Antivirus, firewall and other protection programs: Malwarebytes vs. Adaware? (Windows 7)
11.11.2009, 14:54 | #16
Regarding the logs: these are all the logs now, RSIT unfortunately only in parts because it was too big. I'm amazed that someone takes the trouble to help a stranger to such an extent. Evaluating these logs, which are largely incomprehensible to me, must take you quite some time? All the more: many thanks for wanting to get to the bottom of this problem, which I would never have recognised myself!
11.11.2009, 15:11 | #18
RootRepeal log:
ATTFilter ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2009/11/11 15:09 Program Version: Version 1.3.5.0 Windows Version: Windows XP Media Center Edition SP3 ================================================== Drivers ------------------- Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xB5003000 Size: 49152 File Visible: No Signed: - Status: - Name: SYMEFA.SYS Image Path: SYMEFA.SYS Address: 0xF73C4000 Size: 323584 File Visible: No Signed: - Status: - SSDT ------------------- #: 002 Function Name: NtAccessCheckAndAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0f35 #: 003 Function Name: NtAccessCheckByType Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dac47 #: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0fbc #: 005 Function Name: NtAccessCheckByTypeResultList Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063fcc4 #: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80641e55 #: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80641e9e #: 009 Function Name: NtAddBootEntry Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf #: 010 Function Name: NtAdjustGroupsToken Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063f483 #: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0787 #: 012 Function Name: NtAlertResumeThread Status: Hooked by "<unknown>" at address 0x86d0c650 #: 013 Function Name: NtAlertThread Status: Hooked by "<unknown>" at address 0x86d0c710 #: 014 Function Name: NtAllocateLocallyUniqueId Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 
0x805df8e8 #: 015 Function Name: NtAllocateUserPhysicalPages Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062e442 #: 016 Function Name: NtAllocateUuids Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d8781 #: 017 Function Name: NtAllocateVirtualMemory Status: Hooked by "<unknown>" at address 0x85f6a890 #: 018 Function Name: NtAreMappedFilesTheSame Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e7258 #: 019 Function Name: NtAssignProcessToJobObject Status: Hooked by "<unknown>" at address 0x85fddce0 #: 021 Function Name: NtCancelDeviceWakeupRequest Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb9b #: 022 Function Name: NtCancelIoFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cc537 #: 026 Function Name: NtCloseObjectAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0b65 #: 027 Function Name: NtCompactKeys Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80655cf4 #: 028 Function Name: NtCompareTokens Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dfff3 #: 030 Function Name: NtCompressKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80655f61 #: 031 Function Name: NtConnectPort Status: Hooked by "<unknown>" at address 0x86e4bfb0 #: 033 Function Name: NtCreateDebugObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80661378 #: 036 Function Name: NtCreateEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650200 #: 038 Function Name: NtCreateIoCompletion Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805da662 #: 039 Function Name: NtCreateJobObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d5cd6 #: 040 Function Name: NtCreateJobSet Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80637c43 #: 041 Function Name: NtCreateKey Status: Hooked by 
"C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293130 #: 042 Function Name: NtCreateMailslotFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d6e7f #: 043 Function Name: NtCreateMutant Status: Hooked by "<unknown>" at address 0x85fc2b28 #: 045 Function Name: NtCreatePagingFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b4823 #: 049 Function Name: NtCreateProfile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650837 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "<unknown>" at address 0x85f63650 #: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0x85fefed8 #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "<unknown>" at address 0x86c76e68 #: 058 Function Name: NtDebugContinue Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8066264b #: 059 Function Name: NtDelayExecution Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056eb07 #: 060 Function Name: NtDeleteAtom Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dcc8b #: 061 Function Name: NtDeleteBootEntry Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb9b #: 062 Function Name: NtDeleteFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d54ac #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf42933b0 #: 064 Function Name: NtDeleteObjectAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80641ef5 #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293910 #: 067 Function Name: NtDisplayString Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b5cd8 #: 068 Function Name: NtDuplicateObject Status: Hooked by "<unknown>" at address 0x85fe7630 #: 070 Function Name: NtEnumerateBootEntries Status: Hooked by 
"C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf #: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb87 #: 074 Function Name: NtExtendSection Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062d3f9 #: 075 Function Name: NtFilterToken Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ce473 #: 076 Function Name: NtFindAtom Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e26f2 #: 079 Function Name: NtFlushKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d93bb #: 080 Function Name: NtFlushVirtualMemory Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e8ab6 #: 081 Function Name: NtFlushWriteBuffer Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062eca1 #: 082 Function Name: NtFreeUserPhysicalPages Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062e7f7 #: 083 Function Name: NtFreeVirtualMemory Status: Hooked by "<unknown>" at address 0x86c765c0 #: 085 Function Name: NtGetContextThread Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80635721 #: 086 Function Name: NtGetDevicePowerState Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633bf7 #: 089 Function Name: NtImpersonateAnonymousToken Status: Hooked by "<unknown>" at address 0x85efcd50 #: 090 Function Name: NtImpersonateClientOfPort Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dfd66 #: 091 Function Name: NtImpersonateThread Status: Hooked by "<unknown>" at address 0x86d0c5d0 #: 093 Function Name: NtInitiatePowerAction Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806339c3 #: 094 Function Name: NtIsProcessInJob Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80637af7 #: 095 Function Name: NtIsSystemResumeAutomatic Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633bde #: 097 
Function Name: NtLoadDriver Status: Hooked by "<unknown>" at address 0x86b83200 #: 098 Function Name: NtLoadKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ce7e5 #: 099 Function Name: NtLoadKey2 Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ce944 #: 100 Function Name: NtLockFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dd058 #: 101 Function Name: NtLockProductActivationKeys Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cdce7 #: 102 Function Name: NtLockRegistryKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805c7155 #: 104 Function Name: NtMakePermanentObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e704c #: 105 Function Name: NtMakeTemporaryObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e7113 #: 106 Function Name: NtMapUserPhysicalPages Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062da9e #: 107 Function Name: NtMapUserPhysicalPagesScatter Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062def7 #: 108 Function Name: NtMapViewOfSection Status: Hooked by "<unknown>" at address 0x86c764e0 #: 109 Function Name: NtModifyBootEntry Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb9b #: 110 Function Name: NtNotifyChangeDirectoryFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dd2ef #: 111 Function Name: NtNotifyChangeKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e218f #: 112 Function Name: NtNotifyChangeMultipleKeys Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e1fa1 #: 114 Function Name: NtOpenEvent Status: Hooked by "<unknown>" at address 0x85fc2a68 #: 115 Function Name: NtOpenEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806502f3 #: 117 Function Name: NtOpenIoCompletion Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at 
address 0x806210b3 #: 118 Function Name: NtOpenJobObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80637e9b #: 121 Function Name: NtOpenObjectAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e9252 #: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0x85fe7a90 #: 123 Function Name: NtOpenProcessToken Status: Hooked by "<unknown>" at address 0x85f6a960 #: 125 Function Name: NtOpenSection Status: Hooked by "<unknown>" at address 0x85fd2d90 #: 126 Function Name: NtOpenSemaphore Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e71ca #: 128 Function Name: NtOpenThread Status: Hooked by "<unknown>" at address 0x85fe7700 #: 131 Function Name: NtOpenTimer Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650129 #: 135 Function Name: NtPrivilegeObjectAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d88c7 #: 136 Function Name: NtPrivilegedServiceAuditAlarm Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cd91a #: 137 Function Name: NtProtectVirtualMemory Status: Hooked by "<unknown>" at address 0x85fddbf0 #: 140 Function Name: NtQueryBootEntryOrder Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf #: 141 Function Name: NtQueryBootOptions Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf #: 147 Function Name: NtQueryEaFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621300 #: 153 Function Name: NtQueryInformationPort Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062b0a5 #: 158 Function Name: NtQueryIntervalProfile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650ce7 #: 159 Function Name: NtQueryIoCompletion Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621174 #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 
0x806556d8 #: 162 Function Name: NtQueryMutant Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065066c #: 164 Function Name: NtQueryOpenSubKeys Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806558e1 #: 166 Function Name: NtQueryQuotaInformationFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621bb7 #: 168 Function Name: NtQuerySecurityObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d9eab #: 169 Function Name: NtQuerySemaphore Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f459 #: 171 Function Name: NtQuerySystemEnvironmentValue Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbd7 #: 172 Function Name: NtQuerySystemEnvironmentValueEx Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb73 #: 175 Function Name: NtQueryTimer Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e3c32 #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e3b8d #: 182 Function Name: NtRaiseHardError Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f195 #: 184 Function Name: NtReadFileScatter Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062248f #: 185 Function Name: NtReadRequestData Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e050e #: 188 Function Name: NtReleaseMutant Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056eb72 #: 191 Function Name: NtRemoveProcessDebug Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806625c6 #: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80655b56 #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806564b2 #: 197 Function Name: NtReplyWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062b184 #: 198 
Function Name: NtRequestDeviceWakeup Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633b6b #: 199 Function Name: NtRequestPort Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e94d0 #: 201 Function Name: NtRequestWakeupLatency Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633964 #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80656049 #: 205 Function Name: NtResumeProcess Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063773a #: 206 Function Name: NtResumeThread Status: Hooked by "<unknown>" at address 0x8600c7d8 #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065614a #: 208 Function Name: NtSaveKeyEx Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80656235 #: 209 Function Name: NtSaveMergedKeys Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80656362 #: 211 Function Name: NtSetBootEntryOrder Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf #: 212 Function Name: NtSetBootOptions Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf #: 213 Function Name: NtSetContextThread Status: Hooked by "<unknown>" at address 0x85f81758 #: 214 Function Name: NtSetDebugFilterState Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80663fa8 #: 216 Function Name: NtSetDefaultLocale Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d6343 #: 217 Function Name: NtSetDefaultUILanguage Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d62ea #: 218 Function Name: NtSetEaFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621847 #: 221 Function Name: NtSetHighEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806505f3 #: 222 Function Name: NtSetHighWaitLowEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at 
address 0x80650513 #: 223 Function Name: NtSetInformationDebugObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80661f67 #: 225 Function Name: NtSetInformationJobObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d5e2a #: 226 Function Name: NtSetInformationKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065523b #: 228 Function Name: NtSetInformationProcess Status: Hooked by "<unknown>" at address 0x85f953b0 #: 231 Function Name: NtSetIntervalProfile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650813 #: 233 Function Name: NtSetLdtEntries Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80636653 #: 234 Function Name: NtSetLowEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650587 #: 235 Function Name: NtSetLowWaitHighEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065049f #: 236 Function Name: NtSetQuotaInformationFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621b8f #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d9cac #: 238 Function Name: NtSetSystemEnvironmentValue Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fe74 #: 239 Function Name: NtSetSystemEnvironmentValueEx Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb73 #: 240 Function Name: NtSetSystemInformation Status: Hooked by "<unknown>" at address 0x86c76fd0 #: 242 Function Name: NtSetSystemTime Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ee49 #: 243 Function Name: NtSetThreadExecutionState Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805eb0b7 #: 245 Function Name: NtSetTimerResolution Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805eb37e #: 246 Function Name: NtSetUuidSeed Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 
0x805cdac6 #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293b60 #: 248 Function Name: NtSetVolumeInformationFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806220cd #: 249 Function Name: NtShutdownSystem Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e597 #: 251 Function Name: NtStartProfile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650a7e #: 252 Function Name: NtStopProfile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650c37 #: 253 Function Name: NtSuspendProcess Status: Hooked by "<unknown>" at address 0x85fc2988 #: 254 Function Name: NtSuspendThread Status: Hooked by "<unknown>" at address 0x85f815d8 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650d97 #: 256 Function Name: NtTerminateJobObject Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063800d #: 257 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0x85fe7ba8 #: 258 Function Name: NtTerminateThread Status: Hooked by "<unknown>" at address 0x85f81698 #: 261 Function Name: NtTranslateFilePath Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbc3 #: 262 Function Name: NtUnloadDriver Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80624780 #: 263 Function Name: NtUnloadKey Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80654db2 #: 264 Function Name: NtUnloadKeyEx Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80654fdb #: 265 Function Name: NtUnlockFile Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dd1b8 #: 266 Function Name: NtUnlockVirtualMemory Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062ed15 #: 267 Function Name: NtUnmapViewOfSection Status: Hooked by "<unknown>" at address 0x85f95480 #: 269 Function Name: 
NtWaitForDebugEvent Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80661cb2 #: 270 Function Name: NtWaitForMultipleObjects Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056ec4d #: 272 Function Name: NtWaitHighEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650433 #: 273 Function Name: NtWaitLowEventPair Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806503c7 #: 275 Function Name: NtWriteFileGather Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cc824 #: 276 Function Name: NtWriteRequestData Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0592 #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "<unknown>" at address 0x86c76690 #: 279 Function Name: NtCreateKeyedEvent Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805c291a #: 281 Function Name: NtReleaseKeyedEvent Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065120b #: 282 Function Name: NtWaitForKeyedEvent Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80651476 #: 283 Function Name: NtQueryPortInformationProcess Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80634f55 Shadow SSDT ------------------- #: 307 Function Name: NtUserAttachThreadInput Status: Hooked by "<unknown>" at address 0x85fcfd00 #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "<unknown>" at address 0x86a5b560 #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "<unknown>" at address 0x86a3a050 #: 416 Function Name: NtUserGetKeyState Status: Hooked by "<unknown>" at address 0x86a8e050 #: 428 Function Name: NtUserGetRawInputData Status: Hooked by "<unknown>" at address 0x86b7e4a0 #: 460 Function Name: NtUserMessageCall Status: Hooked by "<unknown>" at address 0x86b86350 #: 475 Function Name: NtUserPostMessage Status: Hooked by "<unknown>" at address 0x86a42240 #: 476 Function Name: NtUserPostThreadMessage 
Status: Hooked by "<unknown>" at address 0x86bb98e8 #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "<unknown>" at address 0x86c99a30 #: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "<unknown>" at address 0x86de8608 ==EOF==
11.11.2009, 15:12 | #19
Malwarebytes vs. Adaware? SystemLook log follows after the restart!
11.11.2009, 15:27 | #20
SystemLook log:
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:19 on 11/11/2009 by Alex (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [10:13 01/04/2009] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ -ra--- 49558 bytes [14:20 16/03/2006] [12:00 10/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [22:59 03/08/2004] [18:40 13/04/2008] 96522988E7AE6BC2311BAAD4C84EC299
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 95360 bytes [16:20 16/03/2006] [12:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--- 95360 bytes [16:20 16/03/2006] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
11.11.2009, 15:32 | #21
/// Selecta Jahrusso | Malwarebytes vs. Adaware? Okay, rootkit infection. What speaks against a fresh install?
11.11.2009, 15:35 | #22
Reinstalling: No, there is nothing against it as such; I'm already toying with the idea anyway, because my Sony Vaio is quite slow by now. So far I have always used the recovery utility that comes with it. Is the "recovery" the same as a fresh install, or should I format completely? Maybe after about 5 years I'll get myself a new laptop; then I'd like to give this Vaio, which is otherwise still quite good, to my father as a second computer, virus-free if possible. So I won't get around reinstalling, whether by recovery or by formatting (?). Do you see what dangers this rootkit poses? Is there no tool that could remove it? Thanks, thanks, thanks!!! Last edited by nyrk (11.11.2009 at 15:48)
11.11.2009, 15:47 | #23
/// Selecta Jahrusso | Malwarebytes vs. Adaware? Yes, I can remove it. But formatting would be safer.
__________________
Regards, Daniel. ASAP & UNITE Member (Alliance of Security Analysis Professionals; Unified Network of Instructors and Trusted Eliminators). Learn to fight back and support us! TB Akademie
11.11.2009, 15:51 | #24
Malwarebytes vs. Adaware? OK, then I'll do that ASAP! Is there a reliable way to protect oneself against such rootkits? My AV didn't notice it, and neither did Malwarebytes. Who knows how long I've been carrying this around. Thanks for your help. What do I owe you?
11.11.2009, 15:57 | #25
/// Selecta Jahrusso | Malwarebytes vs. Adaware? So, Format C:. What you owe me? 10000000000 €. Nothing, of course. Protection against such things starts with surfing with a bit of brain. Don't always click on everything that says "click me".
11.11.2009, 17:46 | #26
Malwarebytes vs. Adaware? Thanks, Larusso! I've now already made a backup of most of my data and will then format. I'd be interested in how you recognised the rootkits? Among other things, because certain processes are hooked by "unknown"? I'd also like to acquire a profound understanding of these things, for self-protection, but also to be able to help others (first of all among friends and family) when needed. Where did you get your knowledge of malware? Simply "learning by doing"? Books, websites? I don't speak any programming language, nor do I understand what lies behind the applications, but I spend quite a lot of time at the computer and help others here and there with (obviously far less serious) little problems. That I might have surfed carelessly and caught something surprises me, because as far as I know I never visit sites or follow links that I don't know at all. But to judge that "knowing" it probably takes more than the layman's knowledge of a heavy user who is not a heavy knower. :P I'd be glad if you could nudge me, without much effort on your part, onto a "path of enlightenment". Kind regards from Vienna, Alex
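As an added illustration, not part of the original thread and not the helper's own method: the two things a reader can check in the logs posted above can be checked mechanically. The script below parses RootRepeal's SSDT/Shadow SSDT entries and lists those hooked by "<unknown>", and parses SystemLook's filefind output to find copies of the same driver that have the same byte size but different MD5 values. The sample lines are copied from the RootRepeal and SystemLook logs in this thread; the regular expressions, function names and the "same name, same size, different hash" rule are my own assumptions and are not part of either tool.

```python
import re
from collections import defaultdict

# Constructed samples for this example; the lines are copied from the
# RootRepeal and SystemLook logs posted earlier in this thread.
ROOTREPEAL_SAMPLE = r'''
#: 003 Function Name: NtAccessCheckByType Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dac47
#: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293130
#: 108 Function Name: NtMapViewOfSection Status: Hooked by "<unknown>" at address 0x86c764e0
#: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0x85fe7a90
#: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "<unknown>" at address 0x86a5b560
'''

SYSTEMLOOK_SAMPLE = r'''
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [10:13 01/04/2009] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ -ra--- 49558 bytes [14:20 16/03/2006] [12:00 10/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [22:59 03/08/2004] [18:40 13/04/2008] 96522988E7AE6BC2311BAAD4C84EC299
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 95360 bytes [16:20 16/03/2006] [12:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--- 95360 bytes [16:20 16/03/2006] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
'''

# Whitespace is matched with \s+ so the same regexes work on RootRepeal's
# one-field-per-line output and on a paste that was flattened onto one line.
HOOK_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<function>\S+)\s+'
    r'Status:\s*Hooked by\s*"(?P<hooker>[^"]+)"\s+at address\s*(?P<address>0x[0-9a-fA-F]+)'
)
FILEFIND_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\\S+)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+)\s+bytes\s+'
    r'\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})'
)


def parse_ssdt_hooks(text):
    """One dict per SSDT / Shadow SSDT entry that RootRepeal reports as hooked."""
    return [m.groupdict() for m in HOOK_RE.finditer(text)]


def unknown_hooks(text):
    """Entries whose hooking module RootRepeal could not attribute ("<unknown>").

    A security driver (SYMEVENT.SYS here) or a replacement kernel (TUKERNEL.EXE)
    hooks under its own file name. A hook pointing into memory that belongs to no
    visible module is the pattern that needs an explanation before the machine
    is trusted again.
    """
    return [h for h in parse_ssdt_hooks(text) if h["hooker"] == "<unknown>"]


def parse_filefind(text):
    """One dict per file line in a SystemLook filefind section."""
    out = []
    for m in FILEFIND_RE.finditer(text):
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        d["md5"] = d["md5"].upper()
        out.append(d)
    return out


def hash_conflicts(text):
    """Copies sharing a file name and byte size whose MD5 values disagree.

    Same name and size but different content means at least one copy was
    modified; which one is bad has to be settled against a known-good
    reference, which a filefind listing alone does not provide.
    """
    groups = defaultdict(list)
    for f in parse_filefind(text):
        groups[(f["name"], f["size"])].append(f)
    conflicts = []
    for (name, size), copies in sorted(groups.items()):
        hashes = sorted({c["md5"] for c in copies})
        if len(hashes) > 1:
            conflicts.append({"name": name, "size": size, "hashes": hashes,
                              "paths": [c["path"] for c in copies]})
    return conflicts


if __name__ == "__main__":
    for h in unknown_hooks(ROOTREPEAL_SAMPLE):
        print(f'SSDT #{h["index"]} {h["function"]} hooked by {h["hooker"]} at {h["address"]}')
    for c in hash_conflicts(SYSTEMLOOK_SAMPLE):
        print(f'{c["name"]} ({c["size"]} bytes) has {len(c["hashes"])} different MD5 values:')
        for p in c["paths"]:
            print("   ", p)
```

Run as is, the script lists the three "<unknown>" hooks from the sample and one atapi.sys conflict: the copy in system32\drivers and the ServicePackFiles backup are both 96512 bytes but hash differently. The conflict rule only says that the two copies cannot both be the untouched service-pack file; deciding which one to trust requires comparing each hash against a known-good reference, which this thread does not contain.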
11.11.2009, 23:33 | #27
/// Selecta Jahrusso | Malwarebytes vs. Adaware? Hello Alex. Helping with malware problems can be learned. There are dedicated "schools" for it, but that takes a lot of time and, above all, the will to learn it. That's not easy. Prior experience with a PC is an advantage but not a requirement; I started when I had been dealing with a PC for two days. English-language schools are preferable (UNITE), but there is also a German-language school: HijackThis.de. Please be aware of one thing (and all other readers too): it requires a great deal of time and patience. If you already know now that your free time is fully booked, I ask you not to apply.