Habe Non-Stop Traffic!

#16

Zitat

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 20:02:08
Windows 6.1.7600
Running: fic5sve1.exe; Driver: C:\Users\BENUTZ~1\AppData\Local\Temp\agkiakog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C213F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C09FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C211DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C216F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C21F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C221A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C81579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 9CA94C9D 28 Bytes [D5, AD, 6F, C0, C0, 95, 8F, ...]
.text peauth.sys 9CA94CC1 28 Bytes [D5, AD, 6F, C0, C0, 95, 8F, ...]
PAGE peauth.sys 9CA9B02C 102 Bytes [56, FB, 4D, C3, 87, 54, C3, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FC250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FC2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FA5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FA56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FB8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FB4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FB50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FB51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73FB66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FB82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FB8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FB907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FBE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FB4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011670b4ade
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0xF5 0x0E 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011670b4ade (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0xF5 0x0E 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL BED8F194AACB576400B5CF12A1178B1F04E766816DA82CA5F79F85E742A313A2C75CD53DC9D7675D51D7A919A1CDF1D2ABBD4FAB612A7696EFB0F411B7E0A60AA3A625E9962D9CDEA813C548686BEAEE4058B66ADDB43D591C99734BCDCD050202C9477A906D35CA7D9B1D4D0E4896B125B54A583770A1ABE8BC7CBCAB8AED6476ABAE425D4C3438ADFDAFC9D0CA588E9FA23904611C07FDA34D9280A2CA6A3EF706CB8AC392E2707718835290F1D7AD57C5B9EEF60B9774FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452A6A0AC4980AC7933FEBC9E127BECC74CD655575125D05F32F1BA6A0DD84A66A9A5799BC808A7558284A25DA4E712C3335F921D6CF2FD3B7612260D19EE8A902FCAC3979D0434D31CF2B54D00725350DE224EEFC7BF6D9BCD1CE484BB8C552F1AE71E7F6B669B9D4270FE770FB8D04AD9B55E6BB143143F1911131C2DA473844908076FF9F99D146F2E06E9C680605459166D306B597C2B6BD5A0A51D4E44154C99D48A032C8B5E51C423378EB1E756C825FA62A705C3260CB5D1F4ABC13B2B676FAE7436914E65C7AF05F6C2D6657AC5A65928926A1A3D775B3CE3EFDC5CD114BE93D8B76062D8EACDACC33222E8B02443AF2EC6D0C5415BD94F4DF3A3425BFDA252E49C73D42A8
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Tools\Install\Media Player Classic \x2013 Home Cinema v1.3.1249.0\Media Player Classic \x2013 Home Cinema v1.3.1249.0.exe 1

---- EOF - GMER 1.0.15 ----

__________
AMD Phenom II X3 720 BE (Noctua NH-U12P) - GigaByte GA-MA790FXT-UD5P - 2GB Corsair DDR3 1333Mhz - 250GB SATAII 16MB - EVGA 9800GTX+ SSC - Audigy2 ZS - Enermax MODU82+ 625W

#17 Der Rootkit ist immernoch da:

Zitat

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3599
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19.01.2010 20:12:35
mbam-log-2010-01-19 (20-12-30).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 105907
Laufzeit: 3 minute(s), 2 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\System32\drivers\tmdoszlk.sys (Rootkit.Agent) -> No action taken.

__________
AMD Phenom II X3 720 BE (Noctua NH-U12P) - GigaByte GA-MA790FXT-UD5P - 2GB Corsair DDR3 1333Mhz - 250GB SATAII 16MB - EVGA 9800GTX+ SSC - Audigy2 ZS - Enermax MODU82+ 625W

#18 http://board.protecus.de/t29351.htm
bitte im abgesicherten modus ausführen, programm einstellen wie beschrieben, heuristik aktiev lassen, bei log alles abhaken, die funde sind nur interessant und die zusammenfassung.