Code:
Alles auswählen Aufklappen ATTFilter
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-01-25 20:15:06
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1600BEVS-22RST0 rev.04.01G04
Running: nbxrj9v3.exe; Driver: C:\Users\MR\AppData\Local\Temp\pxldypoc.sys
---- System - GMER 1.0.15 ----
SSDT 8DF0812E ZwCreateSection
SSDT 8DF08138 ZwRequestWaitReplyPort
SSDT 8DF08133 ZwSetContextThread
SSDT 8DF0813D ZwSetSecurityObject
SSDT 8DF08142 ZwSystemDebugControl
SSDT 8DF080CF ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A8D5D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB2092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 370 82AB99B0 4 Bytes [2E, 81, F0, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 6CC 82AB9D0C 4 Bytes [38, 81, F0, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 710 82AB9D50 4 Bytes [33, 81, F0, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 78C 82AB9DCC 4 Bytes [3D, 81, F0, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 7E0 82AB9E20 4 Bytes [42, 81, F0, 8D]
.text ...
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Real\RealPlayer\realplay.exe[376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Real\RealPlayer\realplay.exe[376] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Real\RealPlayer\realplay.exe[376] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Real\RealPlayer\realplay.exe[376] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Real\RealPlayer\realplay.exe[376] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Real\RealPlayer\realplay.exe[376] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Code:
Alles auswählen Aufklappen ATTFilter
Report of OSAM : Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 20:23:06 on 25.01.2012
OS: Windows 7 (Build 7600), 32-bit
Default Browser: Mozilla Corporation Firefox 9.0.1
Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures
Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries
[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl
"prefscpl.cpl" - "RealNetworks, Inc." - C:\Windows\system32\prefscpl.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl
[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"AVerMedia USB Polaris Series Capture Service" (AVerPola) - "AVerMedia TECHNOLOGIES, Inc." - C:\Windows\System32\DRIVERS\AVerPola.sys
"AVerMedia USB Polaris Series Custom IR Service" (AVPolCIR) - "AVerMedia TECHNOLOGIES, Inc." - C:\Windows\System32\DRIVERS\AVPolCIR.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"avkmgr" (avkmgr) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avkmgr.sys
"catchme" (catchme) - ? - C:\Users\MR\AppData\Local\Temp\catchme.sys (File not found)
"MBAMProtector" (MBAMProtector) - "Malwarebytes Corporation" - C:\Windows\system32\drivers\mbam.sys
"pxldypoc" (pxldypoc) - ? - C:\Users\MR\AppData\Local\Temp\pxldypoc.sys (Hidden registry entry, rootkit activity | File not found)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - "The Document Foundation" - C:\Program Files\LibreOffice 3.4\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{AE424E85-F6DF-4910-A6A9-438797986431} "LibreOffice Property Handler" - "The Document Foundation" - C:\Program Files\LibreOffice 3.4\Basis\program\shlxthdl\propertyhdl.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - "The Document Foundation" - C:\Program Files\LibreOffice 3.4\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - "The Document Foundation" - C:\Program Files\LibreOffice 3.4\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - "The Document Foundation" - C:\Program Files\LibreOffice 3.4\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - "The Document Foundation" - C:\Program Files\LibreOffice 3.4\Basis\program\shlxthdl\shlxthdl.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.7.0_01" - "Oracle Corporation" - C:\Program Files\Java\jre7\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.7.0_01" - "Oracle Corporation" - C:\Program Files\Java\jre7\bin\npjpi170_01.dll / hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 10.1.0" - "Oracle Corporation" - C:\Program Files\Java\jre7\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
{7530BFB8-7293-4D34-9923-61A11451AFC5} "OnlineScanner Control" - "ESET" - C:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX / hxxp://download.eset.com/special/eos/OnlineScanner.cab
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Oracle Corporation" - C:\Program Files\Java\jre7\bin\jp2ssv.dll
[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\MR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"McAfee Security Scan Plus.lnk" - "McAfee, Inc." - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (Shortcut exists | File exists)
"AutoStart IR.lnk" - "Hauppauge Computer Works" - C:\Program Files\WinTV\Ir.exe (Shortcut exists | File exists)
"WinTV Recording Status..lnk" - "Hauppauge Computer Works, Inc." - C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"uTorrent" - "BitTorrent, Inc." - "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"APSDaemon" - "Apple Inc." - "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"avgnt" - "Avira Operations GmbH & Co. KG" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"HP Software Update" - "Hewlett-Packard" - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
"Malwarebytes' Anti-Malware" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"QCDriverInstaller" - "Logitech Inc." - C:\PROGRA~1\COMMON~1\Logitech\QCDriver\Lqdsw.exe /addrun /l 1031 /LaunchAtStart
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RealTray" - "RealNetworks, Inc." - C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"HP Discovery Port Monitor (HP Deskjet 3050 J610 series)" - "Hewlett-Packard Co." - C:\Windows\system32\HPDiscoPM9311.dll
[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Avira Echtzeit Scanner" (AntiVirService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira Planer" (AntiVirSchedulerService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"HauppaugeTVServer" (HauppaugeTVServer) - "Hauppauge Computer Works" - C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
"MBAMService" (MBAMService) - "Malwarebytes Corporation" - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"McAfee Security Scan Component Host Service" (McComponentHostService) - "McAfee, Inc." - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
===[ Logfile end ]=========================================[ Logfile end ]===
If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
aswmbr folgt noch. =)
25.01.2012, 20:26
Baum-Darstellung