This is the log from Gmer
Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-07 16:44:38
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT BA76A136 ZwCreateKey
SSDT BA76A12C ZwCreateThread
SSDT BA76A13B ZwDeleteKey
SSDT BA76A145 ZwDeleteValueKey
SSDT BA76A14A ZwLoadKey
SSDT BA76A118 ZwOpenProcess
SSDT BA76A11D ZwOpenThread
SSDT BA76A154 ZwReplaceKey
SSDT BA76A14F ZwRestoreKey
SSDT BA76A140 ZwSetValueKey
SSDT BA76A127 ZwTerminateProcess
Code 8A323F08 ZwEnumerateKey
Code 89B14860 ZwFlushInstructionCache
Code 89CF7B3E IofCallDriver
Code 8A4606C6 IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 89CF7B43
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A4606CB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 89B14864
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 8A323F0C
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\gxvxcwahqnoxpbpptmppuiqltivasrprujovm.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcwahqnoxpbpptmppuiqltivasrprujovm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcwahqnoxpbpptmppuiqltivasrprujovm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcfyqjxjlqjbargsamiorobrxnsoqpxevd.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcwahqnoxpbpptmppuiqltivasrprujovm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcwahqnoxpbpptmppuiqltivasrprujovm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcfyqjxjlqjbargsamiorobrxnsoqpxevd.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\gxvxccbowpjdsniwxddeayxoxseajvugkxded.sys 37888 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcnodyirwvvmybwibqnutokmlqjstkvobu.sys 37888 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcrndltoigijoehtkaorxnloumxdyemvim.sys 37888 bytes executable
File C:\WINDOWS\system32\drivers\gxvxctydmejlrgvwmjaoarmkaovaqcuspfjgo.sys 37888 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcwahqnoxpbpptmppuiqltivasrprujovm.sys 37888 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gxvxcwwgqghdlhnofonvtieupirpvskcyqtgf.sys 37888 bytes executable
File C:\WINDOWS\system32\gxvxccounter 4 bytes
File C:\WINDOWS\system32\gxvxcfyqjxjlqjbargsamiorobrxnsoqpxevd.dll 26625 bytes executable
---- EOF - GMER 1.0.15 ----