Log Analysis and Evaluation: Google redirect -> rootkit? (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
08.12.2009, 10:54 | #1
Google redirect -> rootkit?
Hello, when I open Google links I am very often taken to other sites. I searched around a bit, and what I read did not sound good. But to be on the safe side I would rather post. I have already run CCleaner and cleaned everything up, Malwarebytes Anti-Malware (no findings), and AVG (no findings). OS: Win 7. If any information is still missing, just say so and I will post it. Unfortunately RSIT does not run under Win 7. Many thanks! Dosenfisch. Here is my HijackThis log: Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:00, on 08.12.2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GR469A~1.DLL
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msxmlsysgfx] rundll32.exe "C:\Users\Jonas\AppData\Local\msxmlsysgfx\msxmlsysgfx.dll", DllInit
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: BID Link Explorer: Öffne aktuelle Seite - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
O8 - Extra context menu item: BID: Link in Queue einreihen - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: BID: Seite in &Queue einreihen - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: BID: Öffne aktuelle Seite - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: BID: Öffne diesen &Link - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Download aller Links mit IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV-Videoinhalt mit IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download mit IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ShrewSoft DNS Proxy Daemon (dtpd) - Unknown owner - C:\Program Files\ShrewSoft\VPN Client\dtpd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ShrewSoft IKE Daemon (iked) - Unknown owner - C:\Program Files\ShrewSoft\VPN Client\iked.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ShrewSoft IPSEC Daemon (ipsecd) - Unknown owner - C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 9302 bytes
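A HijackThis log of this size is normally read by eye, and the reply in this thread does not point at any single line. As an added example (not code from the thread, from the poster, or from the HijackThis project), the Python script below applies a few defender-side triage heuristics to entries in this format: entries whose file no longer exists, O4 autoruns that load code from a user-writable profile path (especially through rundll32), a non-empty AppInit_DLLs value, and services without a publisher string. The sample entries are constructed from lines in the posted log; the regular expressions, function names and findings wording are my assumptions, and a hit means "an analyst should look at this", not "this is malware" (the AppInit_DLLs entry in the log belongs to AVG, for instance).

```python
"""Heuristic triage of a HijackThis log (added example, not from the thread)."""
import re

# Constructed sample: entries in HijackThis format modelled on the log posted
# above, shortened to the lines that exercise the heuristics below.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKCU\..\Run: [msxmlsysgfx] rundll32.exe "C:\Users\Jonas\AppData\Local\msxmlsysgfx\msxmlsysgfx.dll", DllInit
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" and so on.
ENTRY = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")
# A path below a user profile (writable without admin rights), XP or Vista/7 layout.
PROFILE_PATH = re.compile(r"\\(Users|Documents and Settings)\\[^\\]+\\", re.IGNORECASE)


def parse_entries(text):
    """Return (section code, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return (code, reason, body) findings that deserve a human look."""
    findings = []
    for code, body in parse_entries(text):
        # Leftover registrations: harmless by themselves, but they mark where
        # something was removed and are worth cleaning up.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((code, "orphaned: referenced file does not exist", body))
        # Autorun that executes from a location any user process can write to.
        if code == "O4" and PROFILE_PATH.search(body):
            how = "rundll32 loads a DLL" if "rundll32" in body.lower() else "program runs"
            findings.append((code, f"autorun: {how} from a user-writable profile path", body))
        # AppInit_DLLs are mapped into every process that loads user32.dll.
        if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((code, "AppInit_DLLs set: verify the publisher of each DLL", body))
        # HijackThis prints "Unknown owner" when the binary has no company name.
        if code == "O23" and "Unknown owner" in body:
            findings.append((code, "service without a publisher string", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {body}")
```

Run as a script it prints six findings for the sample: the two orphaned `(no file)` entries, the rundll32 autorun from `AppData\Local`, the AppInit_DLLs value, and two for the StarWind service (missing file and missing publisher). Feeding it a complete log is a matter of reading the file into `triage()`.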
08.12.2009, 12:03 | #2
Google redirect -> rootkit?
Hi,
GMER under Win 7, let's see whether that works (follow the link)... http://www.trojaner-board.de/74908-a...t-scanner.html You will find the download link at the top left (www.gmer.net/files); there click the "Download EXE" button, which generates a random file name (please note that name and the path where you saved it). Start GMER and check whether it already reports something. If it does, please answer all questions with "no", go to the "rootkit" tab, again answer the question with "no", and use Copy to paste the report into the thread. If it reports nothing that way, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report. If not, then Dr. Web: http://www.trojaner-board.de/59299-a...eb-cureit.html chris
08.12.2009, 14:33 | #3
Google redirect -> rootkit?
Thanks for the quick reply!
So I downloaded and started GMER and was then in the Rootkit window, and it showed me the following. However, I did not have to press anything; it was simply there: Code:
GMER 1.0.15.15272 - http://www.gmer.net
Rootkit quick scan 2009-12-08 14:24:32
Windows 6.1.7600
Running: xcg3369o.exe; Driver: C:\Users\Jonas\AppData\Local\Temp\kglcypow.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 864741F8
Device \FileSystem\fastfat \Fat 8724D500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.sys
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys

---- EOF - GMER 1.0.15 ----
After that I clicked Scan, which produced the following, but again no prompt to do anything: Code:
GMER 1.0.15.15272 - http://www.gmer.net
Rootkit scan 2009-12-08 14:31:56
Windows 6.1.7600
Running: xcg3369o.exe; Driver: C:\Users\Jonas\AppData\Local\Temp\kglcypow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x99BAC620]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x99BAC6D0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x99BAC770]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x99BAC810]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303EAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303E104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303E3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830272D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83026898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303E1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303E958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303E6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303EF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303F1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C57579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C7BF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82C839E8 4 Bytes [20, C6, BA, 99]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82C83CB8 8 Bytes [D0, C6, BA, 99, 70, C7, BA, ...] {ROL DH, 0x1; MOV EDX, 0xbac77099; CDQ }
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 82C83D2C 4 Bytes [10, C8, BA, 99]
? System32\Drivers\spbn.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 91DBACA0 5 Bytes JMP 8723F1D8
.text akk8wl9y.SYS 95226000 12 Bytes [44, 98, 02, 83, EE, 96, 02, ...]
.text akk8wl9y.SYS 9522600D 9 Bytes [77, 02, 83, 48, 9B, 02, 83, ...] {JA 0x4; OR DWORD [EAX-0x65], 0x2; ADD DWORD [EAX], 0x0}
.text akk8wl9y.SYS 95226017 20 Bytes [00, DE, D7, 34, 8B, E6, D5, ...]
.text akk8wl9y.SYS 9522602C 149 Bytes [00, 00, 00, 00, D0, 21, C5, ...]
.text akk8wl9y.SYS 952260C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys A2E36C9D 28 Bytes [55, 85, C7, 87, 4E, 9E, 99, ...]
.text peauth.sys A2E36CC1 28 Bytes [55, 85, C7, 87, 4E, 9E, 99, ...]
PAGE peauth.sys A2E3CB9B 55 Bytes [CE, DC, EF, 73, BA, B7, 9F, ...]
PAGE peauth.sys A2E3CBD3 16 Bytes [9A, 87, 84, AE, 9D, 01, 51, ...] {CALL FAR 0x5101:0x9dae8487; OUT 0x3f, AL; POP ECX; AAS ; HLT ; LES ECX, DWORD [EAX+EDX*8+0x52]}
PAGE peauth.sys A2E3CBEC 97 Bytes [A7, B4, DB, 46, 8D, 3D, 7F, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] kernel32.dll!SetUnhandledExceptionFilter 76A73142 5 Bytes JMP 6AC85629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B243042] \SystemRoot\System32\Drivers\spbn.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B2436D6] \SystemRoot\System32\Drivers\spbn.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B243800] \SystemRoot\System32\Drivers\spbn.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B24313E] \SystemRoot\System32\Drivers\spbn.sys
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[1716] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1716] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1716] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1716] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5896] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 864741F8
Device \FileSystem\fastfat \FatCdrom 8724D500
Device \Driver\USBSTOR \Device\0000008f 87DC31F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys
Device \Driver\volmgr \Device\VolMgrControl 857821F8
Device \Driver\usbuhci \Device\USBPDO-0 872931F8
Device \Driver\usbuhci \Device\USBPDO-1 872931F8
Device \Driver\sptd \Device\1767094776 spbn.sys
Device \Driver\usbuhci \Device\USBPDO-2 872931F8
Device \Driver\usbehci \Device\USBPDO-3 872AD500
Device \Driver\usbuhci \Device\USBPDO-4 872931F8
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 872931F8
Device \Driver\usbuhci \Device\USBPDO-6 872931F8
Device \Driver\volmgr \Device\HarddiskVolume1 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 872AD500
Device \Driver\volmgr \Device\HarddiskVolume2 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 870991F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 857841F8
Device \Driver\atapi \Device\Ide\IdePort0 857841F8
Device \Driver\atapi \Device\Ide\IdePort1 857841F8
Device \Driver\atapi \Device\Ide\IdePort2 857841F8
Device \Driver\atapi \Device\Ide\IdePort3 857841F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 857841F8
Device \Driver\volmgr \Device\HarddiskVolume3 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 870991F8
Device \Driver\volmgr \Device\HarddiskVolume4 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom2 870991F8
Device \Driver\volmgr \Device\HarddiskVolume5 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom3 870991F8
Device \Driver\USBSTOR \Device\00000081 87DC31F8
Device \Driver\volmgr \Device\HarddiskVolume6 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom4 870991F8
Device \Driver\PCI_PNP0775 \Device\00000069 spbn.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{73B99B48-A5AA-4A4F-BB57-A76198C7EB8B} 870641F8
Device \Driver\volmgr \Device\HarddiskVolume7 857821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000090 87DC31F8
Device \Driver\USBSTOR \Device\00000083 87DC31F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 870641F8
Device \Driver\usbhub \Device\00000077 hcmon.sys
Device \Driver\USBSTOR \Device\00000084 87DC31F8
Device \Driver\usbhub \Device\00000078 hcmon.sys
Device \Driver\USBSTOR \Device\00000085 87DC31F8
Device \Driver\usbhub \Device\00000079 hcmon.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{2253C295-4A5B-4B19-B841-76274A39646B} 870641F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3E37D907-D146-474B-853E-5B75FC53C350} 870641F8
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 872931F8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-1 872931F8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbhub \Device\0000007a hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-2 872931F8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys
Device \Driver\usbhub \Device\0000007b hcmon.sys
Device \Driver\usbehci \Device\USBFDO-3 872AD500
Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys
Device \Driver\usbhub \Device\0000007c hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-4 872931F8
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys
Device \Driver\usbhub \Device\0000007d hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-5 872931F8
Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys
Device \Driver\usbhub \Device\0000007e hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-6 872931F8
Device \Driver\usbuhci \Device\USBFDO-6 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-7 872AD500
Device \Driver\usbehci \Device\USBFDO-7 hcmon.sys
Device \Driver\akk8wl9y \Device\Scsi\akk8wl9y1Port5Path0Target1Lun0 874BE500
Device \Driver\akk8wl9y \Device\Scsi\akk8wl9y1 874BE500
Device \Driver\akk8wl9y \Device\Scsi\akk8wl9y1Port5Path0Target3Lun0 874BE500
Device \Driver\akk8wl9y \Device\Scsi\akk8wl9y1Port5Path0Target0Lun0 874BE500
Device \Driver\mv61xx \Device\Scsi\mv61xx1 857851F8
Device \Driver\akk8wl9y \Device\Scsi\akk8wl9y1Port5Path0Target2Lun0 874BE500
Device \Driver\mv61xx \Device\Scsi\mv61xx1Port4Path0Target0Lun0 857851F8
Device \Driver\mv61xx \Device\Scsi\mv61xx1Port4Path0Target19Lun0 857851F8
Device \FileSystem\fastfat \Fat 8724D500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0xEB 0x64 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x5D 0xB5 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFB 0xED 0x07 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE9 0xFA 0x84 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xC8 0x4B 0xAF 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x90 0x95 0x85 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0xEB 0x64 0xED ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x5D 0xB5 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFB 0xED 0x07 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE9 0xFA 0x84 0xED ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xC8 0x4B 0xAF 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x90 0x95 0x85 0xE1 ...

---- EOF - GMER 1.0.15 ----
Thanks
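The two GMER sections that matter most for the question in this thread are "Kernel IAT/EAT" and "Devices": the former shows atapi.sys's imports from ataport.SYS redirected into spbn.sys (a file GMER could not open on disk, and which the Devices and Registry sections of the same log tie to the sptd driver and a DAEMON Tools Lite path), and a driver with the random-looking name akk8wl9y.SYS whose import slots hold values that resolve to no loaded module at all. As an added example (not code from the thread or from the GMER project), the Python script below parses those lines, groups kernel IAT hooks by the module they point into, notes when that module is one GMER reported as missing on disk, and lists device objects served by a driver other than the one that owns them. The sample is constructed from lines in the posted scan; the regular expressions, names and findings wording are my assumptions. The output is a triage summary, not a verdict: VMware's hcmon.sys produces the same "served by another driver" pattern legitimately, so every line it prints still needs an analyst.

```python
"""Summarise GMER kernel IAT hooks and device ownership (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: lines in GMER's output format taken from the scan posted
# above and shortened; the section banners are kept so the parser sees realistic input.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spbn.sys Das System kann den angegebenen Pfad nicht finden. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B243042] \SystemRoot\System32\Drivers\spbn.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B2436D6] \SystemRoot\System32\Drivers\spbn.sys
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\akk8wl9y.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[1716] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75D75D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\sptd \Device\1767094776 spbn.sys
Device \Driver\usbuhci \Device\USBPDO-0 872931F8
Device \Driver\usbhub \Device\00000077 hcmon.sys
"""

# Kernel IAT line: either "[addr] <hooking module>" when GMER resolved the target,
# or a bare 8-digit value when the slot points into no loaded module.
KERNEL_IAT = re.compile(
    r"^IAT\s+(?P<victim>\S+)\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S+)|(?P<raw>[0-9A-Fa-f]{8}))\s*$"
)
USER_IAT = re.compile(r"^IAT\s+\S+\[\d+\]\s+@")          # "IAT <exe>[pid] @ <dll> ..."
MISSING = re.compile(r"^\?\s+(?P<path>\S+)\s.*!\s*$")     # "? <path> <OS error text> !"
DEVICE = re.compile(r"^Device\s+\\Driver\\(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(text):
    """Return hooks grouped by hooking module, modules missing on disk, and findings."""
    hooks = defaultdict(list)   # hooking module -> [(victim driver, imported function)]
    missing = set()             # modules GMER could not open on disk
    devices = []                # (owning driver, device object, serving module)
    for line in text.splitlines():
        line = line.strip()
        if USER_IAT.match(line):
            continue            # user-mode IAT entries are out of scope here
        m = KERNEL_IAT.match(line)
        if m:
            hooker = basename(m["hooker"]) if m["hooker"] else "<unresolved>"
            hooks[hooker].append((basename(m["victim"]), m["func"]))
            continue
        m = MISSING.match(line)
        if m:
            missing.add(basename(m["path"]))
            continue
        m = DEVICE.match(line)
        if m:
            devices.append((m["driver"].lower(), m["device"], basename(m["owner"])))

    findings = []
    for hooker, entries in hooks.items():
        victims = ", ".join(sorted({v for v, _ in entries}))
        if hooker == "<unresolved>":
            findings.append(f"{len(entries)} import entries of {victims} point outside every loaded module")
        else:
            note = " (file not found on disk)" if hooker in missing else ""
            findings.append(f"{hooker} hooks {len(entries)} import(s) of {victims}{note}")
    for driver, device, owner in devices:
        # A device object served by a .sys other than its own driver: a filter or a hook.
        if owner.endswith(".sys") and owner != driver + ".sys":
            findings.append(f"device {device} of driver {driver} is served by {owner}")
    return {"hooks": dict(hooks), "missing": missing, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_GMER)["findings"]:
        print(finding)
```

On the sample this prints four lines: spbn.sys hooking two atapi.sys imports with the file not found on disk, three akk8wl9y.sys import entries pointing outside every loaded module, and the sptd and usbhub device objects served by spbn.sys and hcmon.sys respectively. Pointing `analyze()` at the full scan pasted above gives the same picture with the complete counts.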
08.12.2009, 15:57 | #4
Google redirect -> rootkit?
Hello, have the following driver examined at Virustotal.com: C:\windows\System32\Drivers\akk8wl9y.SYS Then run a Dr. Web scan (see my previous post)... chris
08.12.2009, 17:46 | #5
Google redirect -> rootkit?
Hi, so VirusTotal produced one hit, from McAfee: McAfee-GW-Edition 6.8.5 2009.12.06 Heuristic.LooksLike.Win32.NewMalware.H. Nothing else, but here is the complete log file anyway: Code:
Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.43 2009.12.06 -
AhnLab-V3 5.0.0.2 2009.12.06 -
AntiVir 7.9.1.92 2009.12.06 -
Antiy-AVL 2.0.3.7 2009.12.04 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.06 -
AVG 8.5.0.426 2009.12.06 -
BitDefender 7.2 2009.12.06 -
CAT-QuickHeal 10.00 2009.12.05 -
ClamAV 0.94.1 2009.12.06 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.06 -
eSafe 7.0.17.0 2009.12.06 -
eTrust-Vet 35.1.7159 2009.12.04 -
F-Prot 4.5.1.85 2009.12.06 -
F-Secure 9.0.15370.0 2009.12.03 -
Fortinet 4.0.14.0 2009.12.06 -
GData 19 2009.12.06 -
Ikarus T3.1.1.74.0 2009.12.06 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.912 2009.12.05 -
Kaspersky 7.0.0.125 2009.12.06 -
McAfee 5824 2009.12.06 -
McAfee+Artemis 5824 2009.12.06 -
McAfee-GW-Edition 6.8.5 2009.12.06 Heuristic.LooksLike.Win32.NewMalware.H
Microsoft 1.5302 2009.12.06 -
NOD32 4665 2009.12.06 -
Norman 6.03.02 2009.12.05 -
nProtect 2009.1.8.0 2009.12.06 -
Panda 10.0.2.2 2009.12.06 -
PCTools 7.0.3.5 2009.12.06 -
Prevx 3.0 2009.12.06 -
Rising 22.24.06.04 2009.12.06 -
Sophos 4.48.0 2009.12.06 -
Sunbelt 3.2.1858.2 2009.12.06 -
Symantec 1.4.4.12 2009.12.06 -
TheHacker 6.5.0.2.086 2009.12.05 -
TrendMicro 9.100.0.1001 2009.12.06 -
VBA32 3.12.12.0 2009.12.03 -
ViRobot 2009.12.4.2072 2009.12.04 -
VirusBuster 5.0.21.0 2009.12.06 -

weitere Informationen
File size: 21584 bytes
MD5 : 338c86357871c167a96ab976519bf59e
SHA1 : e99e20970139fb1e67bbc54fa8a61c18a4fce36e
SHA256: f28cc534523d1701b0552f5d7e18e88369c4218bdb1f69110c3e31d395884ad6
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x603E
timedatestamp.....: 0x4A5BBF13 (Tue Jul 14 01:11:15 2009)
machinetype.......: 0x14C (Intel I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d
.rdata 0x4000 0xAE 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1
.data 0x5000 0xC 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x6000 0x38C 0x400 4.66 392ce67c807da67e018ad9cf892fde4c
.rsrc 0x7000 0x3F0 0x400 3.41 ecb60c1c006d2813169c8bcfe271a200
.reloc 0x8000 0xD2 0x200 2.47 035f51da8bf9893e51952ac185994f14
( 2 imports )
> ataport.sys: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> ntoskrnl.exe: KeTickCount
( 0 exports )
TrID : File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 384:SN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BLWErUwW9Qu5VpBjbOjBMmhyMD:adUtytUXbyTICtGjNMNbcxHJudkMmwMD
PEiD : -
RDS : NSRL Reference Data Set
-
Thanks!
08.12.2009, 18:26 | #6 |
| Google redirect -> rootkit? Hi, it could also be a false positive, although according to GMER that thing is already "doing" quite a bit... Post the Dr. Web log tomorrow; don't stay online too long, if there is still a TrojanDownloader on it the box will keep getting more infected... chris
|
09.12.2009, 13:35 | #7 |
| Google redirect -> rootkit? A few hits, but most of them from Spybot and a bot folder; I consider both clean. The last entry is a bit strange (mIRC). Entries 4-8 don't mean anything to me either. There was also a notification, something about a hosts file; stupid as I am, of course I didn't note it down or forgot it again... It said the file was corrupt, then I could have the original file restored, which I did; the old one is now in the quarantine directory. Here is the Dr. Web log: Code:
ATTFilter regLocal.reg;C:\Documents and Settings\All Users\Anwendungsdaten\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Documents and Settings\All Users\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; 3440aba-19707a7b\myf/y/AppletX.class;C:\Documents and Settings\Jonas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3440aba-19707a7b;Exploit.CVE2008.5353;; 3440aba-19707a7b\myf/y/LoaderX.class;C:\Documents and Settings\Jonas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3440aba-19707a7b;Exploit.CVE2008.5353;; 3440aba-19707a7b\myf/y/PayloadX.class;C:\Documents and Settings\Jonas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\3440aba-19707a7b;Exploit.CVE2008.5353;; 3440aba-19707a7b;C:\Documents and Settings\Jonas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58;Archiv enthält infizierte Objekte;Verschoben.; Process.exe;C:\Documents and Settings\Jonas\Desktop\Neuer Ordner\Kopie von vh_clan nila all keys\Bot\Config\System;Tool.Prockill;; 3440aba-19707a7b\myf/y/AppletX.class;C:\Documents and Settings\Jonas\DoctorWeb\Quarantine\3440aba-19707a7b;Exploit.CVE2008.5353;; 3440aba-19707a7b\myf/y/LoaderX.class;C:\Documents and Settings\Jonas\DoctorWeb\Quarantine\3440aba-19707a7b;Exploit.CVE2008.5353;; 3440aba-19707a7b\myf/y/PayloadX.class;C:\Documents and Settings\Jonas\DoctorWeb\Quarantine\3440aba-19707a7b;Exploit.CVE2008.5353;; 3440aba-19707a7b;C:\Documents and Settings\Jonas\DoctorWeb\Quarantine;Archiv enthält infizierte Objekte;Verschoben.; regLocal.reg;C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Dokumente und Einstellungen\All Users\Application Data\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Dokumente und Einstellungen\All Users\Spybot - Search & 
Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; Process.exe;C:\Dokumente und Einstellungen\Jonas\Desktop\Neuer Ordner\Kopie von vh_clan nila all keys\Bot\Config\System;Tool.Prockill;; 3440aba-19707a70\myf/y/AppletX.class;C:\Dokumente und Einstellungen\Jonas\DoctorWeb\Quarantine\3440aba-19707a70;Exploit.CVE2008.5353;; 3440aba-19707a70\myf/y/LoaderX.class;C:\Dokumente und Einstellungen\Jonas\DoctorWeb\Quarantine\3440aba-19707a70;Exploit.CVE2008.5353;; 3440aba-19707a70\myf/y/PayloadX.class;C:\Dokumente und Einstellungen\Jonas\DoctorWeb\Quarantine\3440aba-19707a70;Exploit.CVE2008.5353;; 3440aba-19707a70;C:\Dokumente und Einstellungen\Jonas\DoctorWeb\Quarantine;Archiv enthält infizierte Objekte;Verschoben.; regLocal.reg;C:\ProgramData\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Users\All Users\Anwendungsdaten\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Users\All Users\Application Data\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; regLocal.reg;C:\Users\All Users\Spybot - Search & Destroy\Backups;Wahrscheinlich SCRIPT.Virus;; Process.exe;C:\Users\Jonas\Desktop\Neuer Ordner\Kopie von vh_clan nila all keys\Bot\Config\System;Tool.Prockill;; mirc.exe;K:\C\Programme\mIRC;Program.mIRC.623;; |
09.12.2009, 13:46 | #8 |
| Google redirect -> rootkit? Hi, uninstall the following applications: - Alcohol - Daemon Tools Then please create a new GMER log again (rootkit scan)... chris
__________________ Don't bring me down Read before posting! Donations (Anyone who wants to donate is welcome to get in touch) |
09.12.2009, 16:45 | #9 |
| Google redirect -> rootkit? So I uninstalled Daemon Tools, but Alcohol has no entry in the Control Panel or in the Start menu. Could that be the culprit? |
09.12.2009, 17:04 | #10 |
| Google redirect -> rootkit? Hi, O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing) It was not uninstalled properly, so: http://www.trojaner-board.de/51464-a...-ccleaner.html You have to let it scan and clean the registry (blue cube icon on the left side) several times until nothing more is found. Install CCleaner without the toolbar! Choose the custom installation. Then please post another new GMER log (rootkit scan)... chris
|
09.12.2009, 18:00 | #11 |
| Google redirect -> rootkit? So I ran CCleaner again, so far so good. GMER caused problems, though. It always crashed at the following file: device\harddisc\VolumeSahdowCopy1 When I try to start GMER again afterwards, I get a bluescreen and my computer restarts... |
09.12.2009, 21:25 | #12 |
| Google redirect -> rootkit? Hi, but GMER did run the first time... Did you change anything in the configuration, or is a backup running right now? Was "Shadow Copy" enabled? Check whether the shadow copy service is running... Start -> type "Administrative Tools" into the search field, select "Administrative Tools" from the list that appears, then Services, scroll down to "Volume Shadow Copy", double-click, check whether it is running; if yes -> Stop. Disable System Restore: Start -> right-click "Computer", select "Properties" in the popup, in the window that appears select "System Protection" on the left side, in the window that appears select "Configure", then "Turn off system protection" -> OK. Reboot. Then try to run GMER... Afterwards re-enable System Restore the same way and create a first restore point. What else is the computer doing? chris
|
09.12.2009, 22:45 | #13 |
| Google redirect -> rootkit? OK thanks, now it worked, although AVG was on and the internet connection too. Here is the log: Code:
ATTFilter GMER 1.0.15.15273 - http://www.gmer.net Rootkit scan 2009-12-09 22:33:58 Windows 6.1.7600 Running: 7vftppfg.exe; Driver: C:\Users\Jonas\AppData\Local\Temp\kglcypow.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x987B5620] SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x987B56D0] SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x987B5770] SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x987B5810] INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C26AF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C26104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C263F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C0F2D8 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C0E898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C261DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C26958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C266F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C26F2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C271A8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C86579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CAAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82CB29E8 4 Bytes [20, 56, 7B, 98] {AND [ESI+0x7b], DL; CWDE } .text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82CB2CB8 8 Bytes [D0, 56, 7B, 98, 70, 57, 7B, ...] {RCL BYTE [ESI+0x7b], 0x1; CWDE ; JO 0x5d; JNP 0xffffffffffffffa0} .text ntkrnlpa.exe!RtlSidHashLookup + 82C 82CB2D2C 4 Bytes [10, 58, 7B, 98] {ADC [EAX+0x7b], BL; CWDE } ? System32\Drivers\spqo.sys Das System kann den angegebenen Pfad nicht finden. ! .text USBPORT.SYS!DllUnload 93662CA0 5 Bytes JMP 86FDC4E0 .text peauth.sys A321AC9D 28 Bytes [1E, A6, 85, 03, 0D, 18, DE, ...] .text peauth.sys A321ACC1 28 Bytes [1E, A6, 85, 03, 0D, 18, DE, ...] PAGE peauth.sys A3220E20 101 Bytes [26, 0F, C4, 7E, 5C, 5F, 3A, ...] PAGE peauth.sys A322102C 102 Bytes [41, 7B, 26, 15, BC, 22, 2F, ...] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B29D042] \SystemRoot\System32\Drivers\spqo.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B29D6D6] \SystemRoot\System32\Drivers\spqo.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B29D800] \SystemRoot\System32\Drivers\spqo.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B29D13E] \SystemRoot\System32\Drivers\spqo.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\System32\rundll32.exe[3268] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3268] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3268] @ C:\Windows\system32\SHLWAPI.dll 
[KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3268] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 864741F8 AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys Device \FileSystem\fastfat \FatCdrom 86EA21F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys Device \Driver\volmgr \Device\VolMgrControl 857821F8 Device \Driver\usbuhci \Device\USBPDO-0 86EC41F8 Device \Driver\usbuhci \Device\USBPDO-1 86EC41F8 Device \Driver\usbuhci \Device\USBPDO-2 86EC41F8 Device \Driver\usbehci \Device\USBPDO-3 86D09500 Device \Driver\usbuhci \Device\USBPDO-4 86EC41F8 AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) 
Device \Driver\usbuhci \Device\USBPDO-5 86EC41F8 Device \Driver\usbuhci \Device\USBPDO-6 86EC41F8 Device \Driver\volmgr \Device\HarddiskVolume1 857821F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 86D09500 Device \Driver\volmgr \Device\HarddiskVolume2 857821F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 86C4E1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 857841F8 Device \Driver\atapi \Device\Ide\IdePort0 857841F8 Device \Driver\atapi \Device\Ide\IdePort1 857841F8 Device \Driver\atapi \Device\Ide\IdePort2 857841F8 Device \Driver\atapi \Device\Ide\IdePort3 857841F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 857841F8 Device \Driver\volmgr \Device\HarddiskVolume3 857821F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume4 857821F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000080 8792E500 Device \Driver\volmgr \Device\HarddiskVolume5 857821F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000082 8792E500 Device \Driver\volmgr \Device\HarddiskVolume6 857821F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000083 8792E500 Device \Driver\NetBT \Device\NetBT_Tcpip_{73B99B48-A5AA-4A4F-BB57-A76198C7EB8B} 86D1A1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86D1A1F8 Device \Driver\usbhub \Device\00000077 hcmon.sys Device \Driver\USBSTOR \Device\00000084 8792E500 Device \Driver\usbhub 
\Device\00000078 hcmon.sys Device \Driver\usbhub \Device\00000079 hcmon.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{2253C295-4A5B-4B19-B841-76274A39646B} 86D1A1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{3E37D907-D146-474B-853E-5B75FC53C350} 86D1A1F8 AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbuhci \Device\USBFDO-0 86EC41F8 Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys Device \Driver\usbuhci \Device\USBFDO-1 86EC41F8 Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys Device \Driver\usbhub \Device\0000007a hcmon.sys Device \Driver\usbuhci \Device\USBFDO-2 86EC41F8 Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys Device \Driver\usbhub \Device\0000007b hcmon.sys Device \Driver\usbehci \Device\USBFDO-3 86D09500 Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys Device \Driver\usbhub \Device\0000007c hcmon.sys Device \Driver\usbuhci \Device\USBFDO-4 86EC41F8 Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys Device \Driver\usbhub \Device\0000007d hcmon.sys Device \Driver\usbuhci \Device\USBFDO-5 86EC41F8 Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys Device \Driver\usbuhci \Device\USBFDO-6 86EC41F8 Device \Driver\usbuhci \Device\USBFDO-6 hcmon.sys Device \Driver\usbehci \Device\USBFDO-7 86D09500 Device \Driver\usbehci \Device\USBFDO-7 hcmon.sys Device \Driver\mv61xx \Device\Scsi\mv61xx1 857851F8 Device \Driver\mv61xx \Device\Scsi\mv61xx1Port4Path0Target0Lun0 857851F8 Device \Driver\mv61xx \Device\Scsi\mv61xx1Port4Path0Target19Lun0 857851F8 Device \FileSystem\fastfat \Fat 86EA21F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.sys ---- Registry 
- GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0xEB 0x64 0xED ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0xEB 0x64 0xED ... Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 267 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\268 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\268@CrawlType 2 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\268@InProgress 1 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\268@DoneAddingCrawlSeeds 0 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\268@IsCatalogLevel 0 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\268@LogStartAddId 2 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 268 ---- EOF - GMER 1.0.15 ---- |
10.12.2009, 09:10 | #14 |
| Google redirect -> rootkit? Hi, GMER finds something generic... C:\windows\System32\Drivers\spqo.sys, in the first log it was still: C:\windows\System32\Drivers\spbn.sys... You have already uninstalled Alcohol and Daemon Tools, but run the uninstaller anyway: Quote:
chris
|
10.12.2009, 16:23 | #15 |
| Google redirect -> rootkit? Hi, I ran the uninstallation, shut down, restarted (without the network cable), then turned off AVG's resident protection and ran GMER; here is the log: Code:
ATTFilter GMER 1.0.15.15273 - http://www.gmer.net Rootkit scan 2009-12-10 16:21:28 Windows 6.1.7600 Running: 7vftppfg.exe; Driver: C:\Users\Jonas\AppData\Local\Temp\kglcypow.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x98BA4620] SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x98BA46D0] SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x98BA4770] SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x98BA4810] INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302CAF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302C104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302C3F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830152D8 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83014898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302C1DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302C958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302C6F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302CF2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302D1A8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C45579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C69F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82C719E8 4 Bytes [20, 46, BA, 98] {AND [ESI-0x46], AL; CWDE } .text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82C71CB8 8 Bytes [D0, 46, BA, 98, 70, 47, BA, ...] .text ntkrnlpa.exe!RtlSidHashLookup + 82C 82C71D2C 4 Bytes [10, 48, BA, 98] {ADC [EAX-0x46], CL; CWDE } .text peauth.sys A282DC9D 28 Bytes [0F, A6, 81, 0B, 1D, 38, 9E, ...] .text peauth.sys A282DCC1 28 Bytes [0F, A6, 81, 0B, 1D, 38, 9E, ...] PAGE peauth.sys A2833E20 101 Bytes [E4, 74, 36, 4F, 3E, 9B, 1F, ...] PAGE peauth.sys A283402C 102 Bytes [47, 71, 36, 35, FC, A2, B8, ...] PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A845A000 68 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 4FD5 A845A045 203 Bytes [8B, C6, F0, 0F, BA, 28, 00, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50A1 A845A111 17 Bytes [87, 01, 6A, 00, 6A, 20, A3, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A845A123 487 Bytes [55, 45, A8, FE, 05, 34, 55, ...] PAGE spsys.sys!?SPRevision@@3PADA + 529B A845A30B 141 Bytes [A8, 3B, 08, 77, 04, 3B, CA, ...] PAGE ... 
---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\System32\rundll32.exe[3332] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75A65D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3332] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75A65D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3332] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75A65D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3332] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75A65D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) 
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbhub \Device\00000077 hcmon.sys Device \Driver\usbhub \Device\00000078 hcmon.sys Device \Driver\usbhub \Device\00000079 hcmon.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) 
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys Device \Driver\usbhub \Device\0000007a hcmon.sys Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys Device \Driver\usbhub \Device\0000007b hcmon.sys Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys Device \Driver\usbhub \Device\0000007c hcmon.sys Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys Device \Driver\usbuhci \Device\USBFDO-6 hcmon.sys Device \Driver\usbehci \Device\USBFDO-7 hcmon.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.sys ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0xEB 0x64 0xED ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0xEB 0x64 0xED ... 
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 272 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\273 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\273@CrawlType 2 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\273@InProgress 1 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\273@DoneAddingCrawlSeeds 1 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\273@IsCatalogLevel 0 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\273@LogStartAddId 2 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 273 ---- EOF - GMER 1.0.15 ---- |
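To illustrate the pattern chris points at in #14 (the ataport.sys imports of atapi.sys redirected into a driver, spqo.sys, whose file GMER cannot read on disk, and which no longer appears in the second log), here is an added Python triage script that is not part of this thread or of GMER. The two log excerpts are constructed from the shape of the GMER logs posted above, and the severity labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the first GMER log above (lines shortened).
GMER_BEFORE = """\
---- Kernel code sections - GMER 1.0.15 ----
? System32\\Drivers\\spqo.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 93662CA0 5 Bytes JMP 86FDC4E0
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \\SystemRoot\\system32\\DRIVERS\\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B29D042] \\SystemRoot\\System32\\Drivers\\spqo.sys
IAT \\SystemRoot\\system32\\DRIVERS\\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B29D6D6] \\SystemRoot\\System32\\Drivers\\spqo.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\\Windows\\System32\\rundll32.exe[3268] @ C:\\Windows\\system32\\USER32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\\Windows\\system32\\apphelp.dll
---- EOF - GMER 1.0.15 ----
"""

# Constructed excerpt modelled on the second log (after the uninstaller): no kernel IAT section.
GMER_AFTER = """\
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C45579 1 Byte [06]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\\Windows\\System32\\rundll32.exe[3332] @ C:\\Windows\\system32\\USER32.dll [KERNEL32.dll!GetProcAddress] [75A65D3D] C:\\Windows\\system32\\apphelp.dll
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# IAT <importing module>[<export module>!<function>] [<address>] <resolved module>
KIAT_RE = re.compile(r"^IAT\s+(\S+)\[(\S+?)!(\S+?)\]\s+\[([0-9A-Fa-f]+)\]\s+(\S+)")
# ? <driver path> <error text> !   (a loaded driver whose file GMER cannot open on disk)
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+(.+?)\s*!\s*$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    kind: str        # "iat_hook" or "missing_driver"
    module: str      # the driver the finding points at
    detail: str
    severity: str = "medium"


def parse_gmer(text: str) -> list:
    """Walk a GMER log and collect kernel IAT redirections and unreadable drivers."""
    section = ""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = MISSING_RE.match(line)
        if m and section.startswith("Kernel code sections"):
            findings.append(Finding("missing_driver", basename(m.group(1)), m.group(2)))
            continue
        m = KIAT_RE.match(line)
        if m and section.startswith("Kernel IAT"):
            importer, exporter, func, addr, target = m.groups()
            # Healthy entry: an AtaPort* import of atapi.sys resolves back into ataport.sys.
            if basename(target) != basename(exporter):
                findings.append(Finding(
                    "iat_hook", basename(target),
                    f"{basename(importer)} -> {exporter}!{func} at {addr} resolved to {target}"))
    # Correlate: a hook target that is also unreadable on disk is the strongest signal.
    hidden = {f.module for f in findings if f.kind == "missing_driver"}
    for f in findings:
        if f.kind == "iat_hook" and f.module in hidden:
            f.severity = "high"
    return findings


def hooked_modules(text: str) -> set:
    return {f.module for f in parse_gmer(text) if f.kind == "iat_hook"}


def hooks_cleared(before: str, after: str) -> set:
    """Hook targets present in the first log and gone from the second."""
    return hooked_modules(before) - hooked_modules(after)


if __name__ == "__main__":
    for f in parse_gmer(GMER_BEFORE):
        print(f"[{f.severity}] {f.kind}: {f.module} -- {f.detail}")
    print("cleared after second scan:", hooks_cleared(GMER_BEFORE, GMER_AFTER))
```

Comparing two logs this way only tells you that the redirections are gone; the driver file itself, the Dr. Web hits and the Java cache entries still need their own follow-up.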