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF7470C70]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9FB88A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9FB8814C]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF74714FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF747CD50]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwOpenFile [0xF7497A60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9FB8864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9FB8808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9FB880F0]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF747151E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9FB8876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9FB8872E]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF747C4F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9FB888AE]

INT 0x63 ? 8A950BF8
INT 0xA4 ? 8A5EABF8
INT 0xB4 ? 8A5EABF8
INT 0xB4 ? 8A5EABF8
INT 0xB4 ? 8A5EABF8

---- Kernel code sections - GMER 1.0.15 ----

? spmv.sys The system cannot find the file specified.
! .text USBPORT.SYS!DllUnload B902262C 5 Bytes JMP 8A5EA1D8
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8BE6000, 0x1CBE76, 0xE8000020]
.reloc C:\WINDOWS\system32\drivers\acedrv11.sys section is executable [0x9CFDC600, 0x25B0C, 0xE0000060]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0x9CEF4300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF77EF300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!LoadResource 7C809FC5 7 Bytes JMP 28001E20 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!FindResourceExW 7C80AC98 7 Bytes JMP 28001C60 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!FindResourceW 7C80BBDE 7 Bytes JMP 28001BE0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!SizeofResource 7C80BC79 7 Bytes JMP 28001EE0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!FindResourceA 7C80BE99 7 Bytes JMP 28001CF0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!LockResource 7C80CCA7 5 Bytes JMP 28001F50 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!CreateEventA 7C8308C9 5 Bytes JMP 28001840 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] kernel32.dll!FindResourceExA 7C835FC0 7 Bytes JMP 28001D80 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] ADVAPI32.dll!CryptDeriveKey 77DBA1A5 7 Bytes JMP 28001000 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] ADVAPI32.dll!CryptDecrypt 77DBA2D1 7 Bytes JMP 28001060 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!GetWindowLongW 7E3688A6 7 Bytes JMP 28006A70 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 28004630 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!CreateWindowExW 7E36FC25 5 Bytes JMP 28003C60 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!SetWindowRgn 7E36FFB2 7 Bytes JMP 28005F50 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!LoadIconW 7E370894 5 Bytes JMP 280068D0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!LoadImageW 7E372CFE 5 Bytes JMP 280066E0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!CreateDialogParamW 7E377D4F 5 Bytes JMP 28006090 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!SetWindowPlacement 7E37D84C 5 Bytes JMP 28005E10 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!MessageBoxIndirectW 7E3B62AB 5 Bytes JMP 28006280 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] USER32.dll!TrackPopupMenuEx 7E3BCD28 5 Bytes JMP 28004F10 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WS2_32.dll!send 71A1428A 5 Bytes JMP 2800B4A0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WS2_32.dll!WSARecv 71A14318 5 Bytes JMP 2800B280 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WS2_32.dll!recv 71A1615A 5 Bytes JMP 2800B0E0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WS2_32.dll!WSASend 71A16233 5 Bytes JMP 2800B680 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WS2_32.dll!closesocket 71A19639 5 Bytes JMP 2800B8C0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] SHELL32.dll!Shell_NotifyIconW 7E6D1BEA 5 Bytes JMP 280033B0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] ole32.dll!CoInitializeEx 774CEF6B 5 Bytes JMP 28002260 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 28002600 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] ole32.dll!CoRegisterClassObject 774E8720 5 Bytes JMP 28002360 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WININET.dll!InternetReadFile 408C654B 5 Bytes JMP 2800A090 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WININET.dll!InternetCloseHandle 408C9088 5 Bytes JMP 2800A240 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WININET.dll!HttpOpenRequestA 408CD508 5 Bytes JMP 28009F00 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WININET.dll!HttpSendRequestA 408DEE89 5 Bytes JMP 2800A170 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Mozilla Firefox\plugin-container.exe[3292] USER32.dll!TrackPopupMenu 7E3B50EE 5 Bytes JMP 10405CF5 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programme\Mozilla Firefox\firefox.exe[3840] ntdll.dll!LdrLoadDll 7C925CBB 5 Bytes JMP 004013F0 C:\Programme\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A94E1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\NetBT \Device\NetBT_Tcpip_{52522DAE-4300-475D-AAAA-8B5595F2E94B} 89B08500
Device \Driver\usbohci \Device\USBPDO-0 8A7871F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A9C41F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A9C41F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A9C41F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A9C41F8
Device \Driver\usbehci \Device\USBPDO-1 8A77E1F8
Device \Driver\usbohci \Device\USBPDO-2 8A7871F8
Device \Driver\usbehci \Device\USBPDO-3 8A77E1F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9511F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9511F8
Device \Driver\Cdrom \Device\CdRom0 8A4BC358
Device \FileSystem\Rdbss \Device\FsWrap 89F70940
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-11 8A4BC800
Device \Driver\atapi \Device\Ide\IdePort0 8A4BC800
Device \Driver\atapi \Device\Ide\IdePort1 8A4BC800
Device \Driver\atapi \Device\Ide\IdePort2 8A4BC800
Device \Driver\atapi \Device\Ide\IdePort3 8A4BC800
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-5 8A4BC800
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-19 8A4BC800
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A9511F8
Device \Driver\Cdrom \Device\CdRom1 8A4BC358
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A9511F8
Device \Driver\Cdrom \Device\CdRom2 8A4BC358
Device \Driver\mcdbus \Device\00000080 8A4594D0
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A9511F8
Device \Driver\Cdrom \Device\CdRom3 8A4BC358
Device \Driver\Cdrom \Device\CdRom4 8A4BC358
Device \Driver\NetBT \Device\NetBt_Wins_Export 89B08500
Device \Driver\NetBT \Device\NetbiosSmb 89B08500
Device \FileSystem\Srv \Device\LanmanServer 8A8979C0
Device \Driver\mcdbus \Device\mcdbus 8A4594D0
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBFDO-0 8A7871F8
Device \Driver\usbehci \Device\USBFDO-1 8A77E1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89933500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A6CD320
Device \Driver\usbohci \Device\USBFDO-2 8A7871F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89933500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A6CD320
Device \Driver\usbehci \Device\USBFDO-3 8A77E1F8
Device \FileSystem\Npfs \Device\NamedPipe 89DE68D8
Device \Driver\Ftdisk \Device\FtControl 8A9511F8
Device \FileSystem\Msfs \Device\Mailslot 89E2D850
Device \Driver\VClone \Device\Scsi\VClone1Port6Path0Target0Lun0 8A422B90
Device \Driver\VClone \Device\Scsi\VClone1 8A422B90
Device \Driver\d346prt \Device\Scsi\d346prt1 89925F00
Device \Driver\Vax347s \Device\Scsi\Vax347s1 8A49E350
Device \Driver\d346prt \Device\Scsi\d346prt1Port7Path0Target0Lun0 89925F00
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port4Path0Target0Lun0 8A49E350
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A852488
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A852488
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A852488
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A852488
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A852488
Device \FileSystem\Cdfs \Cdfs 8989F500
Device \FileSystem\Cdfs \Cdfs 8A568A88

---- Modules - GMER 1.0.15 ----

Module _________ BA703000-BA71B000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40@hj34z0 0x6D 0x51 0xE2 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40@hj34z1 0xBE 0x51 0xE2 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40@hj34z2 0xBE 0x51 0xE2 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40@hj34z3 0xBE 0x51 0xE2 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40@hj34z4 0xBE 0x51 0xE2 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBD 0x2F 0xE0 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ljej40 0x01 0x58 0x73 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41@ljej40 0x7B 0xC0 0xCD 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBD 0x2F 0xE0 0x5E ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}@DisplayName DAEMON Tools
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341@ProductName DAEMON Tools

---- EOF - GMER 1.0.15 ----
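A GMER log is evidence, not a verdict: the first thing to do with one is attribute every hook to the module that installed it and to a vendor, then look hard at whatever is left over. In the log above the SSDT hooks from aswSP.SYS and the user-mode inline hooks in msnmsgr.exe carry a named vendor (ALWIL Software, Yuna Software) and are explained by avast and Messenger Plus! Live; Vax347b.sys and d346bus.sys hook the SSDT with no vendor string at all, while the USBPORT.SYS!DllUnload inline hook and the INT entries jump to addresses that GMER attributes to no module. The Devices and Registry sections show the d346prt, Vax347s and sptd keys next to DAEMON Tools and Alcohol 120% uninstall entries; d346bus/d346prt and Vax347b/Vax347s are the driver pairs those two virtual-drive products install, which is what a helper would check against before calling any of it a rootkit. The script below is an added example, not part of the posted log or of GMER; it parses the five line layouts seen above (SSDT, INT, kernel inline hook, user-mode inline hook and unnamed Module) with regular expressions inferred from this log, groups hooks by hooking module, lists SSDT hookers that name no vendor, and checks whether the unattributed jump targets fall inside the unnamed module range. SAMPLE_LOG is a constructed subset of the log above; the parser makes no attempt to cover other GMER line types.

```python
"""Triage a GMER 1.0.15 log: attribute every reported hook to the module that
installed it and single out what GMER itself could not attribute.
Added example; the line layouts are inferred from the log above."""
import re
from collections import Counter

# Constructed sample input: one entry of each kind, copied from the log above.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9FB8808C]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF74714FE]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwOpenFile [0xF7497A60]
INT 0x63 ? 8A950BF8
INT 0xB4 ? 8A5EABF8
! .text USBPORT.SYS!DllUnload B902262C 5 Bytes JMP 8A5EA1D8
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[1056] WS2_32.dll!send 71A1428A 5 Bytes JMP 2800B4A0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Mozilla Firefox\firefox.exe[3840] ntdll.dll!LdrLoadDll 7C925CBB 5 Bytes JMP 004013F0 C:\Programme\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
Module _________ BA703000-BA71B000 (98304 bytes)
"""

HEX = r"[0-9A-Fa-f]+"
# SSDT <driver> (<description>/<vendor>) <Zw function> [0x<handler address>]
SSDT_RE = re.compile(rf"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x{HEX})\]$")
# INT 0x<vector> ? <handler address>   (IDT entry GMER cannot attribute to a module)
IDT_RE = re.compile(rf"^INT\s+(?P<vector>0x{HEX})\s+\?\s+(?P<target>{HEX})$")
# ! .text <image>!<export> <address> <n> Bytes JMP <target>   (kernel inline hook, no owner named)
KERNEL_HOOK_RE = re.compile(rf"^!\s+\.text\s+(?P<image>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>{HEX})\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>{HEX})$")
# .text <process>[<pid>] <dll>!<export> <address> <n> Bytes JMP <target> <hooking module> (<description>/<vendor>)
USER_HOOK_RE = re.compile(
    rf"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>{HEX})\s+"
    rf"(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>{HEX})(?:\s+(?P<hooker>.+?)\s+\((?P<desc>[^)]*)\))?$")
# Module _________ <start>-<end> (<size> bytes)   (loaded kernel module GMER could not name)
ANON_MODULE_RE = re.compile(rf"^Module\s+_+\s+(?P<start>{HEX})-(?P<end>{HEX})")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _vendor(desc):
    # GMER prints "(description/vendor)"; an empty vendor field is itself a finding.
    return desc.rsplit("/", 1)[-1].strip() if desc and "/" in desc else ""


def parse_gmer(text):
    """Return the recognised entries of a GMER log, grouped by kind."""
    entries = {"ssdt": [], "idt": [], "kernel_hooks": [], "user_hooks": [], "anon_modules": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SSDT_RE.match(line):
            entries["ssdt"].append({"module": _basename(m["module"]), "vendor": _vendor(m["desc"]),
                                    "func": m["func"], "addr": int(m["addr"], 16)})
        elif m := IDT_RE.match(line):
            entries["idt"].append({"vector": int(m["vector"], 16), "target": int(m["target"], 16)})
        elif m := KERNEL_HOOK_RE.match(line):
            entries["kernel_hooks"].append({"image": m["image"], "func": m["func"], "target": int(m["target"], 16)})
        elif m := USER_HOOK_RE.match(line):
            entries["user_hooks"].append({"process": _basename(m["proc"]), "pid": int(m["pid"]),
                                          "api": f'{m["dll"]}!{m["func"]}', "target": int(m["target"], 16),
                                          "hooker": _basename(m["hooker"]) if m["hooker"] else None,
                                          "vendor": _vendor(m["desc"])})
        elif m := ANON_MODULE_RE.match(line):
            entries["anon_modules"].append((int(m["start"], 16), int(m["end"], 16)))
    return entries


def in_anon_module(addr, ranges):
    """True if addr lies inside one of the unnamed kernel module ranges."""
    return any(start <= addr < end for start, end in ranges)


def triage(entries):
    """Hooks per hooking module, SSDT hookers with no vendor, and unattributed kernel targets."""
    by_module = Counter(e["module"] for e in entries["ssdt"])
    by_module.update(e["hooker"] or "<unattributed>" for e in entries["user_hooks"])
    no_vendor = sorted({e["module"] for e in entries["ssdt"] if not e["vendor"]})
    # Kernel inline hooks and IDT entries name no owner; record whether each target
    # at least lands inside a module GMER listed, even an unnamed one.
    unattributed = [("inline", f'{e["image"]}!{e["func"]}', e["target"],
                     in_anon_module(e["target"], entries["anon_modules"])) for e in entries["kernel_hooks"]]
    unattributed += [("idt", f'INT 0x{e["vector"]:02X}', e["target"],
                      in_anon_module(e["target"], entries["anon_modules"])) for e in entries["idt"]]
    return {"by_module": by_module, "no_vendor": no_vendor, "unattributed": unattributed}


def format_report(result):
    lines = ["Hooks per hooking module:"]
    lines += [f"  {module:<20} {n}" for module, n in result["by_module"].most_common()]
    lines.append("SSDT hookers with no vendor string: " + (", ".join(result["no_vendor"]) or "none"))
    lines.append("Unattributed kernel hooks / IDT entries:")
    for kind, what, target, inside in result["unattributed"]:
        where = "inside an unnamed module" if inside else "not inside any unnamed module range"
        lines.append(f"  {kind:<6} {what:<24} -> {target:08X} ({where})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(parse_gmer(SAMPLE_LOG))))
```

Run against the full log, the report puts aswSP.SYS and MsgPlusLive.dll at the top of the per-module count with a vendor behind each, lists Vax347b.sys and d346bus.sys as vendor-less SSDT hookers, and shows that the USBPORT.SYS!DllUnload and INT targets (8A5E.... / 8A95....) do not lie inside the unnamed BA703000-BA71B000 module, so the code they jump to sits in memory GMER could not tie to any image. Those three items, not the avast or Messenger Plus! hooks, are the ones to reconcile against the installed virtual-drive software before reaching for a removal tool.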