Forum section: Pests of all kinds and their removal
Thread: Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects
08.08.2010, 16:22 | #1
Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects

Hi, after all these years I have probably caught a trojan again and need your help to get rid of it.

System: Win XP SP3, Sygate Personal Firewall

Symptoms:
- No antivirus sites can be opened in the browser (Firefox), among them www.kaspersky.com, www.bitdefender.de, etc., and even hxxp://www.virustotal.com/ and hxxp://virusscan.jotti.org/ are blocked, i.e. "Address not found"
- Now and then connection attempts to various random-looking IPs
- Generally a bit sluggish

What I have done:

- HijackThis:

HijackThis logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:45, on 08.08.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Programme\Sygate\SPF\Smc.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\System32\svchost.exe
C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\V0230Mon.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\gmer\gmer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home/Home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINXP\V0230Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Jana Server 2 (Janad) - Thomas Hauck, Privat - C:\Programme\Jana2\Janad.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: MagicTuneEngine - Unknown owner - C:\Programme\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\Smc.exe
O23 - Service: Messenger USN Journal Reader-Service für freigegebene Ordner (usnjsvc) - Unknown owner - C:\Programme\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Creative VF0230 RunApp Service (VF0230Srv) - Creative Technology Ltd. - C:\WINXP\system32\V0230Srv.exe

--
End of file - 3748 bytes

...but in my opinion it is clean.

- GMER:

GMER logfile:
Code:
GMER 1.0.14.14536 - hxxp://www.gmer.net
Rootkit scan 2010-08-08 17:16:53
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB7141B30]
SSDT spjx.sys ZwCreateKey [0xB7EA80E0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB71416F0]
SSDT spjx.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spjx.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB7141470]
SSDT spjx.sys ZwOpenKey [0xB7EA80C0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB7141C50]
SSDT spjx.sys ZwQueryKey [0xB7EC7108]
SSDT spjx.sys ZwQueryValueKey [0xB7EC6F88]
SSDT spjx.sys ZwSetValueKey [0xB7EC719A]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB7141990]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB71418D0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB7141D60]

INT 0x62 ? 8A55CBF8
INT 0x63 ? 8A2DEF00
INT 0x73 ? 8A5CFBF8
INT 0x83 ? 8A5CFBF8
INT 0xB1 ? 8A55CBF8
INT 0xB1 ? 8A5CFBF8
INT 0xB1 ? 8A5CFBF8
INT 0xB4 ? 8A2DEF00

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeDelayExecutionThread + 2 804FA86C 5 Bytes JMP B3666AE0 \SystemRoot\System32\Drivers\rkhdrv10.SYS
PAGE ntkrnlpa.exe!NtOpenProcess + 5 805CB401 5 Bytes JMP B3666A80 \SystemRoot\System32\Drivers\rkhdrv10.SYS
? spjx.sys Das System kann die angegebene Datei nicht finden. !
.text af6c9tcs.SYS B7B40384 1 Byte [ 20 ]
.text af6c9tcs.SYS B7B40386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text af6c9tcs.SYS B7B403AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text af6c9tcs.SYS B7B403C4 3 Bytes [ 00, 00, 00 ]
.text af6c9tcs.SYS B7B403C9 1 Byte [ 00 ]
.text ...
.text USBPORT.SYS!DllUnload B7B208AC 5 Bytes JMP 8A2DE4E0
.text a9tkk9gu.SYS B71F3386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a9tkk9gu.SYS B71F33AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a9tkk9gu.SYS B71F33C4 3 Bytes [ 00, 70, 02 ]
.text a9tkk9gu.SYS B71F33C9 1 Byte [ 2E ]
.text a9tkk9gu.SYS B71F33CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...
.text tcpip.sys!IPTransmit + 10FC B4962D3A 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B4964690 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B497A454 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B71343FD 7 Bytes CALL B7CCFE30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
? C:\WINXP\system32\2.tmp Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINXP\System32\svchost.exe[1336] ntdll.dll!NtQueryInformationProcess 7C91D7E0 5 Bytes JMP 01959DB4
.text C:\WINXP\System32\svchost.exe[1336] NETAPI32.dll!NetpwPathCanonicalize 597DA3A9 5 Bytes JMP 01959D54
.text C:\WINXP\system32\svchost.exe[1512] ntdll.dll!NtQueryInformationProcess 7C91D7E0 5 Bytes JMP 00819DB4

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spjx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spjx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spjx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spjx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spjx.sys
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spjx.sys
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A5CB1F8
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\libusb0 \Device\libusb00001 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\libusb0 \Device\libusb00002 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\libusb0 \Device\libusb00003 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\libusb0 \Device\libusb00004 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbohci \Device\USBPDO-0 8A2D5500
Device \Driver\usbohci \Device\USBPDO-0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbehci \Device\USBPDO-1 8A3081F8
Device \Driver\usbehci \Device\USBPDO-1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5CD1F8
Device \Driver\usbhub \Device\USBPDO-2 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbhub \Device\USBPDO-3 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbhub \Device\USBPDO-5 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbhub \Device\000000a2 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\sptd \Device\4154638052 spjx.sys
Device \Driver\usbhub \Device\000000a3 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom0 8A26C500
Device \Driver\HidUsb \Device\000000b0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom1 8A26C500
Device \Driver\PCI_PNP9302 \Device\00000073 spjx.sys
Device \Driver\HidUsb \Device\000000b1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom2 8A26C500
Device \Driver\PCI_PNP9302 \Device\00000074 spjx.sys
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom3 8A26C500
Device \Driver\PCI_PNP9302 \Device\00000075 spjx.sys
Device \Driver\usbccgp \Device\000000a7 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\NetBT \Device\NetBT_Tcpip_{2AD7F161-852C-4CC4-B375-F5B658583059} 89CAB390
Device \Driver\Ftdisk \Device\HarddiskVolume6 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom4 8A26C500
Device \Driver\usbccgp \Device\000000a8 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Cdrom \Device\CdRom5 8A26C500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89CAB390
Device \Driver\USBSTOR \Device\000000a9 89F0C1F8
Device \Driver\USBSTOR \Device\000000a9 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Cdrom \Device\CdRom6 8A26C500
Device \Driver\Cdrom \Device\CdRom7 8A26C500
Device \Driver\NetBT \Device\NetbiosSmb 89CAB390
Device \Driver\sptd \Device\4154794302 spjx.sys
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbohci \Device\USBFDO-0 8A2D5500
Device \Driver\usbohci \Device\USBFDO-0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbehci \Device\USBFDO-1 8A3081F8
Device \Driver\usbehci \Device\USBFDO-1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88F251F8
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\USBSTOR \Device\000000ad 89F0C1F8
Device \Driver\USBSTOR \Device\000000ad USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88F251F8
Device \Driver\HidUsb \Device\000000af USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\FtControl 8A55D1F8
Device \Driver\af6c9tcs \Device\Scsi\af6c9tcs1Port6Path0Target0Lun0 8A2D6500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1 8A246500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target2Lun0 8A246500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target0Lun0 8A246500
Device \Driver\nvgts \Device\Scsi\nvgts2Port4Path0Target0Lun0 8A5CC1F8
Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path1Target1Lun0 8A5CC1F8
Device \Driver\nvgts \Device\Scsi\nvgts1 8A5CC1F8
Device \Driver\nvgts \Device\Scsi\nvgts2 8A5CC1F8
Device \Driver\af6c9tcs \Device\Scsi\af6c9tcs1 8A2D6500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target1Lun0 8A246500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target3Lun0 8A246500
Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path0Target0Lun0 8A5CC1F8
Device \FileSystem\Cdfs \Cdfs 87E861F8

---- Services - GMER 1.0.14 ----

Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] fwatk <-- ROOTKIT !!!
Service C:\Programme\NVIDIA (*** hidden *** ) [AUTO] nTuneService <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@DisplayName Windows Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Description Erstellt eine Verbindung zu einem Remotenetzwerk, wenn ein Programm eine Remote-DNS- oder -NetBIOS-Adresse referenziert.
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll C:\WINXP\system32\dgmqdvl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1556605242
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -822666141
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7B 0x59 0x19 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6F 0x64 0xFF 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x95 0x08 0x39 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xEF 0x7A 0x2A 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xF8 0xDD 0x37 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xC0 0x10 0x5C 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE8 0x9D 0x99 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x43 0xB8 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x02 0x54 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0C 0xEC 0xA8 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0C 0xEC 0xA8 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0xEC 0xA8 0xCE ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laghfdgnoplmdoikmjlfckjj 0x64 0x62 0x61 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@maihobkjbcbjfgcbjgmmcjhmca 0x64 0x61 0x61 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laihobkjbcbjfgcbphcldgbn 0x64 0x62 0x61 0x6F ...

---- EOF - GMER 1.0.14 ----

where the following entries were highlighted in red:
Quote:

So the problem probably lies here:
Quote:

The file "dgmqdvl.dll" is also nowhere to be found. How should I proceed?

Regards, Pete
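The hidden service in the GMER log above is exactly the kind of entry a responder wants pulled out of a log automatically rather than spotted by eye. The following Python script is an added example; it is not code from the post, from GMER or from HijackThis. It parses GMER's `Service ... (*** hidden *** )` and `Reg ...` lines, attaches each hidden service's registry values, and ranks a service that lives inside svchost.exe through a ServiceDll above a hidden service that has its own image and that HijackThis lists with a vendor name (compare fwatk and nTuneService in the log: GMER flags both the same way, but only fwatk is an svchost-hosted DLL). The sample lines are a constructed excerpt modelled on the post's logs, and the function names and priority labels are this example's own.

```python
"""Triage a GMER rootkit-scan log for svchost-hosted hidden services.

Added example for the post above; neither the poster's nor GMER's code.
The sample lines below are a constructed excerpt shaped like the post's logs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: GMER 'Services'/'Registry' lines and HijackThis O23 lines
# in the shape seen in the post (not the full logs).
SAMPLE_GMER = r"""
---- Services - GMER 1.0.14 ----
Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] fwatk <-- ROOTKIT !!!
Service C:\Programme\NVIDIA (*** hidden *** ) [AUTO] nTuneService <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@DisplayName Windows Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll C:\WINXP\system32\dgmqdvl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
"""
SAMPLE_HJT = r"""
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
"""

# GMER marks a service the service manager hides from user mode with '(*** hidden *** )'.
HIDDEN_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# 'Reg HKLM\...\Services\<svc>[\<subkey>]@<value> <data>'; key-only lines carry no '@'.
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)@(?P<value>\S+)\s*(?P<data>.*)$")
# HijackThis O23 line: 'O23 - Service: <display> (<name>) - <vendor> - <path>'
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class HiddenService:
    name: str                 # service key name as GMER printed it
    image: str                # image GMER printed on the 'Service' line
    start: str                # GMER start tag, e.g. AUTO
    reg: dict = field(default_factory=dict)   # registry value name -> data

    @property
    def svchost_hosted(self):
        """True when the service runs inside svchost.exe (-k group plus ServiceDll)."""
        return "svchost.exe" in self.reg.get("ImagePath", self.image).lower()

    @property
    def service_dll(self):
        return self.reg.get("ServiceDll")


def parse_gmer(text):
    """Return hidden services from a GMER log with their registry values attached."""
    hidden, reg = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m["name"].lower()] = HiddenService(m["name"], m["image"], m["start"])
            continue
        m = REG_RE.match(line)
        if m:
            reg.setdefault(m["svc"].lower(), {})[m["value"]] = m["data"].strip()
    for key, svc in hidden.items():
        svc.reg = reg.get(key, {})      # service names are case-insensitive in the registry
    return list(hidden.values())


def parse_hjt_services(text):
    """Map lower-cased service name -> (vendor, path) from HijackThis O23 lines."""
    services = {}
    for raw in text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            services[m["name"].lower()] = (m["vendor"], m["path"])
    return services


def triage(gmer_text, hjt_text=""):
    """Rank hidden services as (priority, name, reason), highest priority first."""
    known = parse_hjt_services(hjt_text)
    order = {"HIGH": 0, "REVIEW": 1, "LOW": 2}
    findings = []
    for svc in parse_gmer(gmer_text):
        if svc.svchost_hosted and svc.service_dll:
            # A DLL loaded into a shared svchost.exe instance is the classic hiding
            # place; the DLL path is the artefact to collect and scan.
            findings.append(("HIGH", svc.name,
                             f"svchost-hosted hidden service, ServiceDll {svc.service_dll}"))
        elif svc.name.lower() in known:
            vendor, path = known[svc.name.lower()]
            findings.append(("LOW", svc.name,
                             f"hidden to GMER but listed by HijackThis as {vendor} ({path})"))
        else:
            findings.append(("REVIEW", svc.name,
                             f"hidden service with own image {svc.image}, no ServiceDll"))
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for priority, name, reason in triage(SAMPLE_GMER, SAMPLE_HJT):
        print(f"{priority:6} {name:14} {reason}")
```

Run as a script it prints fwatk first with its ServiceDll path. That path is the artefact worth collecting from a boot off clean media for scanning: a file the rootkit hides from the running system, as the poster reports for dgmqdvl.dll, will not show up in a normal directory listing.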
08.08.2010, 16:32 | #2
/// Malware-holic

Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects

Please create and post a ComboFix log.

__________________
A guide and tutorial on using ComboFix
08.08.2010, 18:12 | #3
Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects

What I did:

Downloaded ComboFix. Ran ComboFix, clicked "yes". A message appears saying AVG AntiVir is active, which is not the case; only a disabled service is listed in the Services console. Click OK -> another window, AVG is supposedly still active, run anyway -> click OK -> nothing. ComboFix.exe is not even visible in memory any more. Tried to uninstall AVG 8.0 -> failed. Tried to start ComboFix again -> same as before.

Ideas?
08.08.2010, 18:26 | #4
/// Malware-holic

Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects

Can you try it in safe mode? It should be the F8 key when the PC starts.
08.08.2010, 21:10 | #5
Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects

Exactly the same thing happens in safe mode. I have since tried to remove AVG with AVG Remover [1]; going by its log it did remove quite a bit, but unfortunately running ComboFix still brings up the message that AVG is running.

[1] hxxp://www.computerbild.de/download/AVG-Remover-4324307.html

Also, the Task Manager closes when ComboFix is run, and many processes start and exit in quick succession; I watched for that.

Last edited by GoodFella (08.08.2010 at 21:28)
08.08.2010, 21:46 | #6
Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects

I remembered that I had a similar problem once before and copied the procedure from back then, see here: http://www.trojaner-board.de/69512-v...blockiert.html

So I used Avenger with the following script:
Quote:

Quote:

GMER says the following:

GMER logfile:
Code:
GMER 1.0.14.14536 - hxxp://www.gmer.net
Rootkit scan 2010-08-08 22:42:06
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB82BAB30]
SSDT spkk.sys ZwCreateKey [0xB7EA80E0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB82BA6F0]
SSDT spkk.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spkk.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB82BA470]
SSDT spkk.sys ZwOpenKey [0xB7EA80C0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB82BAC50]
SSDT spkk.sys ZwQueryKey [0xB7EC7108]
SSDT spkk.sys ZwQueryValueKey [0xB7EC6F88]
SSDT spkk.sys ZwSetValueKey [0xB7EC719A]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB82BA990]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB82BA8D0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB82BAD60]

INT 0x62 ? 8A5CCBF8
INT 0x63 ? 8A2DEF00
INT 0x73 ? 8A55FBF8
INT 0x83 ? 8A55FBF8
INT 0xB1 ? 8A5CCBF8
INT 0xB1 ? 8A55FBF8
INT 0xB1 ? 8A55FBF8
INT 0xB4 ? 8A2DEF00

---- Kernel code sections - GMER 1.0.14 ----

? rfvttg.sys Das System kann die angegebene Datei nicht finden. !
? spkk.sys Das System kann die angegebene Datei nicht finden. !
.text acd3hc2y.SYS B7B40384 1 Byte [ 20 ]
.text acd3hc2y.SYS B7B40386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text acd3hc2y.SYS B7B403AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text acd3hc2y.SYS B7B403C4 3 Bytes [ 00, 00, 00 ]
.text acd3hc2y.SYS B7B403C9 1 Byte [ 00 ]
.text ...
.text USBPORT.SYS!DllUnload B7B208AC 5 Bytes JMP 8A2DE4E0
.text agki3jfh.SYS B71F3386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text agki3jfh.SYS B71F33AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text agki3jfh.SYS B71F33C4 3 Bytes [ 00, 70, 02 ]
.text agki3jfh.SYS B71F33C9 1 Byte [ 2E ]
.text agki3jfh.SYS B71F33CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...
.text tcpip.sys!IPTransmit + 10FC B4962D3A 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B4964690 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B497A454 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B82CD3FD 4 Bytes CALL B7CCFE30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B82CD402 2 Bytes [ 90, 90 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spkk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spkk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spkk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spkk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spkk.sys
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\acd3hc2y.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spkk.sys
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\agki3jfh.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) 
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) 
---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ 
C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.14 ---- Device \FileSystem\Ntfs \Ntfs 8A55B1F8 Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) 
Device \Driver\libusb0 \Device\libusb00001 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\libusb0 \Device\libusb00002 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\sptd \Device\2806207844 spkk.sys Device \Driver\libusb0 \Device\libusb00003 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\libusb0 \Device\libusb00004 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\usbohci \Device\USBPDO-0 8A2701F8 Device \Driver\usbohci \Device\USBPDO-0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A55D1F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A55D1F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A55D1F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A55D1F8 Device \Driver\usbehci \Device\USBPDO-1 8A2641F8 Device \Driver\usbehci \Device\USBPDO-1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\usbhub \Device\USBPDO-2 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\usbhub \Device\USBPDO-3 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) 
Device \Driver\usbhub \Device\USBPDO-5 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5CD1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis) Device \Driver\usbhub \Device\000000a3 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Cdrom \Device\CdRom0 8A2541F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5CD1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis) Device \Driver\HidUsb \Device\000000b0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\usbhub \Device\000000a4 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Cdrom \Device\CdRom1 8A2541F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5CD1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis) Device \Driver\HidUsb \Device\000000b1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Cdrom \Device\CdRom2 8A2541F8 Device \Driver\Ftdisk \Device\HarddiskVolume4 8A5CD1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis) Device \Driver\HidUsb \Device\000000b2 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\PCI_PNP9094 \Device\00000074 spkk.sys Device \Driver\Cdrom \Device\CdRom3 8A2541F8 Device \Driver\Ftdisk \Device\HarddiskVolume5 8A5CD1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis) Device \Driver\PCI_PNP9094 \Device\00000075 spkk.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{2AD7F161-852C-4CC4-B375-F5B658583059} 8900D500 Device \Driver\Cdrom \Device\CdRom4 8A2541F8 Device \Driver\Ftdisk \Device\HarddiskVolume6 8A5CD1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis) Device \Driver\usbccgp \Device\000000a8 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\PCI_PNP9094 
\Device\00000076 spkk.sys Device \Driver\Cdrom \Device\CdRom5 8A2541F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8900D500 Device \Driver\usbccgp \Device\000000a9 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Cdrom \Device\CdRom6 8A2541F8 Device \Driver\Cdrom \Device\CdRom7 8A2541F8 Device \Driver\NetBT \Device\NetbiosSmb 8900D500 Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) Device \Driver\USBSTOR \Device\000000aa 88EF4500 Device \Driver\USBSTOR \Device\000000aa USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\usbohci \Device\USBFDO-0 8A2701F8 Device \Driver\usbohci \Device\USBFDO-0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\usbehci \Device\USBFDO-1 8A2641F8 Device \Driver\usbehci \Device\USBFDO-1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88F231F8 Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) 
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88F231F8 Device \Driver\USBSTOR \Device\000000ae 88EF4500 Device \Driver\USBSTOR \Device\000000ae USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com) Device \Driver\Ftdisk \Device\FtControl 8A5CD1F8 Device \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target0Lun0 8A245500 Device \Driver\acd3hc2y \Device\Scsi\acd3hc2y1 8A5CA1F8 Device \Driver\acd3hc2y \Device\Scsi\acd3hc2y1Port6Path0Target0Lun0 8A5CA1F8 Device \Driver\nvgts \Device\Scsi\nvgts2Port4Path0Target0Lun0 8A55C1F8 Device \Driver\agki3jfh \Device\Scsi\agki3jfh1 8A245500 Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path1Target1Lun0 8A55C1F8 Device \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target2Lun0 8A245500 Device \Driver\nvgts \Device\Scsi\nvgts1 8A55C1F8 Device \Driver\nvgts \Device\Scsi\nvgts2 8A55C1F8 Device \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target3Lun0 8A245500 Device \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target1Lun0 8A245500 Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path0Target0Lun0 8A55C1F8 Device \Driver\sptd \Device\2806364094 spkk.sys Device \FileSystem\Cdfs \Cdfs 87EA71F8 ---- Services - GMER 1.0.14 ---- Service C:\Programme\NVIDIA (*** hidden *** ) [AUTO] nTuneService <-- ROOTKIT !!! ---- Registry - GMER 1.0.14 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1556605242 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -822666141 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7B 0x59 0x19 0x5D ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6F 0x64 0xFF 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x95 0x08 0x39 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xEF 0x7A 0x2A 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xF8 0xDD 0x37 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xC0 0x10 0x5C 0xB7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE8 0x9D 0x99 0x9A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x43 0xB8 0x40 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x02 0x54 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0C 0xEC 0xA8 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0C 0xEC 0xA8 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0xEC 0xA8 0xCE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laghfdgnoplmdoikmjlfckjj 0x64 0x62 0x61 0x6F ... 
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@maihobkjbcbjfgcbjgmmcjhmca 0x64 0x61 0x61 0x6F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laihobkjbcbjfgcbphcldgbn 0x64 0x62 0x61 0x6F ... ---- EOF - GMER 1.0.14 ---- ..der verdächtige Treiber und die Datei sind also weg ^^ Was kann ich jetzt noch tun, um ComboFix zum laufen zu bringen bzw. AVG loszuwerden? Leider sind immer noch jegliche Antivirenseiten unerreichbar, d.h. irgendwas hat überlebt. Habe mal die hosts Datei gecheckt, nichts aussergewöhnliches. Hoffe du verzeihst mir meine Eigeninitiative Gruss Pete |
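A triage script for a GMER log in the format posted above, added here as an example (it is not code from the thread or from GMER): it groups the SSDT and IAT hooks by the module that installed them, ties each module to the driver objects it owns, and lists hidden services, so that an unattributed hooking module such as spkk.sys can be followed to its driver. SAMPLE_LOG is a constructed excerpt of entries copied from the posted log; the names SAMPLE_LOG, parse_module and triage are this example's own.

```python
"""GMER rootkit-log triage (added example, not code from the thread or from GMER).

Parses the SSDT, IAT, Device and Service lines of a GMER 1.0.14 log, groups
hooks by the installing module and ties modules to the driver objects they own,
the question the posted log raises for spkk.sys. SAMPLE_LOG is a constructed
excerpt copied from that log; the forum copy collapsed GMER's double-space field
separators, so the parser normalises whitespace before matching.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
SSDT  \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)  ZwAllocateVirtualMemory [0xB82BAB30]
SSDT  spkk.sys  ZwCreateKey [0xB7EA80E0]
SSDT  spkk.sys  ZwEnumerateKey [0xB7EC6CA2]
SSDT  \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)  ZwTerminateProcess [0xB82BA8D0]
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spkk.sys
IAT  \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
Device  \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device  \Driver\sptd \Device\2806207844 spkk.sys
Device  \Driver\Ftdisk \Device\HarddiskVolume1 8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Service  C:\Programme\NVIDIA (*** hidden *** )  [AUTO] nTuneService  <-- ROOTKIT !!!
"""

SSDT_RE = re.compile(r"^SSDT (?P<module>.+?) (?P<func>Zw\w+) \[0x[0-9A-Fa-f]+\]$")
IAT_RE = re.compile(r"^IAT (?P<victim>.+?)\[(?P<import>[^\]]+)\] "
                    r"(?:\[[0-9A-Fa-f]+\] (?P<module>.+)|[0-9A-Fa-f]+)$")
DEVICE_RE = re.compile(r"^(?:Attached)?Device (?P<driver>\\\S+) \\\S+ (?P<owner>.+)$")
SERVICE_RE = re.compile(r"^Service (?P<path>.+?) \(\*\*\* hidden \*\*\* \) "
                        r"\[(?P<start>\w+)\] (?P<name>\S+)")
MODULE_RE = re.compile(r"^(?P<path>\S+)(?: \((?P<desc>[^)]*)\))?$")
ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # a bare kernel address, no module name


def parse_module(text):
    """Split 'path (description/vendor)' into (file name, vendor or None)."""
    m = MODULE_RE.match(text)
    if not m:
        return text, None
    desc = m["desc"]
    vendor = desc.split("/", 1)[1] if desc and "/" in desc else None
    return m["path"].rsplit("\\", 1)[-1], vendor


def triage(log_text):
    """Group hooks by the hooking module and list hidden services."""
    modules = defaultdict(lambda: {"vendor": None, "ssdt": [], "iat": [], "drivers": set()})

    def record(module_text):
        name, vendor = parse_module(module_text)
        entry = modules[name]
        entry["vendor"] = entry["vendor"] or vendor
        return entry

    hidden = []
    for raw in log_text.strip().splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace to one space
        if m := SSDT_RE.match(line):
            record(m["module"])["ssdt"].append(m["func"])
        elif (m := IAT_RE.match(line)) and m["module"]:
            # Unhooked IAT entries carry a bare value and no module; skip them.
            victim = m["victim"].rsplit("\\", 1)[-1]
            record(m["module"])["iat"].append((victim, m["import"]))
        elif (m := DEVICE_RE.match(line)) and not ADDRESS_RE.match(m["owner"]):
            record(m["owner"])["drivers"].add(m["driver"])
        elif m := SERVICE_RE.match(line):
            hidden.append((m["name"], m["path"], m["start"]))

    result = {n: dict(e, drivers=sorted(e["drivers"])) for n, e in modules.items()}
    return {
        "modules": result,
        "hidden_services": hidden,
        # Modules GMER could not attribute to a vendor are the ones to look up first.
        "unidentified": sorted(n for n, e in result.items() if e["vendor"] is None),
    }
```

On the sample, spkk.sys comes out as the only unattributed hooking module and is tied to \Driver\sptd, which the posted registry section associates with DAEMON Tools; the hidden-service entry is reported separately for manual verification.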
09.08.2010, 11:19 | #7 |
/// Malware-holic | Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connections
Try it again now. And you should give some thought to your security concept; if you infect yourself twice with the same malware, something is wrong there. |
21.08.2010, 20:01 | #8 |
| Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connections
hi, ComboFix doesn't work, no matter what I do. But I have a success to report: my system was in fact clean, but every day after gaming it was infected again. I then had all the affected files checked via VirusTotal and, lo and behold, the Warcraft III HP View Helper was a trojan downloader. Deleted it, and since then I've had no more problems. Thanks for your time. |