stopfkopf | 12.06.2008 23:22 | Here is also the log from rootkit Code:
HKU\.DEFAULT\Control Panel\International 11.06.2008 18:10 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 11.06.2008 18:10 0 bytes Security mismatch.
HKU\S-1-5-21-73586283-1580818891-725345543-1003\Control Panel\International 11.06.2008 18:10 0 bytes Security mismatch.
HKU\S-1-5-21-73586283-1580818891-725345543-1003\Control Panel\International\Geo 11.06.2008 18:10 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 11.06.2008 18:10 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 11.06.2008 18:10 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 08.04.2006 18:41 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 08.04.2006 18:41 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 22.08.2006 17:16 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch 13.06.2008 00:14 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 16.04.2006 19:25 0 bytes Access is denied.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll 09.05.2008 20:48 252.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll 09.05.2008 20:48 111.50 KB Visible in Windows API, but not in MFT or directory index.
Here is the log from catchme as well Code:
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 23:54:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:4ea6ff8a
"s1"=dword:8e7a24fc
"s2"=dword:60d94b1b
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="f:\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:44,48,39,37,ec,7b,37,61,38,78,b8,93,5d,39,43,c9,15,da,31,94,cd,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b0,0b,88,93,b1,8a,56,4b,78,ac,fb,8f,24,7b,dd,4d,26,..
"khjeh"=hex:4f,de,b4,02,12,24,81,5b,2b,6d,bb,7a,50,30,5a,ae,8f,01,6d,b0,4d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:29,e8,96,95,17,c3,96,e1,9a,f2,9e,55,a7,09,8b,6f,db,e1,a2,ae,9a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e9,81,53,fd,d2,7a,b6,a5,5d,95,df,fa,45,40,0c,72,b9,36,44,63,22,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="f:\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:44,48,39,37,ec,7b,37,61,38,78,b8,93,5d,39,43,c9,15,da,31,94,cd,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b0,0b,88,93,b1,8a,56,4b,78,ac,fb,8f,24,7b,dd,4d,26,..
"khjeh"=hex:4f,de,b4,02,12,24,81,5b,2b,6d,bb,7a,50,30,5a,ae,8f,01,6d,b0,4d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:29,e8,96,95,17,c3,96,e1,9a,f2,9e,55,a7,09,8b,6f,db,e1,a2,ae,9a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e9,81,53,fd,d2,7a,b6,a5,5d,95,df,fa,45,40,0c,72,b9,36,44,63,22,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
I cannot put my gratitude into words if everything is now in order with my system again. |