|
Plagegeister aller Art und deren Bekämpfung: Ist mein System von Rootkits verseucht?!Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
11.07.2009, 21:08 | #1 |
Ist mein System von Rootkits verseucht?! Hallo. Bitte um Hilfe. Habe das Programm: "rootkit revealer" auf meinem PC laufen lassen mit dem Ergebniss, dass mehrere Einträge gefunden worden. Da ich aber nicht weiss ob es sich hier um wirkliche Rootkits handelt bitte ich um eure Hilfe. Merkwürdig ist es auch, dass schon zum zweiten mal plötzlich das Programm "Hijackthis" von meinem PC verschwunden ist, ohne das ich es deinstallierte. Die Angaben zu meinem System: Windows XP Home Edition. Anbei das log von *** und Rootkitrevealer. Logfile of Trend Micro ***This v2.0.2 Scan saved at 21:32:39, on 11.07.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Panda Security\Panda Internet Security 2009\TPSrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRAMME\PANDA SECURITY\PANDA INTERNET SECURITY 2009\WebProxy.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Programme\a-squared ****\a2service.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Java\jre6\bin\jqs.exe C:\Programme\System Control Manager\MSIService.exe C:\Programme\Panda Security\Panda Internet Security 2009\PsCtrls.exe C:\Programme\Panda Security\Panda Internet Security 2009\PavFnSvr.exe C:\Programme\Gemeinsame Dateien\Panda Security\PavShld\pavprsrv.exe C:\Programme\Panda Security\Panda Internet Security 2009\PsImSvc.exe C:\Programme\Panda Security\Panda Internet Security 2009\PskSvc.exe C:\Programme\Panda Security\Panda Internet Security 2009\pavsrv51.exe C:\Programme\Panda Security\Panda Internet Security 2009\AVENGINE.EXE c:\programme\panda security\panda internet security 2009\firewall\PSHOST.EXE C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\Explorer.EXE C:\Programme\System Control Manager\MGSysCtrl.exe C:\PROGRAMME\A-SQUARED *****\a2guard.exe C:\Programme\IObit\IObit SmartDefrag\IObit SmartDefrag.exe C:\WINDOWS\RTHDCPL.EXE C:\Programme\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE C:\WINDOWS\system32\wbem\unsecapp.exe C:\Programme\Java\jre6\bin\jusched.exe C:\Programme\IObit\Advanced SystemCare 3\AWC.exe C:\Programme\Panda Security\Panda Internet Security 2009\SRVLOAD.EXE C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Panda Security\Panda Internet Security 2009\PavJobs.exe C:\DOKUME~1\\LOKALE~1\Temp\Temporäres Verzeichnis 2 für RootkitRevealer.zip\RootkitRevealer.exe C:\WINDOWS\system32\rundll32.exe C:\DOKUME~1\\LOKALE~1\Temp\Temporäres Verzeichnis 4 für RootkitRevealer.zip\RootkitRevealer.exe C:\Programme\internet explorer\iexplore.exe C:\Programme\internet explorer\iexplore.exe C:\Programme\Trend Micro\****\****.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.targa.de R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [MGSysCtrl] C:\Programme\System Control Manager\MGSysCtrl.exe O4 - HKLM\..\Run: [a-squared] "C:\PROGRAMME\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60 O4 - HKLM\..\Run: [SmartDefrag] "C:\Programme\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [SCANINICIO] "C:\Programme\Panda Security\Panda Internet Security 2009\Inicio.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Programme\IObit\Advanced SystemCare 3\AWC.exe" /startup O4 - Startup: Secunia PSI.lnk = C:\Programme\Secunia\PSI\psi.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Dokumente und Einstellungen\\Lokale Einstellungen\Anwendungsdaten\xp-AntiSpy\sponsoring\sponsor.html (HKCU) O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Dokumente und Einstellungen\\Lokale Einstellungen\Anwendungsdaten\xp-AntiSpy\sponsoring\sponsor.html (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://www.targa.de O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241467984640 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244644993109 O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Programme\a-squared Anti-Malware\a2service.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe O23 - Service: JDZXPCBGCK - Sysinternals - www.sysinternals.com - C:\DOKUME~1\...\LOKALE~1\Temp\JDZXPCBGCK.exe O23 - Service: Micro Star SCM - Unknown owner - C:\Programme\System Control Manager\MSIService.exe O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Programme\Panda Security\Panda Internet Security 2009\PsCtrls.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Programme\Panda Security\Panda Internet Security 2009\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Programme\Gemeinsame Dateien\Panda Security\PavShld\pavprsrv.exe O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Programme\Panda Security\Panda Internet Security 2009\pavsrv51.exe O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programme\panda security\panda internet security 2009\firewall\PSHOST.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Programme\Panda Security\Panda Internet Security 2009\PsImSvc.exe O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Programme\Panda Security\Panda Internet Security 2009\PskSvc.exe O23 - Service: RDFFA - Sysinternals - www.sysinternals.com - C:\DOKUME~1\Lord\LOKALE~1\Temp\RDFFA.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Programme\Panda Security\Panda Internet Security 2009\TPSrv.exe -- End of file - 7633 bytes Rootkit revealer: 1-5-21-1538484781-3946739223-2389412754-1006\Console 18.05.2009 16:06 0 bytes Security mismatch. HKLM\SECURITY\Policy\Secrets\SAC* 11.11.2008 02:12 0 bytes Key name contains embedded nulls (*) HKLM\SECURITY\Policy\Secrets\SAI* 11.11.2008 02:12 0 bytes Key name contains embedded nulls (*) HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11.07.2009 20:44 80 bytes Data mismatch between Windows API and raw hive data. C:\Dokumente und Einstellungen\Lord\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\izenus77.default\Cache\04339ADFd01 11.07.2009 20:46 63.28 KB Hidden from Windows API. C:\Dokumente und Einstellungen\Lord\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\izenus77.default\Cache\15252311d01 11.07.2009 20:48 63.76 KB Hidden from Windows API. C:\Dokumente und Einstellungen\Lord\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\izenus77.default\Cache\204774C5d01 11.07.2009 20:51 152.26 KB Hidden from Windows API. C:\Dokumente und Einstellungen\Lord\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\izenus77.default\Cache\5B25A781d01 11.07.2009 20:52 103.08 KB Hidden from Windows API. C:\Dokumente und Einstellungen\Lord\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\izenus77.default\Cache\61AEC729d01 11.07.2009 20:52 22.41 KB Hidden from Windows API. C:\Dokumente und Einstellungen\Lord\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\izenus77.default\urlclassifier3.sqlite-journal 11.07.2009 20:47 8.56 MB Visible in Windows API, but not in MFT or directory index. C:\Programme\Panda Security\Panda Internet Security 2009\Downloads\IDProtSig\pavufts.sig 11.07.2009 20:48 63.92 KB Hidden from Windows API. C:\Programme\Panda Security\Panda Internet Security 2009\Downloads\PavExp\PavExp.sig 11.07.2009 20:48 3.81 KB Hidden from Windows API. C:\Programme\Panda Security\Panda Internet Security 2009\Temp\pav6B.tmp 11.07.2009 20:49 1.28 KB Visible in Windows API, but not in MFT or directory index. C:\System Volume Information\_restore{4AB9F269-3E9E-4C7F-87C9-D54EB9392040}\RP4\A0000257.INI 26.06.2009 12:25 3.38 KB Hidden from Windows API. C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 05.05.2009 00:32 252.00 KB Visible in Windows API, but not in MFT or directory index. C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 05.05.2009 00:32 111.00 KB Visible in Windows API, but not in MFT or directory index. C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll 05.05.2009 00:32 8.00 KB Visible in Windows API, but not in MFT or directory index. C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf 11.07.2009 20:56 17.16 KB Visible in directory index, but not Windows API or MFT. C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11.07.2009 20:40 64.00 KB Visible in Windows API, but not in MFT or directory index. C:\WINDOWS\Temp\cteng_1_1_211246988921.dat 11.07.2009 20:46 30.42 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_1_221247228937.dat 11.07.2009 20:46 25.86 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_1_231246881203.dat 11.07.2009 20:46 25.91 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_1_41246672830.dat 11.07.2009 20:46 30.63 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_1_71245874879.dat 11.07.2009 20:46 77.40 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_1_81246356455.dat 11.07.2009 20:46 31.36 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_1_91246593662.dat 11.07.2009 20:46 30.62 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_131247319499.dat 11.07.2009 20:46 258.35 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_141247184040.dat 11.07.2009 20:46 207.91 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_151247187636.dat 11.07.2009 20:46 256.89 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_161247334306.dat 11.07.2009 20:46 183.86 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_171246320046.dat 11.07.2009 20:46 182.90 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_181247259618.dat 11.07.2009 20:46 207.22 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_201247161136.dat 11.07.2009 20:46 213.80 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_211247218009.dat 11.07.2009 20:46 224.52 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_221246949136.dat 11.07.2009 20:46 224.11 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_231247240443.dat 11.07.2009 20:46 305.37 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_241246190449.dat 11.07.2009 20:46 226.46 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_251246346450.dat 11.07.2009 20:46 117.53 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_261245798016.dat 11.07.2009 20:46 213.25 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_271247166050.dat 11.07.2009 20:46 263.23 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_281247129444.dat 11.07.2009 20:46 243.97 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_291247270586.dat 11.07.2009 20:46 289.18 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_301247202044.dat 11.07.2009 20:46 238.33 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_311247132246.dat 11.07.2009 20:46 194.17 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_331246824032.dat 11.07.2009 20:46 140.85 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_341247335332.dat 11.07.2009 20:46 203.21 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_351246995684.dat 11.07.2009 20:46 260.01 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_361247248242.dat 11.07.2009 20:46 213.45 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_381247039982.dat 11.07.2009 20:46 209.17 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_391247335222.dat 11.07.2009 20:46 188.78 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_401247162835.dat 11.07.2009 20:46 304.56 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_411247323381.dat 11.07.2009 20:46 224.16 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_41247142318.dat 11.07.2009 20:46 189.21 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_421247303322.dat 11.07.2009 20:46 301.55 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_1_2_71247176825.dat 11.07.2009 20:46 234.93 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_3_2_11231224990.dat 11.07.2009 20:46 49.75 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_1_21247165104.dat 11.07.2009 20:46 123.58 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_1_31247164973.dat 11.07.2009 20:47 109.86 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_101247033128.dat 11.07.2009 20:47 252.34 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_111247256316.dat 11.07.2009 20:47 294.29 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_121247322654.dat 11.07.2009 20:47 242.65 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_131247244634.dat 11.07.2009 20:47 222.74 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_141247322523.dat 11.07.2009 20:47 240.60 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_151247177118.dat 11.07.2009 20:47 246.30 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_21247094310.dat 11.07.2009 20:47 219.59 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_31247322874.dat 11.07.2009 20:47 256.92 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_41247274332.dat 11.07.2009 20:47 217.28 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_51247322690.dat 11.07.2009 20:47 239.48 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_61247322744.dat 11.07.2009 20:47 255.57 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_71247322767.dat 11.07.2009 20:47 316.00 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_81247245548.dat 11.07.2009 20:47 221.60 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_7_2_91247090717.dat 11.07.2009 20:47 269.45 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_8_2_11223394495.dat 11.07.2009 20:47 16.41 KB Hidden from Windows API. C:\WINDOWS\Temp\cteng_8_2_21231227908.dat 11.07.2009 20:47 12.03 KB Hidden from Windows API. C:\WINDOWS\Temp\ct |
12.07.2009, 17:35 | #2 |
/// Helfer-Team | Ist mein System von Rootkits verseucht?! Hallo Donthackme
__________________- Die Anweisungen bitte gründlich lesen und immer streng einhalten, da ich die Reihenfolge nach bestimmten Kriterien vorbereitet habe: 1. ich brauche mehr `Übersicht` bzw Daten über einen längeren Zeitraum - dazu bitte Versteckte- und Systemdateien sichtbar machen:: - Klicke unter Start auf Arbeitsplatz. - Klicke im Menü Extras auf Ordneroptionen. - Dateien und Ordner/Erweiterungen bei bekannten Dateitypen ausblenden --> Haken entfernen - Geschützte und Systemdateien ausblenden --> Haken entfernen - Versteckte Dateien und Ordner/Alle Dateien und Ordner anzeigen --> Haken setzen. - Bei "Geschützte Systemdateien ausblenden" darf kein Häkchen sein und "Alle Dateien und Ordner anzeigen" muss aktiviert sein. 2. - lade Dir das filelist.zip auf deinen Desktop herunter - entpacke die Zip-Datei auf deinen Desktop - starte nun mit einem Doppelklick auf die Datei "filelist.bat" - Dein Editor (Textverarbeitungsprogramm) wird sich öffnen - kopiere aus die erzeugten Logfile alle 7 Verzeichnisse ("C\...") - aber nur die Einträge der letzten 6 Monate - hier in deinem Thread ** vor jedem Eintrag steht ein Datum, also Einträge, die älter als 6 Monate sind bitte herauslöschen! 3. Ich würde gerne noch all deine installierten Programme sehen: Lade dir das Tool CCleaner herunter installieren ("Füge CCleaner Yahoo! Toolbar hinzu" abwählen)-> starten-> unter Options settings-> "german" einstellen dann klick auf "Extra (um die installierten Programme auch anzuzeigen)-> weiter auf "Als Textdatei speichern..." wird eine Textdatei (*.txt) erstellt, kopiere dazu den Inhalt und füge ihn da ein 4. Um einen tieferen Einblick in dein System, um eine mögliche Infektion mit einem Rootkit/Info v.wikipedia.org) aufzuspüren, werden wir ein Tool - Gmer - einsetzen :
** keine Verbindung zu einem Netzwerk und Internet - WLAN nicht vergessen Wenn der Scan beendet ist, bitte alle Programme und Tools wieder aktivieren! 5.
am besten nutze den Code-Tags für deinen Post: vor dein log schreibst du:[code] hier kommt dein logfile rein dahinter:[/code] gruß Coverflow |
13.07.2009, 13:30 | #3 |
Ist mein System von Rootkits verseucht?! Hallo Coverflow!
__________________Vielen Dank für die Antwort! Toll, dass ihr uns Laien hier helft, Malware zu killen. Also, habe versucht alles nach deiner Anleitung auszuführen. Hoffe alles ist nach deinem Geschmack. Habe zufällig etwar über einen Trojaner "manifest" hier im Forum gelesen und auf meinem PC nach dateien mit diesem Namen gesucht. Kam einiges hoch. Kann man manifestieren ob das ein Trojaner ist oder ist das normal?!? LOG ZIP: ----- Root ----------------------------- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\ 13.07.2009 13:21 43 filelist.txt 13.07.2009 12:38 1.598.029.824 pagefile.sys 04.05.2009 22:06 211 boot.ini 11.11.2008 01:44 0 IO.SYS 11.11.2008 01:44 0 MSDOS.SYS 11.11.2008 01:44 0 CONFIG.SYS 11.11.2008 01:44 0 AUTOEXEC.BAT 11.11.2008 01:40 4.128 INFCACHE.1 14.04.2008 15:00 47.564 NTDETECT.COM 14.04.2008 15:00 251.712 ntldr 14.04.2008 15:00 4.952 bootfont.bin 27.01.2003 12:54 0 check.tag 12 Datei(en) 1.598.338.434 Bytes 0 Verzeichnis(se), 136.802.897.920 Bytes frei ----- Windows -------------------------- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS 13.07.2009 12:40 1.125.008 WindowsUpdate.log 13.07.2009 12:39 0 0.log 13.07.2009 12:38 2.048 bootstat.dat 01.07.2009 12:50 615 win.ini 28.06.2009 10:49 63 wininit.ini 13.06.2009 20:33 13.946 ModemLog_HUAWEI Mobile Connect - 3G Modem.txt 02.06.2009 20:18 9.286 ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt 18.05.2009 16:04 227 system.ini 14.05.2009 17:50 117.248 vFind.exe 08.05.2009 16:30 109 oodcnt.INI 07.05.2009 17:10 148 ptkfz.INI 05.05.2009 06:02 612 Recovery.hdt 04.05.2009 22:41 0 nsreg.dat 19.11.2008 09:24 32 CD_Start.INI 15.11.2008 05:25 61 smscfg.ini 15.11.2008 04:31 253.952 Setup1.exe 15.11.2008 04:31 74.752 ST6UNST.EXE 11.11.2008 02:05 10 csup.txt 11.11.2008 01:55 319.488 HideWin.exe 11.11.2008 01:44 0 control.ini 11.11.2008 01:44 316.640 WMSysPr9.prx 11.11.2008 01:44 4.161 ODBCINST.INI 11.11.2008 01:43 749 WindowsShell.Manifest 11.11.2008 01:42 37 vbaddin.ini 11.11.2008 01:42 36 vb.ini 09.09.2008 19:39 16.851.968 RTHDCPL.EXE 19.08.2008 14:26 77.824 SOUNDMAN.EXE 06.08.2008 16:51 1.200.128 RtlUpd.exe 29.07.2008 16:42 528.384 RtlExUpd.dll 14.07.2008 05:09 212.728 CMDLIC.DLL 14.07.2008 05:09 205.560 UNBOC.EXE 19.06.2008 17:42 2.808.832 ALCWZRD.EXE 19.06.2008 17:27 9.715.200 RTLCPL.EXE 19.06.2008 17:20 57.344 ALCMTR.EXE 23.05.2008 18:02 12.288 MSIECO 14.04.2008 15:00 26.582 Granit.bmp 14.04.2008 15:00 153.600 regedit.exe 14.04.2008 15:00 17.362 Rhododendron.bmp 14.04.2008 15:00 16.730 Feder.bmp 14.04.2008 15:00 26.680 F„cher.bmp 14.04.2008 15:00 65.954 Pr„riewind.bmp 14.04.2008 15:00 10.752 hh.exe 14.04.2008 15:00 70.144 NOTEPAD.EXE 14.04.2008 15:00 65.832 Santa Fe-Stuck.bmp 14.04.2008 15:00 9.522 Zapotek.bmp 14.04.2008 15:00 65.978 Seifenblase.bmp 14.04.2008 15:00 80 explorer.scf 14.04.2008 15:00 257.568 winhelp.exe 14.04.2008 15:00 1.036.800 explorer.exe 14.04.2008 15:00 1.405 msdfmap.ini 14.04.2008 15:00 2 desktop.ini 14.04.2008 15:00 48.680 winnt256.bmp 14.04.2008 15:00 17.336 Angler.bmp 14.04.2008 15:00 48.680 winnt.bmp 14.04.2008 15:00 15.872 TASKMAN.EXE 14.04.2008 15:00 94.800 twain.dll 14.04.2008 15:00 50.688 twain_32.dll 14.04.2008 15:00 49.680 twunk_16.exe 14.04.2008 15:00 25.600 twunk_32.exe 14.04.2008 15:00 17.062 Kaffeetasse.bmp 14.04.2008 15:00 1.272 Blaue Spitzen 16.bmp 14.04.2008 15:00 34.818 wmprfDEU.prx 14.04.2008 15:00 288.768 winhlp32.exe 14.04.2008 15:00 707 _default.pif 14.04.2008 15:00 18.944 vmmreg32.dll 14.04.2008 15:00 82.944 clock.avi 20.11.2007 19:15 1.826.816 SkyTel.exe 14.11.2007 16:18 553 USetup.iss 28.06.2007 17:44 2.165.760 MicCal.exe 16.08.2006 14:22 626.688 DBREG.dll 08.08.2006 10:31 131.584 DBReg.exe 04.08.2006 13:26 16.070 German2.ini 07.04.2006 14:29 29.798 corelpf.lrs 31.08.2000 08:00 98.816 sed.exe 31.08.2000 08:00 161.792 SWREG.exe 31.08.2000 08:00 80.412 grep.exe 31.08.2000 08:00 68.096 zip.exe 31.08.2000 08:00 136.704 SWSC.exe 78 Datei(en) 41.873.415 Bytes 0 Verzeichnis(se), 136.802.893.824 Bytes frei ----- System --- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS\system 14.04.2008 15:00 70.368 AVICAP.DLL 14.04.2008 15:00 109.504 AVIFILE.DLL 14.04.2008 15:00 33.744 COMMDLG.DLL 14.04.2008 15:00 2.000 KEYBOARD.DRV 14.04.2008 15:00 9.936 LZEXPAND.DLL 14.04.2008 15:00 73.760 MCIAVI.DRV 14.04.2008 15:00 25.296 MCISEQ.DRV 14.04.2008 15:00 28.160 MCIWAVE.DRV 14.04.2008 15:00 69.632 MMSYSTEM.DLL 14.04.2008 15:00 1.152 MMTASK.TSK 14.04.2008 15:00 2.032 MOUSE.DRV 14.04.2008 15:00 127.104 MSVIDEO.DLL 14.04.2008 15:00 82.944 OLECLI.DLL 14.04.2008 15:00 24.064 OLESVR.DLL 14.04.2008 15:00 59.167 setup.inf 14.04.2008 15:00 5.120 SHELL.DLL 14.04.2008 15:00 1.744 SOUND.DRV 14.04.2008 15:00 5.532 stdole.tlb 14.04.2008 15:00 3.360 SYSTEM.DRV 14.04.2008 15:00 19.200 TAPI.DLL 14.04.2008 15:00 4.048 TIMER.DRV 14.04.2008 15:00 9.200 VER.DLL 14.04.2008 15:00 2.176 VGA.DRV 14.04.2008 15:00 13.600 WFWNET.DRV 14.04.2008 15:00 146.944 WINSPOOL.DRV 25 Datei(en) 929.787 Bytes 0 Verzeichnis(se), 136.803.479.552 Bytes frei ----- System 32 (Achtung: Zeitfenster beachten!) --- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS\system32 11.07.2009 20:49 8.627 PAV_FOG.OPC 11.07.2009 12:38 1.158 wpa.dbl 07.07.2009 16:44 117.360 FNTCACHE.DAT 03.07.2009 08:48 433.332 perfh009.dat 03.07.2009 08:48 68.096 perfc009.dat 03.07.2009 08:48 449.966 perfh007.dat 03.07.2009 08:48 80.822 perfc007.dat 03.07.2009 08:48 1.044.576 PerfStringBackup.INI 26.06.2009 12:15 253 PavCPL.dat 01.06.2009 18:51 23.635.392 MRT.exe 21.05.2009 11:34 148.888 javaws.exe 21.05.2009 11:34 144.792 javaw.exe 21.05.2009 11:34 144.792 java.exe 21.05.2009 11:33 410.984 deploytk.dll 21.05.2009 09:35 73.728 javacpl.cpl 13.05.2009 07:02 915.456 wininet.dll 13.05.2009 07:02 5.936.128 mshtml.dll 08.05.2009 16:28 8.439 OODBS.lor 07.05.2009 17:32 348.160 localspl.dll 04.05.2009 22:06 1.518 $winnt$.inf 04.05.2009 22:05 5.208 pid.PNF 30.04.2009 23:13 1.985.024 iertutil.dll 30.04.2009 23:13 11.064.832 ieframe.dll 30.04.2009 23:12 1.469.440 inetcpl.cpl 30.04.2009 23:12 25.600 jsproxy.dll 30.04.2009 23:12 1.207.808 urlmon.dll 30.04.2009 23:12 385.536 iedkcs32.dll 30.04.2009 13:21 173.056 ie4uinit.exe 19.04.2009 21:46 1.847.296 win32k.sys 15.04.2009 16:51 585.216 rpcrt4.dll 21.03.2009 16:06 1.063.424 kernel32.dll 17.03.2009 18:07 87.296 PavLspHook.dll 08.03.2009 14:29 1.302.528 ieframe.dll.mui 08.03.2009 14:29 57.344 msrating.dll.mui 08.03.2009 14:28 2.560 mshta.exe.mui 08.03.2009 14:27 4.096 ie4uinit.exe.mui 08.03.2009 14:27 12.288 advpack.dll.mui 08.03.2009 14:27 81.920 iedkcs32.dll.mui 08.03.2009 04:35 385.024 html.iec 08.03.2009 04:34 208.384 WinFXDocObj.exe 08.03.2009 04:34 236.544 webcheck.dll 08.03.2009 04:34 43.008 licmgr10.dll 08.03.2009 04:34 105.984 url.dll 08.03.2009 04:34 193.536 msrating.dll 08.03.2009 04:34 109.568 occache.dll 08.03.2009 04:33 18.944 corpol.dll 08.03.2009 04:33 726.528 jscript.dll 08.03.2009 04:33 229.376 ieaksie.dll 08.03.2009 04:33 420.352 vbscript.dll 08.03.2009 04:33 125.952 ieakeng.dll 08.03.2009 04:32 72.704 admparse.dll 08.03.2009 04:32 163.840 ieakui.dll 08.03.2009 04:32 36.864 ieudinit.exe 08.03.2009 04:32 71.680 iesetup.dll 08.03.2009 04:32 55.808 iernonce.dll 08.03.2009 04:32 128.512 advpack.dll 08.03.2009 04:32 94.720 inseng.dll 08.03.2009 04:32 594.432 msfeeds.dll 08.03.2009 04:32 611.840 mstime.dll 08.03.2009 04:31 183.808 iepeers.dll 08.03.2009 04:31 13.312 msfeedssync.exe 08.03.2009 04:31 59.904 icardie.dll 08.03.2009 04:31 55.296 msfeedsbs.dll 08.03.2009 04:31 348.160 dxtmsft.dll 08.03.2009 04:31 34.816 imgutil.dll 08.03.2009 04:31 216.064 dxtrans.dll 08.03.2009 04:31 46.592 pngfilt.dll 08.03.2009 04:31 66.560 mshtmled.dll 08.03.2009 04:31 48.128 mshtmler.dll 08.03.2009 04:31 1.638.912 mshtml.tlb 08.03.2009 04:31 45.568 mshta.exe 08.03.2009 04:30 66.560 tdc.ocx 08.03.2009 04:22 164.352 ieui.dll 08.03.2009 04:22 156.160 msls31.dll 08.03.2009 04:15 57.667 ieuinit.inf 08.03.2009 04:11 445.952 ieapfltr.dll 06.03.2009 16:19 286.720 pdh.dll 20.02.2009 18:49 133.120 extmgr.dll 12.02.2009 22:20 6.873 IE8Eula.rtf 09.02.2009 13:21 2.026.496 ntkrnlpa.exe 09.02.2009 13:21 2.147.840 ntoskrnl.exe 09.02.2009 13:21 111.104 services.exe 09.02.2009 12:51 736.768 lsasrv.dll 09.02.2009 12:51 401.408 rpcss.dll 09.02.2009 12:51 678.400 advapi32.dll 09.02.2009 12:51 740.352 ntdll.dll 06.02.2009 21:07 3.698.584 ieapfltr.dat 06.02.2009 12:39 35.328 sc.exe 03.02.2009 21:57 56.832 secur32.dll 07.01.2009 18:21 121.856 xmllite.dll 07.01.2009 18:20 24.576 nlsdl.dll 07.01.2009 18:20 59.342 normidna.nls 07.01.2009 18:20 23.552 normaliz.dll 07.01.2009 18:20 26.112 idndl.dll 07.01.2009 18:20 45.794 normnfc.nls 07.01.2009 18:20 39.284 normnfd.nls 07.01.2009 18:20 60.294 normnfkd.nls 07.01.2009 18:20 66.384 normnfkc.nls 07.01.2009 18:20 18.464 spmsg.dll 07.01.2009 18:20 26.144 spupdsvc.exe 07.01.2009 18:20 8.798 icrav03.rat 07.01.2009 18:20 265.720 msdbg2.dll 21.12.2008 00:13 1.293.824 quartz.dll 16.12.2008 14:30 354.304 winhttp.dll 05.12.2008 08:55 144.896 schannel.dll 19.11.2008 09:33 333 $ncsp$.inf 11.11.2008 18:34 10.838.016 wmp.dll 11.11.2008 02:29 16.832 amcompat.tlb 11.11.2008 02:29 23.392 nscompat.tlb 11.11.2008 02:02 940.794 LoopyMusic.wav 11.11.2008 02:02 146.650 BuzzingBee.wav 11.11.2008 01:44 2.951 CONFIG.NT 11.11.2008 01:43 488 logonui.exe.manifest 11.11.2008 01:43 488 WindowsLogon.manifest 11.11.2008 01:43 749 sapi.cpl.manifest 11.11.2008 01:43 749 cdplayer.exe.manifest 11.11.2008 01:43 749 wuaucpl.cpl.manifest 11.11.2008 01:43 749 ncpa.cpl.manifest 11.11.2008 01:43 749 nwc.cpl.manifest 11.11.2008 01:42 21.740 emptyregdb.dat 11.11.2008 01:41 0 h323log.txt 24.10.2008 22:50 34.152 netathw.cat 23.10.2008 14:36 286.720 gdi32.dll 23.10.2008 12:06 62.976 tzchange.exe 21.10.2008 15:18 1.337.984 athw.sys 21.10.2008 15:17 163.204 netathw.inf 16.10.2008 14:13 1.809.944 wuaueng.dll 16.10.2008 14:12 202.776 wuweb.dll 16.10.2008 14:12 323.608 wucltui.dll 16.10.2008 14:12 561.688 wuapi.dll 16.10.2008 14:12 213.528 wuaucpl.cpl 16.10.2008 14:09 43.544 wups2.dll 16.10.2008 14:09 51.224 wuauclt.exe 16.10.2008 14:09 92.696 cdm.dll 16.10.2008 14:08 34.328 wups.dll 16.10.2008 14:08 31.768 wucltui.dll.mui 16.10.2008 14:08 27.672 wuaucpl.cpl.mui 16.10.2008 14:08 27.672 wuapi.dll.mui 16.10.2008 14:07 208.744 muweb.dll 16.10.2008 14:07 18.968 wuaueng.dll.mui 16.10.2008 14:06 268.648 mucltui.dll 16.10.2008 14:06 27.496 mucltui.dll.mui 15.10.2008 18:35 337.408 netapi32.dll 03.10.2008 12:03 247.326 strmdll.dll ----- Prefetch ------------------------- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS\Prefetch 13.07.2009 13:21 11.644 FIND.EXE-0EC32F1E.pf 13.07.2009 13:21 14.422 CMD.EXE-087B4001.pf 13.07.2009 13:21 24.720 VERCLSID.EXE-3667BD89.pf 13.07.2009 13:18 21.176 A2SERVICE.EXE-0190A05B.pf 13.07.2009 13:18 48.452 A2GUARD.EXE-147BDBBC.pf 13.07.2009 13:14 10.840 GWFEED.EXE-1A221CF6.pf 13.07.2009 13:11 57.902 CCLEANER.EXE-065E2F3F.pf 13.07.2009 13:09 25.304 WMIPRVSE.EXE-28F301A9.pf 13.07.2009 13:09 16.254 PLATASKS.EXE-07D942B4.pf 13.07.2009 13:04 61.730 A2SCAN.EXE-2D885BDB.pf 13.07.2009 12:44 122.190 UPGRADER.EXE-286D5E8E.pf 13.07.2009 12:42 18.430 WMIADAP.EXE-2DF425B2.pf 13.07.2009 12:41 153.302 FIREFOX.EXE-1D57670A.pf 13.07.2009 12:41 80.424 AVCIMAN.EXE-25761609.pf 13.07.2009 12:41 12.970 PSIMREAL.EXE-2C435AD3.pf 13.07.2009 12:41 14.802 SVCHOST.EXE-3530F672.pf 13.07.2009 12:40 22.212 RTHDCPL.EXE-06918CFA.pf 13.07.2009 12:40 48.980 AWC.EXE-0B49E328.pf 13.07.2009 12:40 22.796 PSI.EXE-1B18CA34.pf 13.07.2009 12:40 20.780 UNSECAPP.EXE-1A95A33B.pf 13.07.2009 12:40 30.386 MGSYSCTRL.EXE-161B5FD2.pf 13.07.2009 12:40 84.008 PAVBCKPT.EXE-11BBFA1C.pf 13.07.2009 12:40 65.096 IOBIT SMARTDEFRAG.EXE-0D1D9BBF.pf 13.07.2009 12:40 54.716 INICIO.EXE-1E7C6DA5.pf 13.07.2009 12:40 22.924 WUAUCLT.EXE-399A8E72.pf 13.07.2009 12:40 67.920 SRVLOAD.EXE-17D5D9D5.pf 13.07.2009 12:40 59.774 APVXDWIN.EXE-2F420686.pf 13.07.2009 12:40 5.958 PSCLEAN.EXE-2E6ABB78.pf 13.07.2009 12:40 29.198 USERINIT.EXE-30B18140.pf 13.07.2009 12:40 65.470 EXPLORER.EXE-082F38A9.pf 13.07.2009 01:22 88.212 PAVJOBS.EXE-2A645B8B.pf 13.07.2009 01:22 57.036 A2START.EXE-245D0830.pf 13.07.2009 00:14 21.556 FSBL.EXE-1248E9F0.pf 13.07.2009 00:06 72.018 WEBPROXY.EXE-01181049.pf 13.07.2009 00:06 80.288 PAVW.EXE-356A9B81.pf 13.07.2009 00:06 66.502 IFACE.EXE-07C00ADB.pf 13.07.2009 00:05 63.364 HIJACKTHIS.EXE-39024128.pf 12.07.2009 23:53 14.262 SSSTARS.SCR-2D6FC20D.pf 12.07.2009 23:28 15.270 5TH5CNFL.EXE-1EA87545.pf 12.07.2009 23:25 9.640 WSCNTFY.EXE-1B24F5EB.pf 12.07.2009 23:25 16.916 RUNDLL32.EXE-1218E1AC.pf 12.07.2009 23:19 12.986 JAVA.EXE-2167859B.pf 12.07.2009 23:15 13.172 JUSCHED.EXE-336229D9.pf 12.07.2009 19:22 59.354 LOGONUI.EXE-0AF22957.pf 12.07.2009 18:27 13.172 DFRGNTFS.EXE-269967DF.pf 12.07.2009 18:27 15.768 DEFRAG.EXE-273F131E.pf 12.07.2009 18:27 382.918 Layout.ini 12.07.2009 18:03 97.520 NOTEPAD.EXE-336351A9.pf 12.07.2009 17:27 15.624 NET.EXE-01A53C2F.pf 12.07.2009 17:27 17.696 NET1.EXE-029B9DB4.pf 12.07.2009 17:22 82.688 MBAM.EXE-11D8BBD8.pf 12.07.2009 16:37 65.298 HELPSVC.EXE-2878DDA2.pf 12.07.2009 15:44 22.486 MSHTA.EXE-331DF029.pf 12.07.2009 15:44 16.162 RUNDLL32.EXE-19F507BE.pf 12.07.2009 15:44 15.424 IGFXSRVC.EXE-2FB63FE8.pf 12.07.2009 15:04 36.136 SUP_DISKCLEANER.EXE-128913D9.pf 12.07.2009 14:58 31.454 SUS_SYSTEMFILESCAN.EXE-146827F1.pf 11.07.2009 23:49 37.396 AU_.EXE-0E7708CE.pf 11.07.2009 23:49 19.642 AVGARKT.EXE-36D0BE99.pf 11.07.2009 23:49 12.862 9MTRVJ.EXE-2BD94AF4.pf 11.07.2009 23:49 59.210 UNINSTALL.EXE-0462C863.pf 11.07.2009 23:48 64.762 REVOUNINSTALLER.EXE-061D4878.pf 11.07.2009 23:47 72.856 CLEANMGR.EXE-1F86EA8E.pf 11.07.2009 23:22 20.342 REGCLEANER.EXE-32B2B427.pf 11.07.2009 20:43 14.738 JQSNOTIFY.EXE-1E60A522.pf 11.07.2009 12:44 108.256 SOFFICE.BIN-1E52E616.pf 11.07.2009 12:43 20.828 SOFFICE.EXE-26427B3D.pf 19.11.2008 09:32 842.376 NTOSBOOT-B00DFAAD.pf 68 Datei(en) 3.970.970 Bytes 0 Verzeichnis(se), 136.803.344.384 Bytes frei ----- Tasks ---------------------------- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS\tasks 13.07.2009 12:38 6 SA.DAT 13.07.2009 01:24 32.566 SCHEDLGU.TXT 11.05.2009 21:54 414 Wise Disk Cleaner 4.job 14.04.2008 15:00 65 desktop.ini 4 Datei(en) 33.051 Bytes 0 Verzeichnis(se), 136.803.278.848 Bytes frei ----- Windows/Temp ----------------------- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS\Temp 13.07.2009 12:45 1.758 cteng_index.dat 13.07.2009 12:45 274.560 cteng_7_2_91247436321.dat 13.07.2009 12:45 224.400 cteng_7_2_81247447124.dat 13.07.2009 12:45 220.216 cteng_7_2_41247450720.dat 13.07.2009 12:45 206.916 cteng_7_2_21247439921.dat 13.07.2009 12:45 234.472 cteng_7_2_141247443522.dat 13.07.2009 12:45 220.724 cteng_7_2_131247457918.dat 13.07.2009 12:45 246.980 cteng_7_2_101247461526.dat 13.07.2009 12:45 248.324 cteng_1_2_71247478419.dat 13.07.2009 12:45 270.736 cteng_1_2_421247454028.dat 13.07.2009 12:45 239.616 cteng_1_2_411247446828.dat 13.07.2009 12:45 239.160 cteng_1_2_341247481863.dat 13.07.2009 12:45 242.408 cteng_1_2_261247478056.dat 13.07.2009 12:45 204.048 cteng_1_2_201247475384.dat 13.07.2009 12:45 180.384 cteng_1_2_171247443226.dat 13.07.2009 12:45 191.688 cteng_1_2_161247476441.dat 13.07.2009 12:45 25.084 cteng_1_1_201247450444.dat 13.07.2009 12:45 26.612 cteng_1_1_141247473478.dat 13.07.2009 12:45 31.492 cteng_1_1_121247471029.dat 13.07.2009 12:38 10.354.688 f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_0 13.07.2009 12:38 16.384 Perflib_Perfdata_264.dat 12.07.2009 23:25 206 TechsManager.log 12.07.2009 23:20 26.659 PSSysChk.log 12.07.2009 23:20 250.724 cteng_7_2_61247425516.dat 12.07.2009 23:20 240.184 cteng_7_2_31247432717.dat 12.07.2009 23:20 263.192 cteng_7_2_111247429120.dat 12.07.2009 23:20 204.916 cteng_1_2_71247432419.dat 12.07.2009 23:20 244.704 cteng_1_2_411247429734.dat 12.07.2009 23:20 230.520 cteng_1_2_391247429271.dat 12.07.2009 23:20 218.384 cteng_1_2_361247412659.dat 12.07.2009 23:20 247.848 cteng_1_2_221247414991.dat 12.07.2009 23:20 243.248 cteng_1_2_211247429076.dat 12.07.2009 17:16 12.320 cteng_8_2_21231227908.dat 12.07.2009 17:16 16.804 cteng_8_2_11223394495.dat 12.07.2009 17:16 275.920 cteng_7_2_91247090717.dat 12.07.2009 17:16 226.920 cteng_7_2_81247245548.dat 12.07.2009 17:16 307.064 cteng_7_2_71247349921.dat 12.07.2009 17:16 228.936 cteng_7_2_51247404567.dat 12.07.2009 17:16 222.496 cteng_7_2_41247274332.dat 12.07.2009 17:16 213.240 cteng_7_2_21247353515.dat 12.07.2009 17:16 252.212 cteng_7_2_151247177118.dat 12.07.2009 17:16 256.072 cteng_7_2_141247404418.dat 12.07.2009 17:16 229.980 cteng_7_2_131247403881.dat 12.07.2009 17:16 248.472 cteng_7_2_121247322654.dat 12.07.2009 17:16 258.400 cteng_7_2_101247033128.dat 12.07.2009 17:16 112.492 cteng_7_1_31247164973.dat 12.07.2009 17:16 128.140 cteng_7_1_21247403573.dat 12.07.2009 17:16 50.948 cteng_3_2_11231224990.dat 12.07.2009 17:16 298.004 cteng_1_2_421247364036.dat 12.07.2009 17:16 218.908 cteng_1_2_41247398807.dat 12.07.2009 17:16 311.872 cteng_1_2_401247162835.dat 12.07.2009 17:16 214.188 cteng_1_2_381247039982.dat 12.07.2009 17:16 273.548 cteng_1_2_351247406645.dat 12.07.2009 17:16 208.084 cteng_1_2_341247335332.dat 12.07.2009 17:15 144.228 cteng_1_2_331246824032.dat 12.07.2009 17:15 182.976 cteng_1_2_311247382036.dat 12.07.2009 17:15 244.048 cteng_1_2_301247202044.dat 12.07.2009 17:15 296.124 cteng_1_2_291247270586.dat 12.07.2009 17:15 249.824 cteng_1_2_281247129444.dat 12.07.2009 17:15 269.548 cteng_1_2_271247166050.dat 12.07.2009 17:15 218.372 cteng_1_2_261245798016.dat 12.07.2009 17:15 120.348 cteng_1_2_251246346450.dat 12.07.2009 17:15 231.896 cteng_1_2_241246190449.dat 12.07.2009 17:15 312.700 cteng_1_2_231247240443.dat 12.07.2009 17:15 218.336 cteng_1_2_201247356823.dat 12.07.2009 17:15 212.196 cteng_1_2_181247259618.dat 12.07.2009 17:15 187.288 cteng_1_2_171246320046.dat 12.07.2009 17:15 188.268 cteng_1_2_161247334306.dat 12.07.2009 17:15 255.868 cteng_1_2_151247407391.dat 12.07.2009 17:15 212.896 cteng_1_2_141247184040.dat 12.07.2009 17:15 268.096 cteng_1_2_131247406861.dat 12.07.2009 17:15 31.352 cteng_1_1_91246593662.dat 12.07.2009 17:15 32.116 cteng_1_1_81246356455.dat 12.07.2009 17:15 79.260 cteng_1_1_71245874879.dat 12.07.2009 17:15 31.360 cteng_1_1_41246672830.dat 12.07.2009 17:15 26.528 cteng_1_1_231246881203.dat 12.07.2009 17:15 26.484 cteng_1_1_221247228937.dat 12.07.2009 17:15 31.152 cteng_1_1_211246988921.dat 12.07.2009 17:15 31.124 cteng_1_1_201247139288.dat 12.07.2009 17:15 31.924 cteng_1_1_181247060030.dat 12.07.2009 17:15 35.464 cteng_1_1_161247266835.dat 12.07.2009 17:15 23.428 cteng_1_1_141247353226.dat 12.07.2009 17:15 39.068 cteng_1_1_131247131555.dat 12.07.2009 17:15 24.724 cteng_1_1_121247346023.dat 12.07.2009 17:15 35.608 cteng_1_1_111246906844.dat 12.07.2009 17:15 47.092 cteng_1_1_101247394456.dat 11.07.2009 20:49 10.354.688 f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_1 87 Datei(en) 35.330.639 Bytes 0 Verzeichnis(se), 136.803.201.024 Bytes frei |
13.07.2009, 13:33 | #4 |
Ist mein System von Rootkits verseucht?! ----- Windows/Temp ----------------------- Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 34F1-0D90 Verzeichnis von C:\WINDOWS\Temp 13.07.2009 12:45 1.758 cteng_index.dat 13.07.2009 12:45 274.560 cteng_7_2_91247436321.dat 13.07.2009 12:45 224.400 cteng_7_2_81247447124.dat 13.07.2009 12:45 220.216 cteng_7_2_41247450720.dat 13.07.2009 12:45 206.916 cteng_7_2_21247439921.dat 13.07.2009 12:45 234.472 cteng_7_2_141247443522.dat 13.07.2009 12:45 220.724 cteng_7_2_131247457918.dat 13.07.2009 12:45 246.980 cteng_7_2_101247461526.dat 13.07.2009 12:45 248.324 cteng_1_2_71247478419.dat 13.07.2009 12:45 270.736 cteng_1_2_421247454028.dat 13.07.2009 12:45 239.616 cteng_1_2_411247446828.dat 13.07.2009 12:45 239.160 cteng_1_2_341247481863.dat 13.07.2009 12:45 242.408 cteng_1_2_261247478056.dat 13.07.2009 12:45 204.048 cteng_1_2_201247475384.dat 13.07.2009 12:45 180.384 cteng_1_2_171247443226.dat 13.07.2009 12:45 191.688 cteng_1_2_161247476441.dat 13.07.2009 12:45 25.084 cteng_1_1_201247450444.dat 13.07.2009 12:45 26.612 cteng_1_1_141247473478.dat 13.07.2009 12:45 31.492 cteng_1_1_121247471029.dat 13.07.2009 12:38 10.354.688 f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_0 13.07.2009 12:38 16.384 Perflib_Perfdata_264.dat 12.07.2009 23:25 206 TechsManager.log 12.07.2009 23:20 26.659 PSSysChk.log 12.07.2009 23:20 250.724 cteng_7_2_61247425516.dat 12.07.2009 23:20 240.184 cteng_7_2_31247432717.dat 12.07.2009 23:20 263.192 cteng_7_2_111247429120.dat 12.07.2009 23:20 204.916 cteng_1_2_71247432419.dat 12.07.2009 23:20 244.704 cteng_1_2_411247429734.dat 12.07.2009 23:20 230.520 cteng_1_2_391247429271.dat 12.07.2009 23:20 218.384 cteng_1_2_361247412659.dat 12.07.2009 23:20 247.848 cteng_1_2_221247414991.dat 12.07.2009 23:20 243.248 cteng_1_2_211247429076.dat 12.07.2009 17:16 12.320 cteng_8_2_21231227908.dat 12.07.2009 17:16 16.804 cteng_8_2_11223394495.dat 12.07.2009 17:16 275.920 cteng_7_2_91247090717.dat 12.07.2009 17:16 226.920 cteng_7_2_81247245548.dat 12.07.2009 17:16 307.064 cteng_7_2_71247349921.dat 12.07.2009 17:16 228.936 cteng_7_2_51247404567.dat 12.07.2009 17:16 222.496 cteng_7_2_41247274332.dat 12.07.2009 17:16 213.240 cteng_7_2_21247353515.dat 12.07.2009 17:16 252.212 cteng_7_2_151247177118.dat 12.07.2009 17:16 256.072 cteng_7_2_141247404418.dat 12.07.2009 17:16 229.980 cteng_7_2_131247403881.dat 12.07.2009 17:16 248.472 cteng_7_2_121247322654.dat 12.07.2009 17:16 258.400 cteng_7_2_101247033128.dat 12.07.2009 17:16 112.492 cteng_7_1_31247164973.dat 12.07.2009 17:16 128.140 cteng_7_1_21247403573.dat 12.07.2009 17:16 50.948 cteng_3_2_11231224990.dat 12.07.2009 17:16 298.004 cteng_1_2_421247364036.dat 12.07.2009 17:16 218.908 cteng_1_2_41247398807.dat 12.07.2009 17:16 311.872 cteng_1_2_401247162835.dat 12.07.2009 17:16 214.188 cteng_1_2_381247039982.dat 12.07.2009 17:16 273.548 cteng_1_2_351247406645.dat 12.07.2009 17:16 208.084 cteng_1_2_341247335332.dat 12.07.2009 17:15 144.228 cteng_1_2_331246824032.dat 12.07.2009 17:15 182.976 cteng_1_2_311247382036.dat 12.07.2009 17:15 244.048 cteng_1_2_301247202044.dat 12.07.2009 17:15 296.124 cteng_1_2_291247270586.dat 12.07.2009 17:15 249.824 cteng_1_2_281247129444.dat 12.07.2009 17:15 269.548 cteng_1_2_271247166050.dat 12.07.2009 17:15 218.372 cteng_1_2_261245798016.dat 12.07.2009 17:15 120.348 cteng_1_2_251246346450.dat 12.07.2009 17:15 231.896 cteng_1_2_241246190449.dat 12.07.2009 17:15 312.700 cteng_1_2_231247240443.dat 12.07.2009 17:15 218.336 cteng_1_2_201247356823.dat 12.07.2009 17:15 212.196 cteng_1_2_181247259618.dat 12.07.2009 17:15 187.288 cteng_1_2_171246320046.dat 12.07.2009 17:15 188.268 cteng_1_2_161247334306.dat 12.07.2009 17:15 255.868 cteng_1_2_151247407391.dat 12.07.2009 17:15 212.896 cteng_1_2_141247184040.dat 12.07.2009 17:15 268.096 cteng_1_2_131247406861.dat 12.07.2009 17:15 31.352 cteng_1_1_91246593662.dat 12.07.2009 17:15 32.116 cteng_1_1_81246356455.dat 12.07.2009 17:15 79.260 cteng_1_1_71245874879.dat 12.07.2009 17:15 31.360 cteng_1_1_41246672830.dat 12.07.2009 17:15 26.528 cteng_1_1_231246881203.dat 12.07.2009 17:15 26.484 cteng_1_1_221247228937.dat 12.07.2009 17:15 31.152 cteng_1_1_211246988921.dat 12.07.2009 17:15 31.124 cteng_1_1_201247139288.dat 12.07.2009 17:15 31.924 cteng_1_1_181247060030.dat 12.07.2009 17:15 35.464 cteng_1_1_161247266835.dat 12.07.2009 17:15 23.428 cteng_1_1_141247353226.dat 12.07.2009 17:15 39.068 cteng_1_1_131247131555.dat 12.07.2009 17:15 24.724 cteng_1_1_121247346023.dat 12.07.2009 17:15 35.608 cteng_1_1_111246906844.dat 12.07.2009 17:15 47.092 cteng_1_1_101247394456.dat 11.07.2009 20:49 10.354.688 f4d4851e8935eebef0f2eb52b3212bc9PSK_PLUGINS_1 87 Datei(en) 35.330.639 Bytes 0 Verzeichnis(se), 136.803.201.024 Bytes frei -07/13/09 14:18:52 [Info]: BlackLight Engine 2.2.1092 initialized 07/13/09 14:18:52 [Info]: OS: 5.1 build 2600 (Service Pack 3) 07/13/09 14:18:53 [Note]: 7019 4 07/13/09 14:18:53 [Note]: 7005 0 07/13/09 14:18:54 [Note]: 7006 0 07/13/09 14:18:54 [Note]: 7011 2080 07/13/09 14:18:55 [Note]: 7035 0 07/13/09 14:18:55 [Note]: 7026 0 07/13/09 14:18:55 [Note]: 7026 0 07/13/09 14:18:58 [Note]: FSRAW library version 1.7.1024 07/13/09 14:20:46 [Note]: 7007 0 LOG CCleaner: Adobe Flash Player 10 Plugin Adobe Reader 9.1.2 - Deutsch Advanced SystemCare 3 a-squared Anti-Malware 4.0 Atheros Client Installation Program CCleaner (remove only) CheckDrive CorelDRAW Essential Edition 3 DivX Codec EuroRoute 2008 Eusing Free Registry Cleaner HijackThis 2.0.2 Intel(R) Graphics Media Accelerator Driver Java(TM) 6 Update 13 Java(TM) 6 Update 14 Malwarebytes' Anti-Malware Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU Microsoft .NET Framework 3.5 Language Pack SP1 - DEU Microsoft .NET Framework 3.5 SP1 Microsoft Visual C++ 2005 Redistributable Mozilla Firefox (3.5) MSXML 4.0 SP2 (KB954430) OpenOffice.org 3.1 Panda Internet Security 2009 PC-Trainer Kfz-Technik REALTEK GbE & FE Ethernet PCI-E NIC Driver Realtek High Definition Audio Driver Revo Uninstaller 1.83 Secunia PSI Shredder Classic 3 Smart Defrag 1.11 Sophos Anti-Rootkit 1.3.1 Spelling Dictionaries Support For Adobe Reader 9 Spyware Doctor 6.0 System Control Manager USB2.0 Card Reader Software VLC media player 0.9.9 Windows Genuine Advantage Validation Tool (KB892130) Windows Internet Explorer 8 Windows Live OneCare safety scanner Windows Media Format 11 runtime Windows Media Player 11 Wise Disk Cleaner 4.24 xp-AntiSpy 3.97-3 |
13.07.2009, 13:40 | #5 |
Ist mein System von Rootkits verseucht?! ok, gmer log kommt noch, muss in mini Teile aufteilen, weil das so gross ist. Hat aber nichts gefunden! |
13.07.2009, 17:51 | #6 |
Ist mein System von Rootkits verseucht?! GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-07-13 14:11:38 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.15 ---- SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF737D514] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF736C282] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF736C474] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF737DD00] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF737DFB8] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF737C3FA] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF737E422] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF737D7D8] SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Protection driver/Panda Security, S.L.) ZwTerminateProcess [0xA9957A30] SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Protection driver/Panda Security, S.L.) ZwTerminateThread [0xA9956E50] ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\PavTPK.sys Das System kann die angegebene Datei nicht finden. ! ? C:\WINDOWS\system32\PavSRK.sys Das System kann die angegebene Datei nicht finden. ! ? system32\drivers\av5flt.sys Das System kann den angegebenen Pfad nicht finden. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!sendto 71A12F51 6 Bytes JMP 5F100F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!recvfrom 71A12FF7 6 Bytes JMP 5F0A0F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!closesocket 71A13E2B 6 Bytes JMP 5F220F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!connect 71A14A07 6 Bytes JMP 5F040F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!send 71A14C27 6 Bytes JMP 5F0D0F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!WSARecv 71A14CB5 6 Bytes JMP 5F160F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!recv 71A1676F 6 Bytes JMP 5F070F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!WSASend 71A168FA 6 Bytes JMP 5F1C0F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!WSARecvFrom 71A1F66A 6 Bytes JMP 5F190F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!WSASendTo 71A20AAD 6 Bytes JMP 5F1F0F5A .text C:\Programme\Java\jre6\bin\jqs.exe[612] WS2_32.dll!WSAConnect 71A20C81 6 Bytes JMP 5F130F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtClose 7C91CFEE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtClose + 4 7C91CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtCreateFile 7C91D0AE 1 Byte [FF] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtCreateFile 7C91D0AE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtCreateFile + 4 7C91D0B2 2 Bytes [65, 5F] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtCreateKey 7C91D0EE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtCreateKey + 4 7C91D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDeleteFile 7C91D23E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDeleteFile + 4 7C91D242 2 Bytes [68, 5F] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDeleteKey 7C91D24E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDeleteKey + 4 7C91D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDeleteValueKey 7C91D26E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDeleteValueKey + 4 7C91D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDuplicateObject 7C91D29E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtDuplicateObject + 4 7C91D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtEnumerateKey 7C91D2CE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtEnumerateKey + 4 7C91D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtEnumerateValueKey 7C91D2EE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtEnumerateValueKey + 4 7C91D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtLoadDriver 7C91D46E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtLoadDriver + 4 7C91D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtOpenFile 7C91D59E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtOpenFile + 4 7C91D5A2 2 Bytes [6B, 5F] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtQueryMultipleValueKey 7C91D86E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtQueryMultipleValueKey + 4 7C91D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtQueryValueKey 7C91D96E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtQueryValueKey + 4 7C91D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtReadFile 7C91D9CE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtReadFile + 4 7C91D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtSetContextThread 7C91DBAE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtSetContextThread + 4 7C91DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtSetInformationFile 7C91DC5E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtSetInformationFile + 4 7C91DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtSetValueKey 7C91DDCE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtSetValueKey + 4 7C91DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtUnloadKey 7C91DECE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtUnloadKey + 4 7C91DED2 2 Bytes [62, 5F] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtWriteFile 7C91DF7E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtWriteFile + 4 7C91DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ntdll.dll!NtWriteVirtualMemory + 4 7C91DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3E, 5F] .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ole32.dll!CoCreateInstanceEx 774D0526 6 Bytes JMP 5F880F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ole32.dll!CoGetClassObject 774E56C5 6 Bytes JMP 5F850F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ole32.dll!CLSIDFromProgID 774E87F2 6 Bytes JMP 5F820F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ole32.dll!CLSIDFromProgIDEx 7752620D 6 Bytes JMP 5F7F0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!CloseServiceHandle 77DB6CE5 6 Bytes JMP 5F100F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!OpenServiceW 77DB6FFD 6 Bytes JMP 5F220F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!StartServiceA 77DBFB58 6 Bytes JMP 5F250F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!StartServiceW 77DC3E94 6 Bytes JMP 5F280F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!ControlService 77DC4A09 6 Bytes JMP 5F130F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!OpenServiceA 77DC4C66 6 Bytes JMP 5F1F0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!LsaAddAccountRights 77DEABF1 6 Bytes JMP 5F2B0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!LsaRemoveAccountRights 77DEAC91 6 Bytes JMP 5F2E0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 6 Bytes JMP 5F040F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!ChangeServiceConfigW 77E07001 6 Bytes JMP 5F070F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 6 Bytes JMP 5F0A0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E0718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!CreateServiceA 77E07211 6 Bytes JMP 5F160F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!CreateServiceW 77E073A9 6 Bytes JMP 5F190F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] ADVAPI32.dll!DeleteService 77E074B1 6 Bytes JMP 5F1C0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!sendto 71A12F51 6 Bytes JMP 5FC70F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!recvfrom 71A12FF7 6 Bytes JMP 5FC10F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!closesocket 71A13E2B 6 Bytes JMP 5FD90F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!connect 71A14A07 6 Bytes JMP 5FBB0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!send 71A14C27 6 Bytes JMP 5FC40F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!WSARecv 71A14CB5 6 Bytes JMP 5FCD0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!recv 71A1676F 6 Bytes JMP 5FBE0F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!WSASend 71A168FA 6 Bytes JMP 5FD30F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!WSARecvFrom 71A1F66A 6 Bytes JMP 5FD00F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!WSASendTo 71A20AAD 6 Bytes JMP 5FD60F5A .text C:\Programme\System Control Manager\MSIService.exe[1224] WS2_32.dll!WSAConnect 71A20C81 6 Bytes JMP 5FCA0F5A |
13.07.2009, 17:54 | #7 |
Ist mein System von Rootkits verseucht?! Continue GMER log .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtSetInformationFile + 4 7C91DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtSetValueKey 7C91DDCE 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtSetValueKey + 4 7C91DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtUnloadKey 7C91DECE 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtUnloadKey + 4 7C91DED2 2 Bytes [62, 5F] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtWriteFile 7C91DF7E 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtWriteFile + 4 7C91DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ntdll.dll!NtWriteVirtualMemory + 4 7C91DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DC0001 .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3E, 5F] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FAF0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F8E0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA00F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F8B0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [AA, 5F] {STOSB ; POP EDI} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FAC0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F9A0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F910F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA30F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F880F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB20F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F850F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FA60F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F9D0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!CloseServiceHandle 77DB6CE5 6 Bytes JMP 5F100F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!OpenServiceW 77DB6FFD 6 Bytes JMP 5F220F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!StartServiceA 77DBFB58 6 Bytes JMP 5F250F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!StartServiceW 77DC3E94 6 Bytes JMP 5F280F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!ControlService 77DC4A09 6 Bytes JMP 5F130F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!OpenServiceA 77DC4C66 6 Bytes JMP 5F1F0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!LsaAddAccountRights 77DEABF1 6 Bytes JMP 5F2B0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!LsaRemoveAccountRights 77DEAC91 6 Bytes JMP 5F2E0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 6 Bytes JMP 5F040F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!ChangeServiceConfigW 77E07001 6 Bytes JMP 5F070F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 6 Bytes JMP 5F0A0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 3 Bytes [FF, 25, 1E] .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E0718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!CreateServiceA 77E07211 6 Bytes JMP 5F160F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!CreateServiceW 77E073A9 6 Bytes JMP 5F190F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ADVAPI32.dll!DeleteService 77E074B1 6 Bytes JMP 5F1C0F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ole32.dll!CLSIDFromProgID 774E87F2 6 Bytes JMP 5F820F5A .text C:\Programme\Panda Security\Panda Internet Security 2009\PavBckPT.exe[2388] ole32.dll!CLSIDFromProgIDEx 7752620D 6 Bytes JMP 5F7F0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtClose 7C91CFEE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtClose + 4 7C91CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtCreateFile 7C91D0AE 1 Byte [FF] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtCreateFile 7C91D0AE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtCreateFile + 4 7C91D0B2 2 Bytes [65, 5F] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtCreateKey 7C91D0EE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtCreateKey + 4 7C91D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDeleteFile 7C91D23E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDeleteFile + 4 7C91D242 2 Bytes [68, 5F] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDeleteKey 7C91D24E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDeleteKey + 4 7C91D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDeleteValueKey 7C91D26E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDeleteValueKey + 4 7C91D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDuplicateObject 7C91D29E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtDuplicateObject + 4 7C91D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtEnumerateKey 7C91D2CE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtEnumerateKey + 4 7C91D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtEnumerateValueKey 7C91D2EE 3 Bytes [FF, 25, 1E] .text |
13.07.2009, 17:56 | #8 |
Ist mein System von Rootkits verseucht?! Continue GMER log: C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtEnumerateValueKey + 4 7C91D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtLoadDriver 7C91D46E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtLoadDriver + 4 7C91D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtOpenFile 7C91D59E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtOpenFile + 4 7C91D5A2 2 Bytes [6B, 5F] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtQueryMultipleValueKey 7C91D86E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtQueryMultipleValueKey + 4 7C91D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtQueryValueKey 7C91D96E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtQueryValueKey + 4 7C91D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtReadFile 7C91D9CE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtReadFile + 4 7C91D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtSetContextThread 7C91DBAE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtSetContextThread + 4 7C91DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtSetInformationFile 7C91DC5E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtSetInformationFile + 4 7C91DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtSetValueKey 7C91DDCE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtSetValueKey + 4 7C91DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtUnloadKey 7C91DECE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtUnloadKey + 4 7C91DED2 2 Bytes [62, 5F] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtWriteFile 7C91DF7E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtWriteFile + 4 7C91DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ntdll.dll!NtWriteVirtualMemory + 4 7C91DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3E, 5F] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045493D C:\Programme\a-squared Anti-Malware\a2service.exe (a-squared Service/Emsi Software GmbH) .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!CloseServiceHandle 77DB6CE5 6 Bytes JMP 5F100F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!OpenServiceW 77DB6FFD 6 Bytes JMP 5F220F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!StartServiceA 77DBFB58 6 Bytes JMP 5F250F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!StartServiceW 77DC3E94 6 Bytes JMP 5F280F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!ControlService 77DC4A09 6 Bytes JMP 5F130F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!OpenServiceA 77DC4C66 6 Bytes JMP 5F1F0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!LsaAddAccountRights 77DEABF1 6 Bytes JMP 5F2B0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!LsaRemoveAccountRights 77DEAC91 6 Bytes JMP 5F2E0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!ChangeServiceConfigA 77E06E69 6 Bytes JMP 5F040F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!ChangeServiceConfigW 77E07001 6 Bytes JMP 5F070F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!ChangeServiceConfig2A 77E07101 6 Bytes JMP 5F0A0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!ChangeServiceConfig2W 77E07189 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!ChangeServiceConfig2W + 4 77E0718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!CreateServiceA 77E07211 6 Bytes JMP 5F160F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!CreateServiceW 77E073A9 6 Bytes JMP 5F190F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] advapi32.dll!DeleteService 77E074B1 6 Bytes JMP 5F1C0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ole32.dll!CoCreateInstanceEx 774D0526 6 Bytes JMP 5F880F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ole32.dll!CoGetClassObject 774E56C5 6 Bytes JMP 5F850F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ole32.dll!CLSIDFromProgID 774E87F2 6 Bytes JMP 5F820F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] ole32.dll!CLSIDFromProgIDEx 7752620D 6 Bytes JMP 5F7F0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!sendto 71A12F51 6 Bytes JMP 5FC70F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!recvfrom 71A12FF7 6 Bytes JMP 5FC10F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!closesocket 71A13E2B 6 Bytes JMP 5FD90F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!connect 71A14A07 6 Bytes JMP 5FBB0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!send 71A14C27 6 Bytes JMP 5FC40F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!WSARecv 71A14CB5 6 Bytes JMP 5FCD0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!recv 71A1676F 6 Bytes JMP 5FBE0F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!WSASend 71A168FA 6 Bytes JMP 5FD30F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!WSARecvFrom 71A1F66A 6 Bytes JMP 5FD00F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!WSASendTo 71A20AAD 6 Bytes JMP 5FD60F5A .text C:\Programme\a-squared Anti-Malware\a2service.exe[2660] WS2_32.dll!WSAConnect 71A20C81 6 Bytes JMP 5FCA0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtClose 7C91CFEE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtClose + 4 7C91CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtCreateFile 7C91D0AE 1 Byte [FF] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtCreateFile 7C91D0AE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtCreateFile + 4 7C91D0B2 2 Bytes [65, 5F] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtCreateKey 7C91D0EE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtCreateKey + 4 7C91D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDeleteFile 7C91D23E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDeleteFile + 4 7C91D242 2 Bytes [68, 5F] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDeleteKey 7C91D24E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDeleteKey + 4 7C91D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDeleteValueKey 7C91D26E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDeleteValueKey + 4 7C91D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDuplicateObject 7C91D29E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtDuplicateObject + 4 7C91D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtEnumerateKey 7C91D2CE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtEnumerateKey + 4 7C91D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtEnumerateValueKey 7C91D2EE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtEnumerateValueKey + 4 7C91D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtLoadDriver 7C91D46E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtLoadDriver + 4 7C91D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtOpenFile 7C91D59E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtOpenFile + 4 7C91D5A2 2 Bytes [6B, 5F] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtQueryMultipleValueKey 7C91D86E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtQueryMultipleValueKey + 4 7C91D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtQueryValueKey 7C91D96E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtQueryValueKey + 4 7C91D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtReadFile 7C91D9CE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtReadFile + 4 7C91D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtSetContextThread 7C91DBAE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtSetContextThread + 4 7C91DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtSetInformationFile 7C91DC5E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtSetInformationFile + 4 7C91DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtSetValueKey 7C91DDCE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtSetValueKey + 4 7C91DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtUnloadKey 7C91DECE 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtUnloadKey + 4 7C91DED2 2 Bytes [62, 5F] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtWriteFile 7C91DF7E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtWriteFile + 4 7C91DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 3 Bytes [FF, 25, 1E] |
13.07.2009, 17:57 | #9 |
Ist mein System von Rootkits verseucht?! .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ntdll.dll!NtWriteVirtualMemory + 4 7C91DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CB0001 .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3E, 5F] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!CloseServiceHandle 77DB6CE5 6 Bytes JMP 5F100F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!OpenServiceW 77DB6FFD 6 Bytes JMP 5F220F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!StartServiceA 77DBFB58 6 Bytes JMP 5F250F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!StartServiceW 77DC3E94 6 Bytes JMP 5F280F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!ControlService 77DC4A09 6 Bytes JMP 5F130F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!OpenServiceA 77DC4C66 6 Bytes JMP 5F1F0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!LsaAddAccountRights 77DEABF1 6 Bytes JMP 5F2B0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!LsaRemoveAccountRights 77DEAC91 6 Bytes JMP 5F2E0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 6 Bytes JMP 5F040F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!ChangeServiceConfigW 77E07001 6 Bytes JMP 5F070F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 6 Bytes JMP 5F0A0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E0718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!CreateServiceA 77E07211 6 Bytes JMP 5F160F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!CreateServiceW 77E073A9 6 Bytes JMP 5F190F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ADVAPI32.dll!DeleteService 77E074B1 6 Bytes JMP 5F1C0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ole32.dll!CoCreateInstanceEx 774D0526 6 Bytes JMP 5F880F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ole32.dll!CoGetClassObject 774E56C5 6 Bytes JMP 5F850F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ole32.dll!CLSIDFromProgID 774E87F2 6 Bytes JMP 5F820F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] ole32.dll!CLSIDFromProgIDEx 7752620D 6 Bytes JMP 5F7F0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!sendto 71A12F51 6 Bytes JMP 5FC70F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!recvfrom 71A12FF7 6 Bytes JMP 5FC10F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!closesocket 71A13E2B 6 Bytes JMP 5FD90F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!connect 71A14A07 6 Bytes JMP 5FBB0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!send 71A14C27 6 Bytes JMP 5FC40F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!WSARecv 71A14CB5 6 Bytes JMP 5FCD0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!recv 71A1676F 6 Bytes JMP 5FBE0F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!WSASend 71A168FA 6 Bytes JMP 5FD30F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!WSARecvFrom 71A1F66A 6 Bytes JMP 5FD00F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!WSASendTo 71A20AAD 6 Bytes JMP 5FD60F5A .text C:\Programme\System Control Manager\MGSysCtrl.exe[3060] WS2_32.dll!WSAConnect 71A20C81 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!sendto 71A12F51 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!recvfrom 71A12FF7 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!closesocket 71A13E2B 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!connect 71A14A07 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!send 71A14C27 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!WSARecv 71A14CB5 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!recv 71A1676F 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!WSASend 71A168FA 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!WSARecvFrom 71A1F66A 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!WSASendTo 71A20AAD 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3096] WS2_32.dll!WSAConnect 71A20C81 6 Bytes JMP 5F130F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtClose 7C91CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtClose + 4 7C91CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtCreateFile 7C91D0AE 1 Byte [FF] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtCreateFile 7C91D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtCreateFile + 4 7C91D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtCreateKey 7C91D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtCreateKey + 4 7C91D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDeleteFile 7C91D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDeleteFile + 4 7C91D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDeleteKey 7C91D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDeleteKey + 4 7C91D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDeleteValueKey 7C91D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDeleteValueKey + 4 7C91D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDuplicateObject 7C91D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtDuplicateObject + 4 7C91D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtEnumerateKey 7C91D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtEnumerateKey + 4 7C91D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtEnumerateValueKey 7C91D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtEnumerateValueKey + 4 7C91D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtLoadDriver 7C91D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtLoadDriver + 4 7C91D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtOpenFile 7C91D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtOpenFile + 4 7C91D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtQueryMultipleValueKey 7C91D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtQueryMultipleValueKey + 4 7C91D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtQueryValueKey 7C91D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtQueryValueKey + 4 7C91D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtReadFile 7C91D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtReadFile + 4 7C91D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtSetContextThread 7C91DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtSetContextThread + 4 7C91DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtSetInformationFile 7C91DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtSetInformationFile + 4 7C91DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtSetValueKey 7C91DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtSetValueKey + 4 7C91DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtUnloadKey 7C91DECE 3 Bytes [FF, 25, 1E] |
13.07.2009, 18:00 | #10 |
Ist mein System von Rootkits verseucht?! Continue GMER log .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtUnloadKey + 4 7C91DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtWriteFile 7C91DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtWriteFile + 4 7C91DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ntdll.dll!NtWriteVirtualMemory + 4 7C91DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01370001 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [62, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!CloseServiceHandle 77DB6CE5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!OpenServiceW 77DB6FFD 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!StartServiceA 77DBFB58 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!StartServiceW 77DC3E94 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!ControlService 77DC4A09 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!OpenServiceA 77DC4C66 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!LsaAddAccountRights 77DEABF1 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!LsaRemoveAccountRights 77DEAC91 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!ChangeServiceConfigW 77E07001 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E0718D 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!CreateServiceA 77E07211 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!CreateServiceW 77E073A9 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ADVAPI32.dll!DeleteService 77E074B1 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ole32.dll!CLSIDFromProgID 774E87F2 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] ole32.dll!CLSIDFromProgIDEx 7752620D 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FD00F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [CB, 5F] {RETF ; POP EDI} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FBB0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [B9, 5F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FBE0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!sendto 71A12F51 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!recvfrom 71A12FF7 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!closesocket 71A13E2B 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!connect 71A14A07 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!send 71A14C27 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!WSARecv 71A14CB5 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!recv 71A1676F 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!WSASend 71A168FA 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!WSARecvFrom 71A1F66A 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!WSASendTo 71A20AAD 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3192] WS2_32.dll!WSAConnect 71A20C81 6 Bytes JMP 5F130F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtClose 7C91CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtClose + 4 7C91CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtCreateFile 7C91D0AE 1 Byte [FF] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtCreateFile 7C91D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtCreateFile + 4 7C91D0B2 2 Bytes [65, 5F] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtCreateKey 7C91D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtCreateKey + 4 7C91D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDeleteFile 7C91D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDeleteFile + 4 7C91D242 2 Bytes [68, 5F] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDeleteKey 7C91D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDeleteKey + 4 7C91D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDeleteValueKey 7C91D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDeleteValueKey + 4 7C91D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDuplicateObject 7C91D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtDuplicateObject + 4 7C91D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtEnumerateKey 7C91D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtEnumerateKey + 4 7C91D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtEnumerateValueKey 7C91D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtEnumerateValueKey + 4 7C91D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtLoadDriver 7C91D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtLoadDriver + 4 7C91D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtOpenFile 7C91D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtOpenFile + 4 7C91D5A2 2 Bytes [6B, 5F] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtQueryMultipleValueKey 7C91D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtQueryMultipleValueKey + 4 7C91D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtQueryValueKey 7C91D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtQueryValueKey + 4 7C91D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtReadFile 7C91D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtReadFile + 4 7C91D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtSetContextThread 7C91DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtSetContextThread + 4 7C91DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtSetInformationFile 7C91DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtSetInformationFile + 4 7C91DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtSetValueKey 7C91DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtSetValueKey + 4 7C91DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtUnloadKey 7C91DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtUnloadKey + 4 7C91DED2 2 Bytes [62, 5F] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtWriteFile 7C91DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtWriteFile + 4 7C91DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ntdll.dll!NtWriteVirtualMemory + 4 7C91DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04940001 .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3E, 5F] .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!CloseServiceHandle 77DB6CE5 6 Bytes JMP 5F100F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!OpenServiceW 77DB6FFD 6 Bytes JMP 5F220F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!StartServiceA 77DBFB58 6 Bytes JMP 5F250F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!StartServiceW 77DC3E94 6 Bytes JMP 5F280F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!ControlService 77DC4A09 6 Bytes JMP 5F130F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!OpenServiceA 77DC4C66 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!LsaAddAccountRights 77DEABF1 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!LsaRemoveAccountRights |
13.07.2009, 18:01 | #11 |
Ist mein System von Rootkits verseucht?! Continue GMER log .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!ChangeServiceConfigA 77E06E69 6 Bytes JMP 5F040F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!ChangeServiceConfigW 77E07001 6 Bytes JMP 5F070F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!ChangeServiceConfig2A 77E07101 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!ChangeServiceConfig2W 77E07189 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E0718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!CreateServiceA 77E07211 6 Bytes JMP 5F160F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!CreateServiceW 77E073A9 6 Bytes JMP 5F190F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ADVAPI32.dll!DeleteService 77E074B1 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ole32.dll!CoCreateInstanceEx 774D0526 6 Bytes JMP 5F880F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ole32.dll!CoGetClassObject 774E56C5 6 Bytes JMP 5F850F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ole32.dll!CLSIDFromProgID 774E87F2 6 Bytes JMP 5F820F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] ole32.dll!CLSIDFromProgIDEx 7752620D 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[3224] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.) AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.) AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.) AttachedDevice \FileSystem\Ntfs \Ntfs av5flt.sys AttachedDevice \Driver\Tcpip \Device\Ip NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.) AttachedDevice \Driver\Tcpip \Device\Tcp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.) AttachedDevice \Driver\Tcpip \Device\Udp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.) AttachedDevice \Driver\Tcpip \Device\RawIp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.) Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation) Device ShlDrv51.sys (PandaShield driver/Panda Security, S.L.) Device A89EA7B4 Device A8A05631 AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.) AttachedDevice pavdrv51.sys (Antivirus Filter Driver for Windows XP/2003 x86/Panda Security, S.L.) AttachedDevice av5flt.sys ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0021857d3494 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002185846bce Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0021857d3494 Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002185846bce Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@r!s!t!d!m!d!r!r!t!{!\24!{!r!{!c!i! 19583823 ---- EOF - GMER 1.0.15 ---- Puh das war dann alles dieser GMER log war ewig lang, hoffe ihr blickt da durch. |
Themen zu Ist mein System von Rootkits verseucht?! |
assembly, bho, dll, einstellungen, explorer, firefox, firewall, handel, helper, hijack, hijackthis, home, internet, internet explorer, internet security, iobit, log, microsoft, mozilla, plug-in, prefetch, programm, programme, rootkit, rundll, secrets, secunia, security, software, spyware, system, system volume information, systemcare, temp, windows\temp |