Problems with Url Zone; MBR clean? GMER log... Quote:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 19:39:08
Windows 6.1.7600
Running: 9hm5ub7e.exe; Driver: C:\Users\Klaus\AppData\Local\Temp\pgriapoc.sys
---- System - GMER 1.0.15 ----
SSDT 92A5001C ZwCreateThread
SSDT 92A50008 ZwOpenProcess
SSDT 92A5000D ZwOpenThread
SSDT 92A50017 ZwTerminateProcess
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E26AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E26104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E263F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E0E634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E0E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E261DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E26958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E266F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E26F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E271A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E86579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EAAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82EB284C 4 Bytes [1C, 00, A5, 92] {SBB AL, 0x0; MOVSD ; XCHG EDX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82EB29E8 4 Bytes [08, 00, A5, 92] {OR [EAX], AL; MOVSD ; XCHG EDX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82EB2A08 4 Bytes [0D, 00, A5, 92]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82EB2CB8 4 Bytes [17, 00, A5, 92]
? System32\Drivers\spcs.sys Das System kann den angegebenen Pfad nicht finden. !
PAGE ataport.SYS!DllUnload + 1 8BEBEAD7 4 Bytes JMP 8575F1D9
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92404000, 0x2D5378, 0xE8000020]
.text USBPORT.SYS!DllUnload 918EACA0 5 Bytes JMP 868424E0
.text agqzarkp.SYS 92CB0000 12 Bytes [44, 18, E1, 82, EE, 16, E1, ...]
.text agqzarkp.SYS 92CB000D 9 Bytes [F7, E0, 82, 48, 1B, E1, 82, ...] {MUL EAX; OR BYTE [EAX+0x1b], -0x1f; ADD BYTE [EAX], 0x0}
.text agqzarkp.SYS 92CB0017 20 Bytes [00, DE, 27, D1, 8B, E6, 25, ...]
.text agqzarkp.SYS 92CB002C 134 Bytes [00, 00, 00, 00, D0, 11, E8, ...]
.text agqzarkp.SYS 92CB00B3 14 Bytes JMP EAD2A082
.text ...
.text peauth.sys A1072C9D 28 Bytes [84, 1D, B0, 69, D9, A7, EB, ...]
.text peauth.sys A1072CC1 28 Bytes [84, 1D, B0, 69, D9, A7, EB, ...]
? C:\Users\Klaus\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BC08042] \SystemRoot\System32\Drivers\spcs.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BC086D6] \SystemRoot\System32\Drivers\spcs.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BC08800] \SystemRoot\System32\Drivers\spcs.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BC0813E] \SystemRoot\System32\Drivers\spcs.sys
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\agqzarkp.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7463250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74632494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74615624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746156E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74628573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74624D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746250CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746251A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746266D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746282CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74628819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7462907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7462E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1784] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74624C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device 863FF1F8
Device Ntfs.sys (NT-Dateisystemtreiber/Microsoft Corporation)
Device 867B51F8
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 857611F8
Device \Driver\usbohci \Device\USBPDO-0 8683A1F8
Device \Driver\usbohci \Device\USBPDO-1 8683A1F8
Device \Driver\usbehci \Device\USBPDO-2 8683D1F8
Device \Driver\usbohci \Device\USBPDO-3 8683A1F8
Device \Driver\usbohci \Device\USBPDO-4 8683A1F8
Device \Driver\usbehci \Device\USBPDO-5 8683D1F8
Device \Driver\usbohci \Device\USBPDO-6 8683A1F8
Device \Driver\volmgr \Device\HarddiskVolume1 857611F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpm139.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
Device \Driver\volmgr \Device\HarddiskVolume2 857611F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpm139.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
Device \Driver\cdrom \Device\CdRom0 8673D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{945E76BF-D9C4-4055-A0A0-2904C12F568D} 867CB1F8
Device \Driver\volmgr \Device\HarddiskVolume3 857611F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpm139.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
Device \Driver\cdrom \Device\CdRom1 8673D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 863FD1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 863FD1F8
Device \Driver\atapi \Device\Ide\IdePort0 863FD1F8
Device \Driver\atapi \Device\Ide\IdePort1 863FD1F8
Device \Driver\atapi \Device\Ide\IdePort2 863FD1F8
Device \Driver\atapi \Device\Ide\IdePort3 863FD1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-5 863FD1F8
Device \Driver\PCI_PNP5743 \Device\00000066 spcs.sys
Device \Driver\volmgr \Device\HarddiskVolume4 857611F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpm139.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
Device \Driver\sptd \Device\4108359744 spcs.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 867CB1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E9CECCFE-D6BE-4440-8B49-58E7765670D0} 867CB1F8
Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbohci \Device\USBFDO-0 8683A1F8
Device \Driver\usbohci \Device\USBFDO-1 8683A1F8
Device \Driver\usbehci \Device\USBFDO-2 8683D1F8
Device \Driver\usbohci \Device\USBFDO-3 8683A1F8
Device \Driver\usbohci \Device\USBFDO-4 8683A1F8
Device \Driver\usbehci \Device\USBFDO-5 8683D1F8
Device \Driver\usbohci \Device\USBFDO-6 8683A1F8
Device \Driver\agqzarkp \Device\Scsi\agqzarkp1 8692D1F8
AttachedDevice fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0x21 0x66 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE4 0xC9 0x60 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x56 0xAE 0x87 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x07 0x21 0x66 0x71 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE4 0xC9 0x60 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x56 0xAE 0x87 0xA0 ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
---- EOF - GMER 1.0.15 ----