TR/Crypt.ZPACK.Gen

PsioNic · 03.10.2009, 00:24

........

GMER 1.0.15.15087 - GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-03 01:58:07
Windows 6.0.6000
Running: eytjjhs9.exe; Driver: C:\Users\User\AppData\Local\Temp\kxtdapob.sys

---- System - GMER 1.0.15 ----

SSDT 8C23487C ZwCreateThread
SSDT 8C234868 ZwOpenProcess
SSDT 8C23486D ZwOpenThread
SSDT 8C234877 ZwTerminateProcess
SSDT 8C234872 ZwWriteVirtualMemory

INT 0x81 ? 83A84BF8
INT 0x82 ? 85297BF8
INT 0x82 ? 85297BF8
INT 0x91 ? 83A84BF8
INT 0x92 ? 85297BF8
INT 0x92 ? 85297BF8
INT 0xA1 ? 83A84BF8
INT 0xA2 ? 85297BF8
INT 0xB2 ? 85297BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\sphl.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 8B03EFEB 5 Bytes JMP 852971D8
.text agyoaf3y.SYS 8B842000 22 Bytes [1A, 72, FA, 81, 04, 71, FA, ...]
.text agyoaf3y.SYS 8B842017 137 Bytes [00, 99, 07, 48, 80, A4, 05, ...]
.text agyoaf3y.SYS 8B8420A1 43 Bytes [36, C8, 81, 90, E0, C7, 81, ...]
.text agyoaf3y.SYS 8B8420CE 10 Bytes [00, 00, 00, 00, 00, 00, 6A, ...]
.text agyoaf3y.SYS 8B8420DA 12 Bytes [00, 00, 02, 00, 00, 00, 25, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [807026D2] \SystemRoot\System32\Drivers\sphl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80702040] \SystemRoot\System32\Drivers\sphl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [807027FC] \SystemRoot\System32\Drivers\sphl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [807020BE] \SystemRoot\System32\Drivers\sphl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8070213C] \SystemRoot\System32\Drivers\sphl.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80712048] \SystemRoot\System32\Drivers\sphl.sys
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortNotification] CC000CC2
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortWritePortUchar] 83EC8B55
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortWritePortUlong] 575320EC
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 458DFF33
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 8D5750FC
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5750F845
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortReadPortUchar] 8957046A
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortStallExecution] 75E8FC7D
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortGetParentBusType] BB0001E8
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortRequestCallback] 000000EA
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 850FC33B
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0000012B
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortCompleteRequest] 0FFC7D39
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 00012284
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 458D5600
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortMoveMemory] 106A50F4
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortReadPortUshort] 38335668
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortReadPortBufferUshort] FC75FF36
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] D1E85757
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortInitialize] 8B0001E7
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortGetDeviceBase] 1BDEF7F0
IAT \SystemRoot\System32\Drivers\agyoaf3y.SYS[ataport.SYS!AtaPortDeviceStateChange] 23D6F7F6

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 844151F8
Device \FileSystem\fastfat \FatCdrom 85ECB458

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 83A861F8
Device \Driver\usbohci \Device\USBPDO-0 854061F8
Device \Driver\usbohci \Device\USBPDO-1 854061F8
Device \Driver\usbohci \Device\USBPDO-2 854061F8
Device \Driver\usbohci \Device\USBPDO-3 854061F8
Device \Driver\usbohci \Device\USBPDO-4 854061F8
Device \Driver\usbehci \Device\USBPDO-5 854091F8
Device \Driver\volmgr \Device\HarddiskVolume1 83A861F8
Device \Driver\volmgr \Device\HarddiskVolume2 83A861F8
Device \Driver\cdrom \Device\CdRom0 854071F8
Device \Driver\volmgr \Device\HarddiskVolume3 83A861F8
Device \Driver\cdrom \Device\CdRom1 854071F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 844141F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 844141F8
Device \Driver\atapi \Device\Ide\IdePort0 844141F8
Device \Driver\atapi \Device\Ide\IdePort1 844141F8
Device \Driver\atapi \Device\Ide\IdePort2 844141F8
Device \Driver\atapi \Device\Ide\IdePort3 844141F8
Device \Driver\USBSTOR \Device\00000066 85E5C1F8
Device \Driver\volmgr \Device\HarddiskVolume4 83A861F8
Device \Driver\USBSTOR \Device\00000067 85E5C1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 85D951F8
Device \Driver\PCI_PNP3782 \Device\0000004b sphl.sys
Device \Driver\Smb \Device\NetbiosSmb 85DF5448
Device \Driver\netbt \Device\NetBT_Tcpip_{D0D7F228-D322-4CBC-9B52-57C215872FB4} 85D951F8
Device \Driver\iScsiPrt \Device\RaidPort0 8543B1F8
Device \Driver\usbohci \Device\USBFDO-0 854061F8
Device \Driver\usbohci \Device\USBFDO-1 854061F8
Device \Driver\usbohci \Device\USBFDO-2 854061F8
Device \Driver\usbohci \Device\USBFDO-3 854061F8
Device \Driver\usbohci \Device\USBFDO-4 854061F8
Device \Driver\usbehci \Device\USBFDO-5 854091F8
Device \Driver\sptd \Device\1478027806 sphl.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{EE98BCE5-14D6-47C2-AEFA-77D672BEB98D} 85D951F8
Device \Driver\agyoaf3y \Device\Scsi\agyoaf3y1 854171F8
Device \Driver\agyoaf3y \Device\Scsi\agyoaf3y1Port5Path0Target0Lun0 854171F8
Device \FileSystem\fastfat \Fat 85ECB458

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 867691F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027875abd1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCE 0x69 0x23 0x8E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x61 0x3E 0x83 0x82 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0xAD 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00027875abd1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCE 0x69 0x23 0x8E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x61 0x3E 0x83 0x82 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0xAD 0xBE 0x20 ...

---- EOF - GMER 1.0.15 ----

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

---------------------------------------------------------------------------------

So, ich hoffe, dass sieht nun etwas besser aus! Wie kann ich nun weiter vogehn? Dennoch, die weiteren Punkte der Wiederherstellung durchgehen, d.h. "Dritter Schritt - Systemabsicherung" mit Auto-Updates, eingeschränkte Benutzerkonten etc.?
Oder sollte ich doch eine RICHTIGE Wiederherstellung durchführen, also nicht mit Recovery?

Vielen lieben Dank nochmals!

PsioNic

Kos · 03.10.2009, 10:05

Hi

Sorry, ich kann mir das Ganze erst heute Abend ansehen, muss gleich weg.
Stand by.

Gruß
Kos

Kos · 03.10.2009, 22:03

Zitat:

G:\Music\Ollies Zeug\skylife\Keygen.exe (Worm.Brontok) -> Quarantined and deleted successfully.

Damit haben wir es schwarz auf gelb,den Gepflogenheiten dieses Forums folgend, ist hier meine letzte Anleitung an dich:

Anleitung: Neuaufsetzen des Systems + Absicherung

Wir sind fertig

Gruß
Kos

TR/Crypt.ZPACK.Gen

Log-Analyse und Auswertung: TR/Crypt.ZPACK.Gen