GoodFella | 08.08.2010 16:22 | Suspected rootkit, antivirus vendor sites are blocked, constant svchost.exe connects
Hi,
after all these years I have probably caught a trojan again, and I need your help to get rid of it.
System: Win XP SP3, Sygate Personal Firewall
Symptoms:
- No antivirus sites reachable in the browser (Firefox), including www.kaspersky.com, www.bitdefender.de, etc.; even hxxp://www.virustotal.com/ and hxxp://virusscan.jotti.org/ are blocked, i.e. "address not found"
- Every now and then connection attempts to various seemingly random IPs
- Generally a bit sluggish
What I have done:
- HijackThis:
HijackThis logfile: Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:45, on 08.08.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Programme\Sygate\SPF\Smc.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\System32\svchost.exe
C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\V0230Mon.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\gmer\gmer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home/Home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINXP\V0230Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Jana Server 2 (Janad) - Thomas Hauck, Privat - C:\Programme\Jana2\Janad.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: MagicTuneEngine - Unknown owner - C:\Programme\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\Smc.exe
O23 - Service: Messenger USN Journal Reader-Service für freigegebene Ordner (usnjsvc) - Unknown owner - C:\Programme\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Creative VF0230 RunApp Service (VF0230Srv) - Creative Technology Ltd. - C:\WINXP\system32\V0230Srv.exe
--
End of file - 3748 bytes
..but in my opinion it is clean.
- GMER:
GMER logfile: Code:
GMER 1.0.14.14536 - hxxp://www.gmer.net
Rootkit scan 2010-08-08 17:16:53
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB7141B30]
SSDT spjx.sys ZwCreateKey [0xB7EA80E0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB71416F0]
SSDT spjx.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spjx.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB7141470]
SSDT spjx.sys ZwOpenKey [0xB7EA80C0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB7141C50]
SSDT spjx.sys ZwQueryKey [0xB7EC7108]
SSDT spjx.sys ZwQueryValueKey [0xB7EC6F88]
SSDT spjx.sys ZwSetValueKey [0xB7EC719A]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB7141990]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB71418D0]
SSDT \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB7141D60]
INT 0x62 ? 8A55CBF8
INT 0x63 ? 8A2DEF00
INT 0x73 ? 8A5CFBF8
INT 0x83 ? 8A5CFBF8
INT 0xB1 ? 8A55CBF8
INT 0xB1 ? 8A5CFBF8
INT 0xB1 ? 8A5CFBF8
INT 0xB4 ? 8A2DEF00
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!KeDelayExecutionThread + 2 804FA86C 5 Bytes JMP B3666AE0 \SystemRoot\System32\Drivers\rkhdrv10.SYS
PAGE ntkrnlpa.exe!NtOpenProcess + 5 805CB401 5 Bytes JMP B3666A80 \SystemRoot\System32\Drivers\rkhdrv10.SYS
? spjx.sys Das System kann die angegebene Datei nicht finden. !
.text af6c9tcs.SYS B7B40384 1 Byte [ 20 ]
.text af6c9tcs.SYS B7B40386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text af6c9tcs.SYS B7B403AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text af6c9tcs.SYS B7B403C4 3 Bytes [ 00, 00, 00 ]
.text af6c9tcs.SYS B7B403C9 1 Byte [ 00 ]
.text ...
.text USBPORT.SYS!DllUnload B7B208AC 5 Bytes JMP 8A2DE4E0
.text a9tkk9gu.SYS B71F3386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a9tkk9gu.SYS B71F33AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a9tkk9gu.SYS B71F33C4 3 Bytes [ 00, 70, 02 ]
.text a9tkk9gu.SYS B71F33C9 1 Byte [ 2E ]
.text a9tkk9gu.SYS B71F33CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...
.text tcpip.sys!IPTransmit + 10FC B4962D3A 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B4964690 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B497A454 6 Bytes CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B71343FD 7 Bytes CALL B7CCFE30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
? C:\WINXP\system32\2.tmp Das System kann die angegebene Datei nicht finden. !
---- User code sections - GMER 1.0.14 ----
.text C:\WINXP\System32\svchost.exe[1336] ntdll.dll!NtQueryInformationProcess 7C91D7E0 5 Bytes JMP 01959DB4
.text C:\WINXP\System32\svchost.exe[1336] NETAPI32.dll!NetpwPathCanonicalize 597DA3A9 5 Bytes JMP 01959D54
.text C:\WINXP\system32\svchost.exe[1512] ntdll.dll!NtQueryInformationProcess 7C91D7E0 5 Bytes JMP 00819DB4
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spjx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spjx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spjx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spjx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spjx.sys
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\af6c9tcs.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spjx.sys
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\a9tkk9gu.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8A5CB1F8
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\libusb0 \Device\libusb00001 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\libusb0 \Device\libusb00002 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\libusb0 \Device\libusb00003 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\libusb0 \Device\libusb00004 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbohci \Device\USBPDO-0 8A2D5500
Device \Driver\usbohci \Device\USBPDO-0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbehci \Device\USBPDO-1 8A3081F8
Device \Driver\usbehci \Device\USBPDO-1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5CD1F8
Device \Driver\usbhub \Device\USBPDO-2 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbhub \Device\USBPDO-3 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbhub \Device\USBPDO-5 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbhub \Device\000000a2 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\sptd \Device\4154638052 spjx.sys
Device \Driver\usbhub \Device\000000a3 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom0 8A26C500
Device \Driver\HidUsb \Device\000000b0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom1 8A26C500
Device \Driver\PCI_PNP9302 \Device\00000073 spjx.sys
Device \Driver\HidUsb \Device\000000b1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom2 8A26C500
Device \Driver\PCI_PNP9302 \Device\00000074 spjx.sys
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom3 8A26C500
Device \Driver\PCI_PNP9302 \Device\00000075 spjx.sys
Device \Driver\usbccgp \Device\000000a7 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\NetBT \Device\NetBT_Tcpip_{2AD7F161-852C-4CC4-B375-F5B658583059} 89CAB390
Device \Driver\Ftdisk \Device\HarddiskVolume6 8A55D1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom4 8A26C500
Device \Driver\usbccgp \Device\000000a8 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Cdrom \Device\CdRom5 8A26C500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89CAB390
Device \Driver\USBSTOR \Device\000000a9 89F0C1F8
Device \Driver\USBSTOR \Device\000000a9 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Cdrom \Device\CdRom6 8A26C500
Device \Driver\Cdrom \Device\CdRom7 8A26C500
Device \Driver\NetBT \Device\NetbiosSmb 89CAB390
Device \Driver\sptd \Device\4154794302 spjx.sys
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbohci \Device\USBFDO-0 8A2D5500
Device \Driver\usbohci \Device\USBFDO-0 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\usbehci \Device\USBFDO-1 8A3081F8
Device \Driver\usbehci \Device\USBFDO-1 USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88F251F8
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\USBSTOR \Device\000000ad 89F0C1F8
Device \Driver\USBSTOR \Device\000000ad USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88F251F8
Device \Driver\HidUsb \Device\000000af USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device \Driver\Ftdisk \Device\FtControl 8A55D1F8
Device \Driver\af6c9tcs \Device\Scsi\af6c9tcs1Port6Path0Target0Lun0 8A2D6500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1 8A246500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target2Lun0 8A246500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target0Lun0 8A246500
Device \Driver\nvgts \Device\Scsi\nvgts2Port4Path0Target0Lun0 8A5CC1F8
Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path1Target1Lun0 8A5CC1F8
Device \Driver\nvgts \Device\Scsi\nvgts1 8A5CC1F8
Device \Driver\nvgts \Device\Scsi\nvgts2 8A5CC1F8
Device \Driver\af6c9tcs \Device\Scsi\af6c9tcs1 8A2D6500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target1Lun0 8A246500
Device \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target3Lun0 8A246500
Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path0Target0Lun0 8A5CC1F8
Device \FileSystem\Cdfs \Cdfs 87E861F8
---- Services - GMER 1.0.14 ----
Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] fwatk <-- ROOTKIT !!!
Service C:\Programme\NVIDIA (*** hidden *** ) [AUTO] nTuneService <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@DisplayName Windows Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Description Erstellt eine Verbindung zu einem Remotenetzwerk, wenn ein Programm eine Remote-DNS- oder -NetBIOS-Adresse referenziert.
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll C:\WINXP\system32\dgmqdvl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1556605242
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -822666141
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7B 0x59 0x19 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6F 0x64 0xFF 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x95 0x08 0x39 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xEF 0x7A 0x2A 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xF8 0xDD 0x37 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xC0 0x10 0x5C 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE8 0x9D 0x99 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x43 0xB8 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x02 0x54 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0C 0xEC 0xA8 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0C 0xEC 0xA8 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0xEC 0xA8 0xCE ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laghfdgnoplmdoikmjlfckjj 0x64 0x62 0x61 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@maihobkjbcbjfgcbjgmmcjhmca 0x64 0x61 0x61 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laihobkjbcbjfgcbphcldgbn 0x64 0x62 0x61 0x6F ...
---- EOF - GMER 1.0.14 ----
The following entries were highlighted in red: Quote:
---- Services - GMER 1.0.14 ----
Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] fwatk <-- ROOTKIT !!!
Service C:\Programme\NVIDIA (*** hidden *** ) [AUTO] nTuneService <-- ROOTKIT !!!
One of them is the graphics driver, the other one worries me. I uploaded svchost.exe to hxxp://www.virscan.org/ (which luckily is not blocked): no infection.
So the problem probably lies here: Quote:
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@DisplayName Windows Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Description Erstellt eine Verbindung zu einem Remotenetzwerk, wenn ein Programm eine Remote-DNS- oder -NetBIOS-Adresse referenziert.
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll C:\WINXP\system32\dgmqdvl.dll
I tried to delete the fwatk key with regedit, unfortunately without success,
and the file "dgmqdvl.dll" cannot be found either.
How should I proceed?
Regards
Pete
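The pattern in the log above (a service registered under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath is svchost.exe -k netsvcs, whose ServiceDll is an unknown DLL in system32 that cannot be found, and which GMER reports as hidden) is what an offline triage pass over a GMER log should pull out automatically. The Python below is an added example, not code from the original post or from GMER: its sample log is constructed from the lines quoted in the post plus a hypothetical, ordinary Dnscache entry for contrast, KNOWN_SERVICE_DLLS is a short placeholder baseline rather than a complete list, and the file_exists predicate stands in for a real os.path.exists check on the affected machine.

```python
"""Triage helper for GMER output: find svchost-hosted services whose
registration looks planted. Added example, not part of the original post."""
import re
from collections import defaultdict

# Constructed sample: the two "hidden" service lines and the fwatk registry
# block quoted in the post, plus a hypothetical, ordinary Dnscache entry so
# the heuristics have something benign to pass.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.14 ----
Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] fwatk <-- ROOTKIT !!!
Service C:\Programme\NVIDIA (*** hidden *** ) [AUTO] nTuneService <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@DisplayName Windows Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll C:\WINXP\system32\dgmqdvl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache@ImagePath %SystemRoot%\system32\svchost.exe -k NetworkService
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters@ServiceDll %SystemRoot%\System32\dnsrslvr.dll
"""

# Placeholder baseline of ServiceDll names that legitimately run inside
# svchost on XP; a real triage uses a full list taken from a known-clean box.
KNOWN_SERVICE_DLLS = {
    "dnsrslvr.dll", "rasauto.dll", "wuauserv.dll", "browser.dll",
    "srvsvc.dll", "wkssvc.dll", "schedsvc.dll", "cryptsvc.dll",
}

REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
    r"(?P<svc>[^\\@\s]+)(?P<sub>(?:\\[^\\@\s]+)*)@(?P<val>\w+)\s*(?P<data>.*)$")
HIDDEN_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<svc>\S+)")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)


def parse_gmer(log_text):
    """Collect per-service registry values and the set GMER reports as hidden."""
    services = defaultdict(dict)
    hidden = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m["svc"]] = m["image"]
            continue
        m = REG_RE.match(line)
        # Keep the service key itself and its Parameters subkey; ignore
        # deeper vendor subtrees such as sptd\Cfg\...
        if m and m["sub"] in ("", r"\Parameters"):
            services[m["svc"]][m["val"]] = m["data"].strip()
    return dict(services), hidden


def triage(log_text, file_exists=None):
    """Return {service_name: [reasons]} for services that deserve a look.

    file_exists: predicate applied to each ServiceDll path. On the affected
    machine pass lambda p: os.path.exists(os.path.expandvars(p)); a DLL that
    a running service loads but that cannot be found is itself a finding.
    """
    services, hidden = parse_gmer(log_text)
    findings = {}
    for name in sorted(set(services) | set(hidden)):
        entry = services.get(name, {})
        reasons = []
        if name in hidden:
            reasons.append("hidden from the service API but present in the registry")
        host = SVCHOST_RE.search(entry.get("ImagePath", ""))
        if host:
            group = host["group"]
            dll = entry.get("ServiceDll")
            if not dll:
                reasons.append(f"runs as svchost -k {group} without a ServiceDll")
            else:
                base = dll.rsplit("\\", 1)[-1].lower()
                if base not in KNOWN_SERVICE_DLLS:
                    reasons.append(f"ServiceDll {base} not in the known-good list (group {group})")
                if file_exists is not None and not file_exists(dll):
                    reasons.append(f"ServiceDll {dll} not found on disk")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Simulate the post: dgmqdvl.dll cannot be found, everything else can.
    result = triage(SAMPLE_GMER_LOG,
                    file_exists=lambda p: not p.lower().endswith("dgmqdvl.dll"))
    for svc, reasons in result.items():
        print(f"{svc}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the real gmer.log on the affected machine, the script lists fwatk with three reasons (hidden, unknown ServiceDll, DLL not on disk) and nTuneService with only the "hidden" reason, which matches the poster's own reading that the NVIDIA entry is the harmless one. A service that is marked hidden and whose DLL a running svchost must have loaded but that cannot be found from Explorer is a sign that the entries are being concealed from user-mode tools, not that they are absent, so an offline scan (boot CD or the disk attached to a clean machine) is the next step before trusting any deletion done from inside the running system.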