Pests of all kinds and how to fight them: Rootkits or Trojans on the computer?
16.11.2008, 11:03 | #1
Rootkits or Trojans on the computer?

Hello,
I need help. My laptop has Windows XP Prof. (software and keyboard in English) with SP3 installed. After installing SP3, or shortly afterwards, the machine kept getting slower. I then scanned it with Gmer, IceSword, Rootkit Unhooker, Silent Runners and USEC Radix. I found various hooks in the SSDT, but they were created by ZoneAlarm (vsdatant.sys) and Rising Antivirus (hookhelp.sys). What is new, however, are various code hooks in the IAT: three new [unknown_code_page] code hooks and several code hooks by the file ShimEng.dll. If I reset all of these last two kinds of code hooks with Fixchecked, the machine runs somewhat better again. Does Microsoft use rootkit techniques, and what are the code hooks good for if my machine runs better without them? It is of course extremely cumbersome to remove these code hooks after every boot. I then ran a scan with ComboFix, but I will not use that program again, because despite the uninstall the program stored at least 10 *.exe files in the C:\Windows directory without documenting it. The program VirusKeeper detected this and removed them again. Here is the HJT log file:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:19 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AxBx\VirusKeeper 2008 Pro\vk_service.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\AxBx\VirusKeeper 2008 Pro\VirusKeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Down\actual\New\Antispy\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 10
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [VirusKeeper] C:\Program Files\AxBx\VirusKeeper 2008 Pro\VirusKeeper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: VirusKeeper antivirus/antispyware (vkservice) - AxBx - C:\Program Files\AxBx\VirusKeeper 2008 Pro\vk_service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4433 bytes

Code:
ATTFilter "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "00THotkey" = "C:\WINDOWS\system32\00THotkey.exe" ["TOSHIBA Corp."] "Tpwrtray" = "TPWRTRAY.EXE" ["TOSHIBA Corporation"] "TFncKy" = "TFncKy.exe /Type 10" ["Toshiba Corporation"] "TosHKCW.exe" = "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" ["TOSHIBA CORPORATION"] "ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"] "EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "] "EPSON Stylus CX6400" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"" ["SEIKO EPSON CORPORATION"] "RavTask" = ""C:\Program Files\Rising\Rav\RavTask.exe" -system" ["Beijing Rising Information Technology Co., Ltd."] "VirusKeeper" = "C:\Program Files\AxBx\VirusKeeper 2008 Pro\VirusKeeper.exe" ["AxBx"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "ZoneAlarm Spy Blocker BHO" -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker BHO" \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] 
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] "{00000000-0001-0001-0000-000000000000}" = "shredderse" -> {HKLM...CLSID} = "shredderse" \InProcServer32\(Default) = "c:\program files\steganos trace destructor 6.5\shredderse.dll" [null data] "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan" -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\MSOffice\Office\OLKFSTUB.DLL" [MS] "{46E22146-59C0-4136-9233-52E412E2B428}" = "EzCddax extension" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 7\ezcddax.dll" [null data] "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}" = "RISING" -> {HKLM...CLSID} = "MenuShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."] "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension" -> {HKLM...CLSID} = "a-squared Free Shell Extension" 
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{32CD708B-60A7-4C00-9377-D73EAA495F0F}" = "Rising Execute File Exts hook" -> {HKLM...CLSID} = "ShlExecHack Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."] HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"bsmain" ["Beijing Rising Information Technology Co., Ltd."]| [file not found] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] EzCddax\(Default) = "{46E22146-59C0-4136-9233-52E412E2B428}" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 7\ezcddax.dll" [null data] RisingRavExt\(Default) = "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}" -> {HKLM...CLSID} = "MenuShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."] shredderse\(Default) = "{00000000-0001-0001-0000-000000000000}" -> {HKLM...CLSID} = "shredderse" \InProcServer32\(Default) = "c:\program files\steganos trace 
destructor 6.5\shredderse.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] RisingRavExt\(Default) = "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}" -> {HKLM...CLSID} = "MenuShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."] shredderse\(Default) = "{00000000-0001-0001-0000-000000000000}" -> {HKLM...CLSID} = "shredderse" \InProcServer32\(Default) = "c:\program files\steganos trace destructor 6.5\shredderse.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] RisingRavExt\(Default) = "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}" -> {HKLM...CLSID} = "MenuShlExt Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] WinZip\(Default) 
= "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] Default executables: -------------------- <<!>> HKLM\SOFTWARE\Classes\.scr\(Default) = "AutoCADScriptFile" <<!>> HKLM\SOFTWARE\Classes\AutoCADScriptFile\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "disableregistrytools" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKCU\Software\Policies\Microsoft\Windows\System\ "disablecmd" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Disable the command prompt} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: 
----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\hfmei\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ EZCDDAXAutoPlayAudioCD\ "Provider" = "Easy CD-DA Extractor 7" "InvokeProgID" = "ezcddax.AutoPlay" "InvokeVerb" = "AudioCD" HKLM\SOFTWARE\Classes\ezcddax.AutoPlay\shell\AudioCD\command\(Default) = ""C:\Program Files\Easy CD-DA Extractor 7\ezcddax.exe" -nn" ["Jukka Poikolainen"] EZCDDAXAutoPlayBlankCD\ "Provider" = "Easy CD-DA Extractor 7" "InvokeProgID" = "ezcddax.AutoPlay" "InvokeVerb" = "EmptyCD" HKLM\SOFTWARE\Classes\ezcddax.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Program Files\Easy CD-DA Extractor 7\ezcddax.exe" -nn" ["Jukka Poikolainen"] NeroAutoPlay2CDAudio\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "HandleCDBurningOnArrival_CDAudio" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"] NeroAutoPlay2CopyCD\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "PlayCDAudioOnArrival_CopyCD" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program 
Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"] NeroAutoPlay2DataDisc\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "HandleCDBurningOnArrival_DataDisc" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"] NeroAutoPlay2LaunchNeroStartSmart\ "Provider" = "Nero StartSmart" "InvokeProgID" = "Nero.AutoPlay2" "InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart" HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"] Rising.Rav.20\ "Provider" = "Rising Antivirus" "InvokeProgID" = "Rising.Rav.20" "InvokeVerb" = "Ravopen" HKLM\SOFTWARE\Classes\Rising.Rav.20\shell\Ravopen\command\(Default) = "C:\Program Files\Rising\Rav\Rav.exe %1" ["Beijing Rising Information Technology Co., Ltd."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 12 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker" \InProcServer32\(Default) 
= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided) -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker" \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{916C1EF1-CA89-4F1B-AFDA-3CA85BD0F831}\(Default) = "ZoneAlarm PopBlocker" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Rising Process Communication Center, RsCCenter, ""C:\Program Files\Rising\Rav\CCenter.exe"" ["Beijing Rising Information Technology Co., Ltd."] TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"] VirusKeeper antivirus/antispyware, vkservice, "C:\Program Files\AxBx\VirusKeeper 2008 Pro\vk_service.exe" ["AxBx"] Keyboard Driver Filters: ------------------------ HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ "UpperFilters" = <<!>> "Lkbdflt2" ["Logitech"] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"] PDF-XChange\Driver = "pxc25pm.dll" ["Tracker Software"] ---------- (launch time: 2008-11-16 09:21:45) <<!>>: Suspicious 
data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 446 seconds, including 7 seconds for message boxes)

hfmei
Last edited by hfmei (16.11.2008 at 11:31)
17.11.2008, 12:06 | #2
Rootkits or Trojans on the computer?

Hello,
In the meantime I have run a complete scan with each of Rising Antivirus, Kaspersky Online Scan and a-squared Free. None of the scans found anything. I am attaching a new Rootkit Unhooker log file.
Code:
ATTFilter RkUnhooker report generator v0.7 ============================================== Rootkit Unhooker kernel version: 3.8.341.552 ============================================== Windows Major Version: 5 Windows Minor Version: 1 Windows Build Number: 2600 ============================================== >SSDT State NtAssignProcessToJobObject Actual Address 0xF799CEE8 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtConnectPort Actual Address 0xF29F6040 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtCreateFile Actual Address 0xF29F2930 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtCreateKey Actual Address 0xF799CC77 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtCreatePort Actual Address 0xF29F6510 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtCreateProcess Actual Address 0xF29FC870 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtCreateProcessEx Actual Address 0xF29FCAA0 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtCreateSection Actual Address 0xF29FFFD0 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtCreateThread Actual Address 0xF799CD71 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtCreateWaitablePort Actual Address 0xF29F6600 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtDebugActiveProcess Actual Address 0xF799CE84 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtDeleteFile Actual Address 0xF29F2F20 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtDeleteKey Actual Address 0xF799CCC2 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtDeleteValueKey Actual Address 0xF799CCA9 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtDuplicateObject Actual Address 0xF29FC580 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtLoadDriver Actual Address 0xF799CD3F Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtLoadKey Actual Address 0xF29FE8B0 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtLockVirtualMemory Actual Address 0xF799CE52 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtOpenFile Actual Address 0xF29F2D70 Hooked by: 
C:\WINDOWS\System32\vsdatant.sys NtOpenProcess Actual Address 0xF29FC350 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtOpenSection Actual Address 0xF799CD8A Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtOpenThread Actual Address 0xF29FC150 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtProtectVirtualMemory Actual Address 0xF799CE39 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtQueryValueKey Actual Address 0xF799CECF Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtQueueApcThread Actual Address 0xF799CE07 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtReadVirtualMemory Actual Address 0xF799CE20 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtRenameKey Actual Address 0xF799CCDB Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtReplaceKey Actual Address 0xF29FECB0 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtRequestWaitReplyPort Actual Address 0xF29F5C00 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtRestoreKey Actual Address 0xF799CD0D Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSecureConnectPort Actual Address 0xF29F6220 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtSetContextThread Actual Address 0xF799CDD5 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSetInformationFile Actual Address 0xF29F3120 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtSetSecurityObject Actual Address 0xF799CCF4 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSetSystemInformation Actual Address 0xF799CE6B Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSetValueKey Actual Address 0xF799CC90 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSuspendProcess Actual Address 0xF799CDEE Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSuspendThread Actual Address 0xF799CDBC Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtSystemDebugControl Actual Address 0xF799CE9D Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtTerminateProcess Actual Address 0xF29FCCD0 Hooked by: C:\WINDOWS\System32\vsdatant.sys 
NtTerminateThread Actual Address 0xF799CDA3 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtWriteVirtualMemory Actual Address 0xF799CD58 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys ============================================== >Shadow NtUserGetKeyboardState Actual Address 0xF799D776 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtUserGetRawInputBuffer Actual Address 0xF799D744 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtUserGetRawInputData Actual Address 0xF799D75D Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys NtUserMessageCall Actual Address 0xF29F4250 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtUserPostMessage Actual Address 0xF29F42E0 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtUserPostThreadMessage Actual Address 0xF29F4360 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtUserSendInput Actual Address 0xF29F4520 Hooked by: C:\WINDOWS\System32\vsdatant.sys NtUserSetWindowsHookEx Actual Address 0xF799D6F9 Hooked by: C:\WINDOWS\system32\drivers\HOOKHELP.sys ============================================== >Processes Process: System Process Id: 4 EPROCESS Address: 0x857CA830 Process: C:\WINDOWS\system32\smss.exe Process Id: 608 EPROCESS Address: 0x854D0678 Process: C:\WINDOWS\system32\csrss.exe Process Id: 672 EPROCESS Address: 0x854B5500 Process: C:\WINDOWS\system32\winlogon.exe Process Id: 696 EPROCESS Address: 0x85490030 Process: C:\WINDOWS\system32\services.exe Process Id: 740 EPROCESS Address: 0x8545E750 Process: C:\WINDOWS\system32\lsass.exe Process Id: 752 EPROCESS Address: 0x8545A460 Process: C:\WINDOWS\system32\TPWRTRAY.EXE Process Id: 808 EPROCESS Address: 0x852471B8 Process: C:\WINDOWS\system32\00THotkey.exe Process Id: 884 EPROCESS Address: 0x852B2578 Process: C:\WINDOWS\system32\svchost.exe Process Id: 916 EPROCESS Address: 0x854667A0 Process: C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe Process Id: 932 EPROCESS Address: 0x85231DA0 Process: C:\WINDOWS\system32\svchost.exe Process Id: 1016 EPROCESS Address: 
==============================================
>Drivers
==============================================
>Stealth
==============================================
>Hooks
ntfs.sys-->ntoskrnl.exe-->IoCheckShareAccess, Type: IAT modification 0xF73FFD10 [HookSys.sys]
ntfs.sys-->ntoskrnl.exe-->MmFlushImageSection, Type: IAT modification 0xF73FFCD0 [HookSys.sys]
ntfs.sys-->ntoskrnl.exe-->SeAccessCheck, Type: IAT modification 0xF73FFE2C [HookSys.sys]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B74C, Type: Inline - RelativeJump 0x804E274C [ntoskrnl.exe]
ntoskrnl.exe+0x0000B760, Type: Inline - RelativeJump 0x804E2760 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B77C, Type: Inline - RelativeJump 0x804E277C [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7A0, Type: Inline - PushRet 0x804E27A0 [unknown_code_page]
ntoskrnl.exe+0x0000B7B8, Type: Inline - RelativeJump 0x804E27B8 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B878, Type: Inline - RelativeJump 0x804E2878 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B890, Type: Inline - PushRet 0x804E2890 [unknown_code_page]
ntoskrnl.exe+0x0000B96C, Type: Inline - PushRet 0x804E296C [unknown_code_page]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF2A62428 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF2A62454 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF2A62460 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF779EB4C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF779EB1C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF779EB3C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF779EB28 [vsdatant.sys]
[1376]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[1376]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[1376]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[1376]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[1376]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[1376]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x78051488 [shimeng.dll]
[1376]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]

Thanks in advance. Regards |
22.11.2008, 10:25 | #3 |
| Rootkits or Trojans on the computer? Hello,
Thanks, what a great forum: after a week still no answer! You can close my thread, since I already got help in another forum after just one day. Regards, hmei |