Hallo Arne,
hier schon mal das log file vom GMER
GMER Logfile:
Code:
Alles auswählen Aufklappen ATTFilter
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-04-22 22:16:01
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: kdhlhg1w.exe; Driver: C:\Users\Thomas\AppData\Local\Temp\kxliipoc.sys
---- System - GMER 1.0.15 ----
SSDT 8B1C230E ZwCreateSection
SSDT 8B1C2318 ZwRequestWaitReplyPort
SSDT 8B1C2313 ZwSetContextThread
SSDT 8B1C231D ZwSetSecurityObject
SSDT 8B1C2322 ZwSystemDebugControl
SSDT 8B1C22AF ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 215 822C3998 4 Bytes [0E, 23, 1C, 8B] {PUSH CS; AND EBX, [EBX+ECX*4]}
.text ntkrnlpa.exe!KeSetEvent + 539 822C3CBC 4 Bytes [18, 23, 1C, 8B] {SBB [EBX], AH; SBB AL, 0x8b}
.text ntkrnlpa.exe!KeSetEvent + 56D 822C3CF0 4 Bytes [13, 23, 1C, 8B] {ADC ESP, [EBX]; SBB AL, 0x8b}
.text ntkrnlpa.exe!KeSetEvent + 5D1 822C3D54 4 Bytes [1D, 23, 1C, 8B]
.text ntkrnlpa.exe!KeSetEvent + 619 822C3D9C 4 Bytes [22, 23, 1C, 8B] {AND AH, [EBX]; SBB AL, 0x8b}
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E208000, 0x1F875A, 0xE8000020]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7414A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74128395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [740FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7417CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7411C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000003f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider)
---- Files - GMER 1.0.15 ----
File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\_avt 512 bytes
File C:\ADSM_PData_0150\DragWait.exe 253952 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86 0 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt 512 bytes
---- EOF - GMER 1.0.15 ----
--- --- ---
Gruß
Thomas
22.04.2012, 21:19
Hybrid-Darstellung
