Trojaner-Board
Seite 2 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Antiviren-, Firewall- und andere Schutzprogramme (https://www.trojaner-board.de/antiviren-firewall-andere-schutzprogramme/)
-   -   Malwarebytes vs. Adaware ? (https://www.trojaner-board.de/79321-malwarebytes-vs-adaware.html)

nyrk 11.11.2009 14:54
zu den logs
 
Das sind jetzt alle logs, rsit leider in Teilen, da zu groß.

Ich bin erstaunt, dass sich jemand die Mühe macht, einem Fremden in solch einem Ausmaß zu helfen. Das Auswerten dieser mir großteils unverständlichen logs muss dich doch einige Zeit beanspruchen?

Umso mehr: vielen Dank, dass du dem Problem, das ich selbst ja gar nicht erkannt hätte, auf den Grund gehen möchtest!

nyrk 11.11.2009 14:56
Antivirus war deaktiviert, ebenso WLAN. Lediglich auf den Neustart zwischen rsit und gmer habe ich vergessen :(

Ich werde jetzt neu starten und dann laut deinen Anweisungen mit rootrepeal scannen.

nyrk 11.11.2009 15:11
Rootrepeal log
 
Code:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:                2009/11/11 15:09
Program Version:                Version 1.3.5.0
Windows Version:                Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5003000        Size: 49152        File Visible: No        Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF73C4000        Size: 323584        File Visible: No        Signed: -
Status: -

SSDT
-------------------
#: 002        Function Name: NtAccessCheckAndAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0f35

#: 003        Function Name: NtAccessCheckByType
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dac47

#: 004        Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0fbc

#: 005        Function Name: NtAccessCheckByTypeResultList
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063fcc4

#: 006        Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80641e55

#: 007        Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80641e9e

#: 009        Function Name: NtAddBootEntry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf

#: 010        Function Name: NtAdjustGroupsToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063f483

#: 011        Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0787

#: 012        Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86d0c650

#: 013        Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86d0c710

#: 014        Function Name: NtAllocateLocallyUniqueId
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805df8e8

#: 015        Function Name: NtAllocateUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062e442

#: 016        Function Name: NtAllocateUuids
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d8781

#: 017        Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x85f6a890

#: 018        Function Name: NtAreMappedFilesTheSame
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e7258

#: 019        Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85fddce0

#: 021        Function Name: NtCancelDeviceWakeupRequest
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb9b

#: 022        Function Name: NtCancelIoFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cc537

#: 026        Function Name: NtCloseObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0b65

#: 027        Function Name: NtCompactKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80655cf4

#: 028        Function Name: NtCompareTokens
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dfff3

#: 030        Function Name: NtCompressKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80655f61

#: 031        Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86e4bfb0

#: 033        Function Name: NtCreateDebugObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80661378

#: 036        Function Name: NtCreateEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650200

#: 038        Function Name: NtCreateIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805da662

#: 039        Function Name: NtCreateJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d5cd6

#: 040        Function Name: NtCreateJobSet
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80637c43

#: 041        Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293130

#: 042        Function Name: NtCreateMailslotFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d6e7f

#: 043        Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85fc2b28

#: 045        Function Name: NtCreatePagingFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b4823

#: 049        Function Name: NtCreateProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650837

#: 052        Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x85f63650

#: 053        Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85fefed8

#: 057        Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86c76e68

#: 058        Function Name: NtDebugContinue
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8066264b

#: 059        Function Name: NtDelayExecution
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056eb07

#: 060        Function Name: NtDeleteAtom
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dcc8b

#: 061        Function Name: NtDeleteBootEntry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb9b

#: 062        Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d54ac

#: 063        Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf42933b0

#: 064        Function Name: NtDeleteObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80641ef5

#: 065        Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293910

#: 067        Function Name: NtDisplayString
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b5cd8

#: 068        Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x85fe7630

#: 070        Function Name: NtEnumerateBootEntries
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf

#: 072        Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb87

#: 074        Function Name: NtExtendSection
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062d3f9

#: 075        Function Name: NtFilterToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ce473

#: 076        Function Name: NtFindAtom
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e26f2

#: 079        Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d93bb

#: 080        Function Name: NtFlushVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e8ab6

#: 081        Function Name: NtFlushWriteBuffer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062eca1

#: 082        Function Name: NtFreeUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062e7f7

#: 083        Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86c765c0

#: 085        Function Name: NtGetContextThread
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80635721

#: 086        Function Name: NtGetDevicePowerState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633bf7

#: 089        Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x85efcd50

#: 090        Function Name: NtImpersonateClientOfPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dfd66

#: 091        Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86d0c5d0

#: 093        Function Name: NtInitiatePowerAction
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806339c3

#: 094        Function Name: NtIsProcessInJob
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80637af7

#: 095        Function Name: NtIsSystemResumeAutomatic
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633bde

#: 097        Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86b83200

#: 098        Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ce7e5

#: 099        Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ce944

#: 100        Function Name: NtLockFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dd058

#: 101        Function Name: NtLockProductActivationKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cdce7

#: 102        Function Name: NtLockRegistryKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805c7155

#: 104        Function Name: NtMakePermanentObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e704c

#: 105        Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e7113

#: 106        Function Name: NtMapUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062da9e

#: 107        Function Name: NtMapUserPhysicalPagesScatter
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062def7

#: 108        Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86c764e0

#: 109        Function Name: NtModifyBootEntry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb9b

#: 110        Function Name: NtNotifyChangeDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dd2ef

#: 111        Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e218f

#: 112        Function Name: NtNotifyChangeMultipleKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e1fa1

#: 114        Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x85fc2a68

#: 115        Function Name: NtOpenEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806502f3

#: 117        Function Name: NtOpenIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806210b3

#: 118        Function Name: NtOpenJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80637e9b

#: 121        Function Name: NtOpenObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e9252

#: 122        Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85fe7a90

#: 123        Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x85f6a960

#: 125        Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x85fd2d90

#: 126        Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e71ca

#: 128        Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85fe7700

#: 131        Function Name: NtOpenTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650129

#: 135        Function Name: NtPrivilegeObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d88c7

#: 136        Function Name: NtPrivilegedServiceAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cd91a

#: 137        Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85fddbf0

#: 140        Function Name: NtQueryBootEntryOrder
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf

#: 141        Function Name: NtQueryBootOptions
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf

#: 147        Function Name: NtQueryEaFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621300

#: 153        Function Name: NtQueryInformationPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062b0a5

#: 158        Function Name: NtQueryIntervalProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650ce7

#: 159        Function Name: NtQueryIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621174

#: 161        Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806556d8

#: 162        Function Name: NtQueryMutant
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065066c

#: 164        Function Name: NtQueryOpenSubKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806558e1

#: 166        Function Name: NtQueryQuotaInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621bb7

#: 168        Function Name: NtQuerySecurityObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d9eab

#: 169        Function Name: NtQuerySemaphore
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f459

#: 171        Function Name: NtQuerySystemEnvironmentValue
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbd7

#: 172        Function Name: NtQuerySystemEnvironmentValueEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb73

#: 175        Function Name: NtQueryTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e3c32

#: 180        Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e3b8d

#: 182        Function Name: NtRaiseHardError
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f195

#: 184        Function Name: NtReadFileScatter
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062248f

#: 185        Function Name: NtReadRequestData
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e050e

#: 188        Function Name: NtReleaseMutant
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056eb72

#: 191        Function Name: NtRemoveProcessDebug
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806625c6

#: 192        Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80655b56

#: 193        Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806564b2

#: 197        Function Name: NtReplyWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062b184

#: 198        Function Name: NtRequestDeviceWakeup
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633b6b

#: 199        Function Name: NtRequestPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e94d0

#: 201        Function Name: NtRequestWakeupLatency
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633964

#: 204        Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80656049

#: 205        Function Name: NtResumeProcess
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063773a

#: 206        Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8600c7d8

#: 207        Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065614a

#: 208        Function Name: NtSaveKeyEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80656235

#: 209        Function Name: NtSaveMergedKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80656362

#: 211        Function Name: NtSetBootEntryOrder
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf

#: 212        Function Name: NtSetBootOptions
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbaf

#: 213        Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85f81758

#: 214        Function Name: NtSetDebugFilterState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80663fa8

#: 216        Function Name: NtSetDefaultLocale
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d6343

#: 217        Function Name: NtSetDefaultUILanguage
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d62ea

#: 218        Function Name: NtSetEaFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621847

#: 221        Function Name: NtSetHighEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806505f3

#: 222        Function Name: NtSetHighWaitLowEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650513

#: 223        Function Name: NtSetInformationDebugObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80661f67

#: 225        Function Name: NtSetInformationJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d5e2a

#: 226        Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065523b

#: 228        Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x85f953b0

#: 231        Function Name: NtSetIntervalProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650813

#: 233        Function Name: NtSetLdtEntries
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80636653

#: 234        Function Name: NtSetLowEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650587

#: 235        Function Name: NtSetLowWaitHighEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065049f

#: 236        Function Name: NtSetQuotaInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80621b8f

#: 237        Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d9cac

#: 238        Function Name: NtSetSystemEnvironmentValue
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fe74

#: 239        Function Name: NtSetSystemEnvironmentValueEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fb73

#: 240        Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x86c76fd0

#: 242        Function Name: NtSetSystemTime
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ee49

#: 243        Function Name: NtSetThreadExecutionState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805eb0b7

#: 245        Function Name: NtSetTimerResolution
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805eb37e

#: 246        Function Name: NtSetUuidSeed
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cdac6

#: 247        Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4293b60

#: 248        Function Name: NtSetVolumeInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806220cd

#: 249        Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e597

#: 251        Function Name: NtStartProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650a7e

#: 252        Function Name: NtStopProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650c37

#: 253        Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85fc2988

#: 254        Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85f815d8

#: 255        Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650d97

#: 256        Function Name: NtTerminateJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063800d

#: 257        Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85fe7ba8

#: 258        Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85f81698

#: 261        Function Name: NtTranslateFilePath
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064fbc3

#: 262        Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80624780

#: 263        Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80654db2

#: 264        Function Name: NtUnloadKeyEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80654fdb

#: 265        Function Name: NtUnlockFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dd1b8

#: 266        Function Name: NtUnlockVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062ed15

#: 267        Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x85f95480

#: 269        Function Name: NtWaitForDebugEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80661cb2

#: 270        Function Name: NtWaitForMultipleObjects
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056ec4d

#: 272        Function Name: NtWaitHighEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80650433

#: 273        Function Name: NtWaitLowEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806503c7

#: 275        Function Name: NtWriteFileGather
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805cc824

#: 276        Function Name: NtWriteRequestData
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e0592

#: 277        Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86c76690

#: 279        Function Name: NtCreateKeyedEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805c291a

#: 281        Function Name: NtReleaseKeyedEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065120b

#: 282        Function Name: NtWaitForKeyedEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80651476

#: 283        Function Name: NtQueryPortInformationProcess
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80634f55

Shadow SSDT
-------------------
#: 307        Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x85fcfd00

#: 383        Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86a5b560

#: 414        Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86a3a050

#: 416        Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x86a8e050

#: 428        Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x86b7e4a0

#: 460        Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86b86350

#: 475        Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x86a42240

#: 476        Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x86bb98e8

#: 549        Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86c99a30

#: 552        Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x86de8608

==EOF==

nyrk 11.11.2009 15:12
Systemlook log folgt nach Neustart! :dankeschoen:

nyrk 11.11.2009 15:27
Systemlook log
 
Code:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:19 on 11/11/2009 by Alex (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys        -----c 95360 bytes        [10:13 01/04/2009]        [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_        -ra--- 49558 bytes        [14:20 16/03/2006]        [12:00 10/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ServicePackFiles\i386\atapi.sys        ------ 96512 bytes        [18:40 13/04/2008]        [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys        --a--- 96512 bytes        [22:59 03/08/2004]        [18:40 13/04/2008] 96522988E7AE6BC2311BAAD4C84EC299
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys        --a--- 95360 bytes        [16:20 16/03/2006]        [12:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys        --a--- 95360 bytes        [16:20 16/03/2006]        [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

Larusso 11.11.2009 15:32
Okay, Rootkit infektion :(

Was spricht gegen ein neu aufsetzen ?

nyrk 11.11.2009 15:35
Aufsetzen
 
Nein, es spricht an sich nichts dagegen, ich spiele auch schon mit dem Gedanken, weil mein Sony Vaio schon recht langsam ist. Bisher habe ich immer die recovery utility verwendet, die dabei ist.
Ist die "recovery" gleichbedeutend mit neu aufsetzen, oder sollte ich komplett formatieren?

Vielleicht lege ich mir nach ca. 5 Jahren auch wieder einen neuen Laptop zu, dann würde ich diesen Vaio, der sonst noch recht gut ist, gerne meinem Vater als Zweitcomputer schenken, und das wenn möglich virenfrei. Also werde ich um das Neuaufsetzen nicht herumkommen, sei es nun durch recovery oder Formatieren (?).

Siehst du, welche Gefahren dieses Rootkit birgt? Gibt es kein Tool, das es entfernen könnte?

Danke, danke, danke !!!

Larusso 11.11.2009 15:47
Ja kann ich entfernen.

Aber formatieren wäre sicherer ;)

nyrk 11.11.2009 15:51
Ok, dann werde ich das asap machen!

Gibt es eine verlässliche Möglichkeit, sich gegen solche rootkits zu schützen?
Mein AV hat es nicht bemerkt, ebensowenig wie Malwarebytes. Wer weiß, wie lange ich das schon mit herumschleppe :(


Danke für deine Hilfe. Was bin ich schuldig? :daumenhoc

Larusso 11.11.2009 15:57
Also Format C: :daumenhoc

Was du mir schuldest? 10000000000 € :uglyhammer:
Natürlich nichts :)

Schutz vor solch Sachen beginnt damit, mit etwas Hirn zu surfen :)
Nicht immer auf alles klicken, wo Klick mich steht.

nyrk 11.11.2009 17:46
Danke, Larusso!

Ich habe nun bereits ein Backup des Großteils meiner Daten erstellt und werde dann formatieren.

Mich würde interessieren, woran du die rootkits erkannt hast? U.a. daran, dass gewisse Prozesse by "unknown" hooked sind?

Ich würde mir auch gern ein profundes Verständnis für diese Dinge aneignen - zum Selbstschutz, aber auch, um anderen (zuerst einmal im Freundes- und Familienkreis) bei Bedarf helfen zu können. Woher hast du dein Wissen zu Malware? Einfach "learning by doing" ? Bücher, websites?

Ich spreche zwar keinerlei Programmiersprache, noch verstehe ich, was hinter den Anwendungen steht, doch ich sitze schon recht viel am Computer und helfe hie und da anderen bei - ganz offensichtlich weniger gravierenden - Problemchen.
Dass ich unvorsichtig gesurft sein könnte und mir dabei etwas eingefangen habe, überrascht mich, da ich meines Wissens nie Seiten aufrufe oder Links folge, die ich überhaupt nicht kenne.
Aber um das "Kennen" zu beurteilen braucht es vermutlich mehr als die Laienkenntnisse eines heavy users, der aber kein heavy knower ist. :P

Würde mich freuen, wenn du mich noch - ohne großen Aufwand für dich - auf einen "Pfad der Erleuchtung" stupsen könntest :)

Liebe Grüße aus Wien
Alex

Larusso 11.11.2009 23:33
Hallo Alex

Das Helfen bei Malware Problemen kann man lernen :)
Es gibt dazu eigene "Schulen", aber dafür benötigt es viel Zeit und vor allem den Willen es zu lernen.
Thats not easy.
Vorkenntnisse im Umgang mit einem PC sind zwar vom Vorteil, jedoch nicht Pflicht.
Ich fing damit an, als ich 2 Tage mit einem PC zu tun hatte ;)

Vorzuziehen sind english sprachige Schulen
Unite
aber es gibt auch eine deutschsprachige Schule.
HijackThis.de

Bitte sei Dir (und alle Mitleser) dabei eins im klaren.
Es erfordert sehr viel Zeit und Geduld.
Wenn Du/ Ihr schon jetzt weist/ wiss, dass Deine/ Eure Freizeit schon verplant ist, bitte ich Dich/ Euch nicht zu bewerben :)


Alle Zeitangaben in WEZ +1. Es ist jetzt 04:20 Uhr.
Seite 2 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55