Habe Non-Stop Traffic!

#0
19.01.2010, 20:03
Member

Themenstarter

Beiträge: 38
#16

Zitat

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 20:02:08
Windows 6.1.7600
Running: fic5sve1.exe; Driver: C:\Users\BENUTZ~1\AppData\Local\Temp\agkiakog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C213F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C09FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C211DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C216F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C221A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C81579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 9CA94C9D 28 Bytes [D5, AD, 6F, C0, C0, 95, 8F, ...]
.text peauth.sys 9CA94CC1 28 Bytes [D5, AD, 6F, C0, C0, 95, 8F, ...]
PAGE peauth.sys 9CA9B02C 102 Bytes [56, FB, 4D, C3, 87, 54, C3, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FC250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FC2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FA5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FA56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FB8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FB4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FB50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FB51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73FB66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FB82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FB8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FB907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FBE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FB4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011670b4ade
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0xF5 0x0E 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011670b4ade (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0xF5 0x0E 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL BED8F194AACB576400B5CF12A1178B1F04E766816DA82CA5F79F85E742A313A2C75CD53DC9D7675D51D7A919A1CDF1D2ABBD4FAB612A7696EFB0F411B7E0A60AA3A625E9962D9CDEA813C548686BEAEE4058B66ADDB43D591C99734BCDCD050202C9477A906D35CA7D9B1D4D0E4896B125B54A583770A1ABE8BC7CBCAB8AED6476ABAE425D4C3438ADFDAFC9D0CA588E9FA23904611C07FDA34D9280A2CA6A3EF706CB8AC392E2707718835290F1D7AD57C5B9EEF60B9774FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452A6A0AC4980AC7933FEBC9E127BECC74CD655575125D05F32F1BA6A0DD84A66A9A5799BC808A7558284A25DA4E712C3335F921D6CF2FD3B7612260D19EE8A902FCAC3979D0434D31CF2B54D00725350DE224EEFC7BF6D9BCD1CE484BB8C552F1AE71E7F6B669B9D4270FE770FB8D04AD9B55E6BB143143F1911131C2DA473844908076FF9F99D146F2E06E9C680605459166D306B597C2B6BD5A0A51D4E44154C99D48A032C8B5E51C423378EB1E756C825FA62A705C3260CB5D1F4ABC13B2B676FAE7436914E65C7AF05F6C2D6657AC5A65928926A1A3D775B3CE3EFDC5CD114BE93D8B76062D8EACDACC33222E8B02443AF2EC6D0C5415BD94F4DF3A3425BFDA252E49C73D42A8
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Tools\Install\Media Player Classic \x2013 Home Cinema v1.3.1249.0\Media Player Classic \x2013 Home Cinema v1.3.1249.0.exe 1

---- EOF - GMER 1.0.15 ----

__________
AMD Phenom II X3 720 BE (Noctua NH-U12P) - GigaByte GA-MA790FXT-UD5P - 2GB Corsair DDR3 1333Mhz - 250GB SATAII 16MB - EVGA 9800GTX+ SSC - Audigy2 ZS - Enermax MODU82+ 625W
Seitenanfang Seitenende
19.01.2010, 20:13
Member

Themenstarter

Beiträge: 38
#17 Der Rootkit ist immernoch da:

Zitat

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3599
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19.01.2010 20:12:35
mbam-log-2010-01-19 (20-12-30).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 105907
Laufzeit: 3 minute(s), 2 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\System32\drivers\tmdoszlk.sys (Rootkit.Agent) -> No action taken.

__________
AMD Phenom II X3 720 BE (Noctua NH-U12P) - GigaByte GA-MA790FXT-UD5P - 2GB Corsair DDR3 1333Mhz - 250GB SATAII 16MB - EVGA 9800GTX+ SSC - Audigy2 ZS - Enermax MODU82+ 625W
Seitenanfang Seitenende
19.01.2010, 20:23
Member

Beiträge: 3716
#18 http://board.protecus.de/t29351.htm
bitte im abgesicherten modus ausführen, programm einstellen wie beschrieben, heuristik aktiev lassen, bei log alles abhaken, die funde sind nur interessant und die zusammenfassung.
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: