Log analysis and evaluation: GMER: ntkrnlpa.exe!ZwSaveKey + 13D1, ntkrnlpa.exe!KiDispatchInterrupt + 5A2, MBR is OK (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1

GMER: ntkrnlpa.exe!ZwSaveKey + 13D1, ntkrnlpa.exe!KiDispatchInterrupt + 5A2, MBR is OK

Hello! I have a problem disinfecting a computer. Other trojans and rootkits I was able to clean up with GMER/Rkill/Malwarebytes' Anti-Malware, but this one has me stumped.

System: Windows 7 32-bit

Problem:
- MBR is OK
- Virus scanners show nothing (to fix)
- Rkill shows nothing (further to kill)
- Malwarebytes' Anti-Malware shows nothing (to fix)
- GMER does not detect a rootkit, but under "Sections" it detects modifications which, when I run Recode, lead to a crash (-> MEMORY_ERROR or similar)
- ESET Online Scanner cannot get any updates over the internet

In the meantime I have removed/uninstalled the SPTD driver 1.78 from DAEMON Tools, but there are still hidden(?) registry entries in the sptd services branch. I don't know whether that is (simply "just") a secondary problem. Possibly that was the entry point. In any case, something is running here that hooks every new program that gets started, which is quite easy to see with a GMER (Sections) scan.

Please help!

LOGS: (username -> *USERNAME*)

catchme gives the following:
Code:
disk not found C:\
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2011-09-02 01:44:41
Windows 6.1.7601 Service Pack 1
Running: j9nc21vb.exe; Driver: C:\Users\*USERNAME*\AppData\Local\Temp\pwlirpog.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKey + 13D1 82A86349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABFD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E01000, 0x227A14, 0xE8000020]
.text peauth.sys 95353C9D 28 Bytes JMP BAC16E34
.text peauth.sys 95353CC1 28 Bytes JMP BAC16E58
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 978D8000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 978D8123 629 Bytes [35, 8D, 97, FE, 05, 34, 35, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 978D8399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 978D83FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 978D84AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
---- EOF - GMER 1.0.15 ----
Code:
OTL logfile created on: 9/2/2011 1:34:09 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files
Drive C: | 100.00 Mb Total Space | 75.48 Mb Free Space | 75.48% Space Free | Partition Type: NTFS
Drive D: | 74.43 Gb Total Space | 45.00 Gb Free Space | 60.47% Space Free | Partition Type: NTFS
Drive E: | 7.46 Gb Total Space | 1.02 Gb Free Space | 13.61% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive Z: | 1790.47 Gb Total Space | 42.85 Gb Free Space | 2.39% Space Free | Partition Type: NTFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
========== Win32 Services (SafeList) ==========
SRV - [2011/06/19 16:35:24 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand] -- D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/06 06:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto] -- D:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand] -- -- (VGPU)
DRV - File not found [Kernel | System] -- -- (MpKslbcb21994)
DRV - File not found [Kernel | System] -- -- (MpKslb0e0a44c)
DRV - File not found [Kernel | System] -- -- (MpKslab995045)
DRV - File not found [Kernel | System] -- -- (MpKsl760ca118)
DRV - File not found [Kernel | System] -- -- (MpKsl069b7191)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/11/20 17:29:34 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 17:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 17:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 17:29:03 | 000,112,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - [2010/11/20 17:29:03 | 000,077,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV - [2010/11/20 17:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 17:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- D:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 17:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 17:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 17:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/11/20 17:29:03 | 000,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\terminpt.sys -- (terminpt)
DRV - [2010/11/20 17:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 17:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/08/22 23:06:38 | 000,048,640 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\L1E62x86.sys -- (L1E)
DRV - [2009/07/13 18:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2004/08/13 03:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand] -- D:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\*USERNAME*_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.facemoods.com/?a=ddrnw
IE - HKU\*USERNAME*_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\*USERNAME*_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 89 EF 14 23 EA F5 CB 01 [binary data]
IE - HKU\*USERNAME*_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "Facemoods Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/01 17:35:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/08/19 04:26:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
[2011/04/08 08:18:07 | 000,000,000 | ---D | M] (No name found) -- D:\Users\*USERNAME*\AppData\Roaming\Mozilla\Extensions
[2010/09/19 09:09:26 | 000,000,000 | ---D | M] (No name found) -- D:\Users\*USERNAME*\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/07/03 02:46:09 | 000,000,000 | ---D | M] (No name found) -- D:\Users\*USERNAME*\AppData\Roaming\Mozilla\Firefox\Profiles\c8mwc1au.default\extensions
[2011/06/08 06:28:30 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions
[2011/06/08 06:28:30 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- D:\USERS\*USERNAME*\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\C8MWC1AU.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2011/09/01 17:35:46 | 000,134,104 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,001,392 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 04:00:00 | 000,001,153 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011/06/08 06:21:16 | 000,002,048 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\fcmdSrch.xml
[2010/01/01 04:00:00 | 000,006,805 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/01/01 04:00:00 | 000,001,178 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010/01/01 04:00:00 | 000,001,105 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\systemprofile_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\*USERNAME*_ON_D\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\*USERNAME*_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/05/08 07:37:52 | 000,000,100 | ---- | M] () - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/09/01 17:17:42 | 000,000,000 | ---D | C] -- D:\Program Files\ESET
[2011/09/01 17:17:28 | 002,322,184 | ---- | C] (ESET) -- D:\Users\*USERNAME*\Desktop\esetsmartinstaller_enu.exe
[2011/09/01 17:12:43 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- D:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/01 17:12:43 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/01 17:12:43 | 000,000,000 | ---D | C] -- D:\ProgramData\Malwarebytes
[2011/09/01 17:12:40 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- D:\Windows\System32\drivers\mbam.sys
[2011/09/01 11:35:58 | 161,627,216 | ---- | C] (Kaspersky Lab) -- D:\Users\*USERNAME*\Desktop\kav12.0.0.374de_de.exe
[2011/09/01 11:03:39 | 000,000,000 | ---D | C] -- D:\a
[2011/09/01 11:01:05 | 003,065,008 | ---- | C] (Safer Networking Limited) -- D:\Users\*USERNAME*\Desktop\RootAlyzer.exe
[2011/09/01 10:42:55 | 000,000,000 | ---D | C] -- D:\Windows\temp
[2011/09/01 10:42:37 | 000,000,000 | -HSD | C] -- D:\$RECYCLE.BIN
[2011/09/01 10:36:13 | 000,518,144 | ---- | C] (SteelWerX) -- D:\Windows\SWREG.exe
[2011/09/01 10:36:13 | 000,406,528 | ---- | C] (SteelWerX) -- D:\Windows\SWSC.exe
[2011/09/01 10:36:13 | 000,060,416 | ---- | C] (NirSoft) -- D:\Windows\NIRCMD.exe
[2011/09/01 10:36:10 | 000,000,000 | ---D | C] -- D:\Windows\ERDNT
[2011/09/01 10:36:08 | 000,000,000 | ---D | C] -- D:\Qoobox
[2011/09/01 07:36:22 | 000,000,000 | ---D | C] -- D:\avz4
[2011/09/01 06:57:54 | 000,581,120 | ---- | C] (OldTimer Tools) -- D:\Users\*USERNAME*\Desktop\OTL.exe
[2011/09/01 06:03:17 | 000,000,000 | ---D | C] -- D:\Windows\Minidump
[2011/09/01 05:57:46 | 000,000,000 | ---D | C] -- D:\Users\*USERNAME*\Desktop\!SECURITY
[2011/09/01 05:15:00 | 000,000,000 | ---D | C] -- D:\Program Files\CCleaner
[2011/09/01 04:55:05 | 000,000,000 | ---D | C] -- D:\Users\*USERNAME*\AppData\Roaming\Malwarebytes
[2011/09/01 04:54:58 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2011/08/23 11:04:23 | 000,000,000 | ---D | C] -- D:\Users\*USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
[2011/08/23 11:00:38 | 000,139,264 | ---- | C] (Blizzard Entertainment) -- D:\Windows\War3Unin.exe
[2011/08/23 11:00:38 | 000,000,000 | ---D | C] -- D:\Users\*USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Warcraft III
[2011/08/23 11:00:38 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Warcraft III
[2011/08/23 10:57:28 | 000,000,000 | ---D | C] -- D:\Spiele
[2011/08/19 05:02:30 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2011/08/19 05:02:26 | 000,000,000 | ---D | C] -- D:\Program Files\PDFCreator
[1 D:\*.tmp files -> D:\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/09/01 18:00:12 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2011/09/01 18:00:08 | 000,021,248 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/01 18:00:08 | 000,021,248 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/01 17:36:06 | 000,653,928 | ---- | M] () -- D:\Windows\System32\perfh007.dat
[2011/09/01 17:36:06 | 000,615,810 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2011/09/01 17:36:06 | 000,129,800 | ---- | M] () -- D:\Windows\System32\perfc007.dat
[2011/09/01 17:36:06 | 000,106,190 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2011/09/01 17:31:26 | 169,750,471 | ---- | M] () -- D:\Windows\MEMORY.DMP
[2011/09/01 17:17:30 | 002,322,184 | ---- | M] (ESET) -- D:\Users\*USERNAME*\Desktop\esetsmartinstaller_enu.exe
[2011/09/01 17:12:43 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/01 11:55:22 | 000,017,408 | ---- | M] () -- D:\Users\*USERNAME*\AppData\Local\WebpageIcons.db
[2011/09/01 11:40:50 | 000,001,912 | ---- | M] () -- D:\Windows\epplauncher.mif
[2011/09/01 11:37:29 | 161,627,216 | ---- | M] (Kaspersky Lab) -- D:\Users\*USERNAME*\Desktop\kav12.0.0.374de_de.exe
[2011/09/01 11:29:02 | 036,999,324 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\old.reg
[2011/09/01 06:57:58 | 000,050,477 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\Defogger.exe
[2011/09/01 06:57:54 | 000,581,120 | ---- | M] (OldTimer Tools) -- D:\Users\*USERNAME*\Desktop\OTL.exe
[2011/09/01 06:19:02 | 000,000,000 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\j9nc21vb.bat
[2011/09/01 05:56:07 | 000,302,592 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\j9nc21vb.exe
[2011/09/01 05:50:19 | 000,298,040 | ---- | M] () -- D:\Windows\System32\FNTCACHE.DAT
[2011/09/01 04:51:02 | 000,012,967 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\RechnungBücher.odt
[2011/09/01 03:58:52 | 000,002,066 | ---- | M] () -- D:\Users\*USERNAME*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2011/08/26 07:01:48 | 000,183,952 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\Lieferschein.26.08.2011_1252-1.pdf
[2011/08/23 11:12:42 | 000,001,643 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\Warcraft III.lnk
[2011/08/23 11:09:54 | 000,050,643 | ---- | M] () -- D:\Windows\War3Unin.dat
[2011/08/23 11:09:54 | 000,001,650 | ---- | M] () -- D:\Users\*USERNAME*\Desktop\Frozen Throne.lnk
[2011/08/23 11:09:52 | 000,139,264 | ---- | M] (Blizzard Entertainment) -- D:\Windows\War3Unin.exe
[2011/08/23 11:09:52 | 000,002,829 | ---- | M] () -- D:\Windows\War3Unin.pif
[2011/08/23 11:09:52 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Warcraft III
[2011/08/19 05:02:31 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[1 D:\*.tmp files -> D:\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/09/01 11:55:19 | 000,017,408 | ---- | C] () -- D:\Users\*USERNAME*\AppData\Local\WebpageIcons.db
[2011/09/01 11:29:01 | 036,999,324 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\old.reg
[2011/09/01 10:36:13 | 000,256,000 | ---- | C] () -- D:\Windows\PEV.exe
[2011/09/01 10:36:13 | 000,208,896 | ---- | C] () -- D:\Windows\MBR.exe
[2011/09/01 10:36:13 | 000,098,816 | ---- | C] () -- D:\Windows\sed.exe
[2011/09/01 10:36:13 | 000,080,412 | ---- | C] () -- D:\Windows\grep.exe
[2011/09/01 10:36:13 | 000,068,096 | ---- | C] () -- D:\Windows\zip.exe
[2011/09/01 06:58:00 | 000,050,477 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\Defogger.exe
[2011/09/01 06:19:02 | 000,000,000 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\j9nc21vb.bat
[2011/09/01 06:03:13 | 169,750,471 | ---- | C] () -- D:\Windows\MEMORY.DMP
[2011/09/01 05:56:11 | 000,302,592 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\j9nc21vb.exe
[2011/09/01 05:50:02 | 000,298,040 | ---- | C] () -- D:\Windows\System32\FNTCACHE.DAT
[2011/09/01 04:51:00 | 000,012,967 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\RechnungBücher.odt
[2011/08/26 07:01:48 | 000,183,952 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\Lieferschein.26.08.2011_1252-1.pdf
[2011/08/23 11:09:54 | 000,001,650 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\Frozen Throne.lnk
[2011/08/23 11:02:18 | 000,001,643 | ---- | C] () -- D:\Users\*USERNAME*\Desktop\Warcraft III.lnk
[2011/08/23 11:00:38 | 000,050,643 | ---- | C] () -- D:\Windows\War3Unin.dat
[2011/08/23 11:00:38 | 000,002,829 | ---- | C] () -- D:\Windows\War3Unin.pif
[2011/08/19 05:02:27 | 000,116,224 | ---- | C] () -- D:\Windows\System32\pdfcmnnt.dll
[2011/08/13 13:05:19 | 000,065,024 | ---- | C] () -- D:\Windows\System32\jsproxy.dll
[2011/04/08 08:23:00 | 000,080,896 | ---- | C] () -- D:\Windows\System32\ff_vfw.dll
[2011/04/08 07:38:47 | 000,000,000 | ---- | C] () -- D:\Windows\ativpsrm.bin
[2011/04/08 07:38:47 | 000,000,000 | ---- | C] () -- D:\Windows\System32\atiicdxx.dat
[2010/11/20 20:46:14 | 000,653,928 | ---- | C] () -- D:\Windows\System32\perfh007.dat
[2010/11/20 20:46:14 | 000,295,922 | ---- | C] () -- D:\Windows\System32\perfi007.dat
[2010/11/20 20:46:14 | 000,129,800 | ---- | C] () -- D:\Windows\System32\perfc007.dat
[2010/11/20 20:46:14 | 000,038,104 | ---- | C] () -- D:\Windows\System32\perfd007.dat
[2010/11/20 17:29:34 | 000,080,896 | ---- | C] () -- D:\Windows\System32\RDVGHelper.exe
[2010/11/20 17:29:26 | 000,066,048 | ---- | C] () -- D:\Windows\System32\PrintBrmUi.exe
[2010/11/20 17:29:24 | 000,252,928 | ---- | C] () -- D:\Windows\System32\DShowRdpFilter.dll
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
[2009/07/13 22:05:48 | 000,615,810 | ---- | C] () -- D:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- D:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,106,190 | ---- | C] () -- D:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- D:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- D:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- D:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- D:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\System32\mlang.dat
[2004/08/13 03:56:20 | 000,005,810 | ---- | C] () -- D:\Windows\System32\drivers\ASACPI.sys
========== LOP Check ==========
[2011/04/08 07:42:58 | 000,000,000 | -HSD | M] -- D:\ProgramData\Anwendungsdaten
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- D:\ProgramData\Application Data
[2011/06/19 16:43:04 | 000,000,000 | ---D | M] -- D:\ProgramData\DAEMON Tools Lite
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- D:\ProgramData\Desktop
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documents
[2011/04/08 07:42:58 | 000,000,000 | -HSD | M] -- D:\ProgramData\Dokumente
[2011/04/08 07:42:58 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favoriten
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favorites
[2011/08/28 18:02:34 | 000,000,000 | ---D | M] -- D:\ProgramData\Rosetta Stone
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- D:\ProgramData\Start Menu
[2011/04/08 07:42:58 | 000,000,000 | -HSD | M] -- D:\ProgramData\Startmenü
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- D:\ProgramData\Templates
[2011/04/08 07:42:58 | 000,000,000 | -HSD | M] -- D:\ProgramData\Vorlagen
[2011/08/31 03:27:07 | 000,032,634 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >
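Added example for this thread (not part of the original post, and not GMER's or catchme's own code): the "Kernel code sections" lines GMER prints and catchme's "NTDLL code modification" line both have a regular shape, so they can be parsed into records and sorted into what-to-check-next buckets instead of being read by eye. The sample input is copied from the two logs above. The bucket names, the `KERNEL_IMAGES` set and the triage rules are this example's own heuristics, not a GMER verdict; in particular a short byte difference inside ntkrnlpa.exe is only meaningful when compared against a clean copy of the same kernel build, so it is filed as "verify", not as a detection. For the catchme line, the right-hand values match the Windows 7 x86 system service numbers (e.g. NtClose = 0x32 = 50), so each pair is reported as "value found in the stub" versus "value the build expects".

```python
"""Parse GMER "Kernel code sections" hits and catchme's NTDLL mismatch line.

Example code written for this thread; NOT part of GMER, catchme or the post.
Sample lines are copied from the logs above; triage rules are heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the GMER "Kernel code sections" block from above
# (raw string so the backslashes in the driver path survive).
GMER_SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKey + 13D1 82A86349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABFD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E01000, 0x227A14, 0xE8000020]
.text peauth.sys 95353C9D 28 Bytes JMP BAC16E34
.text peauth.sys 95353CC1 28 Bytes JMP BAC16E58
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 978D8000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
---- EOF - GMER 1.0.15 ----
"""

# Constructed sample input: catchme's NTDLL line from the post above.
CATCHME_SAMPLE = ("detected NTDLL code modification:\n"
                  "ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, "
                  "ZwClose 0 != 50, ZwQuerySystemInformation 0 != 261")

# "<section> <module>[!<symbol>[ + <offset>]] <address> <n> Byte(s) <rest>"
_PATCH_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>\S+?)"
    r"(?:!(?P<symbol>\S+)(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?)?"
    r"\s+(?P<address>[0-9A-Fa-f]{8})\s+(?P<length>\d+)\s+Bytes?\s+(?P<rest>.*)$")
# "<section> <module path> section is writeable [<base>, <size>, <flags>]"
_WRITEABLE_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>.+?)\s+section is writeable\s+\[(?P<vals>[^\]]*)\]$")
_JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})")
_CATCHME_RE = re.compile(r"(?P<name>\w+)\s+(?P<seen>\d+)\s+!=\s+(?P<expected>\d+)")

# Kernel image names (assumption of this example: the 32-bit Windows kernels).
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}


@dataclass
class Hit:
    section: str
    module: str                      # basename of the module GMER reported
    kind: str                        # "patch", "jmp" or "writeable_section"
    symbol: Optional[str] = None
    offset: Optional[int] = None     # offset from the symbol, if GMER gave one
    address: Optional[int] = None    # virtual address of the modified bytes
    length: int = 0                  # number of bytes GMER reports as changed
    jmp_target: Optional[int] = None # destination of an inline JMP detour
    disasm: Optional[str] = None     # GMER's {...} disassembly, if present


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def parse_gmer(text: str) -> list[Hit]:
    """Turn each GMER code-section line into a Hit; headers are skipped."""
    hits: list[Hit] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        m = _WRITEABLE_RE.match(line)
        if m:
            hits.append(Hit(m["section"], _basename(m["module"]), "writeable_section"))
            continue
        m = _PATCH_RE.match(line)
        if not m:
            continue  # not a code-section record (e.g. a section header line)
        rest = m["rest"]
        jmp = _JMP_RE.match(rest)
        brace = re.search(r"\{(.*)\}", rest)
        hits.append(Hit(
            section=m["section"], module=_basename(m["module"]),
            kind="jmp" if jmp else "patch", symbol=m["symbol"],
            offset=int(m["offset"], 16) if m["offset"] else None,
            address=int(m["address"], 16), length=int(m["length"]),
            jmp_target=int(jmp["target"], 16) if jmp else None,
            disasm=brace.group(1) if brace else None))
    return hits


def parse_catchme(text: str) -> list[tuple[str, int, int]]:
    """Return (function, value_found, value_expected) for each 'X a != b' pair."""
    return [(m["name"], int(m["seen"]), int(m["expected"]))
            for m in _CATCHME_RE.finditer(text)]


def triage(hits: list[Hit]) -> dict[str, list[str]]:
    """Sort hits into follow-up buckets (heuristics of this example).

    A byte diff in the kernel image is only meaningful against a clean copy
    of the same build, so it lands in 'verify', not in a detection bucket.
    """
    out: dict[str, list[str]] = {"verify_against_clean_build": [], "follow_jmp_target": [],
                                 "writeable_code_section": [], "other": []}
    for h in hits:
        if h.kind == "writeable_section":
            out["writeable_code_section"].append(h.module)
            continue
        where = (f"{h.module}!{h.symbol}+{h.offset:X}" if h.symbol
                 else f"{h.module}@{h.address:08X}")
        if h.kind == "jmp":
            out["follow_jmp_target"].append(f"{where} -> {h.jmp_target:08X}")
        elif h.module in KERNEL_IMAGES:
            out["verify_against_clean_build"].append(f"{where} ({h.length} bytes)")
        else:
            out["other"].append(f"{where} ({h.length} bytes)")
    return out


if __name__ == "__main__":
    hits = parse_gmer(GMER_SAMPLE)
    for bucket, items in triage(hits).items():
        print(f"{bucket}: {items}")
    for name, seen, expected in parse_catchme(CATCHME_SAMPLE):
        print(f"{name}: stub reads {seen}, build expects {expected}")
```

The "follow_jmp_target" bucket is the one worth acting on first: a 28-byte JMP out of a driver's .text gives a concrete address to look up (which image, if any, owns it), whereas the kernel-image entries only say that bytes differ from what GMER expected and need a same-build reference before anything is concluded. The catchme records show the same thing from user mode: every listed Zw* stub reads 0 where the build's service number should be, i.e. the stubs in memory do not look like the ones shipped for this Windows version.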