Tr/Agent.atw.1 and TR/Drop.Renos.C.4 (Windows 7)
#11
Tr/Agent.atw.1 and TR/Drop.Renos.C.4

Hey. That ran for over an hour now. To be honest, I've now aborted it as well. Does it really take that long? Here are the results for now. GMER logfile:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-23 23:21:06
Windows 6.1.7600
Running: kqfpwcc0.exe; Driver: C:\Users\Sara\AppData\Local\Temp\kgtdypow.sys
---- System - GMER 1.0.15 ----
SSDT 805936EC ZwCreateThread
SSDT 805936D8 ZwOpenProcess
SSDT 805936DD ZwOpenThread
SSDT 805936E7 ZwTerminateProcess
INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys 979B916D
INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys 979B8FC2
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E082D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E07898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E201A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E7F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82EAB85C 4 Bytes [EC, 36, 59, 80]
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82EAB9F8 4 Bytes [D8, 36, 59, 80]
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82EABA18 4 Bytes [DD, 36, 59, 80]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82EABCC8 4 Bytes [E7, 36, 59, 80]
? System32\drivers\gnkq.sys Das System kann den angegebenen Pfad nicht finden. !
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9A820400, 0x87EE2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9A8C4620] C:\Windows\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9A8C4620]
.protectÿÿÿÿhardlockunknown last code section [0x9A8C4400, 0x5126, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x9A8C4400, 0x5126, 0xE0000020]
.text peauth.sys 9A933C9D 28 Bytes [C4, 67, A8, 59, B9, 67, 20, ...]
.text peauth.sys 9A933CC1 28 Bytes [C4, 67, A8, 59, B9, 67, 20, ...]
PAGE peauth.sys 9A939B9B 72 Bytes [09, 92, 93, 8B, E3, 05, 52, ...]
PAGE peauth.sys 9A939BEC 111 Bytes [D9, 21, E6, 3C, 79, 7C, FD, ...]
PAGE peauth.sys 9A939E20 101 Bytes [C9, 6E, E2, 32, C4, BA, 5D, ...]
PAGE ...
C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0x9781F41C]
.clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0x97820000, 0x1000, 0xE0000020]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74542494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74525624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7454250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74538573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74534D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [745366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74538819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7453907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7453E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74534C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [00DE1D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [00DE27E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2400] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00DE11D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\System32\rundll32.exe[3764] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3764] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3764] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3764] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----