CDPUserSvc_3897e ROOTKIT Von Gmer gefunden.

Dirk1405

Guten Tag,

Ich Arbeite mit Windows 10, und GMER hat 4 Rootkits gefunden.Ob das wirklich Rootkits sind, kann ich nicht beurteilen.
Ich habe schon selber nach Antworten im Internet geschaut, bin aber nur auf einer japanischen Seite fündig geworden.
https://translate.google.de/translate?hl=de&sl=ja&u=https://answers.microsoft.com/ja-jp/protect/forum/protect_other-protect_scanning/%25E3%2583%25AB%25E3%2583%25BC%25E3%2583%2588%25E3%2582%25AD%25E3%2583%2583/22c70731-336f-4222-81da-707032e342f3&prev=search

Die Rootkits werden auch nicht immer gefunden von Gmer.Beim 2 scan tauchen sie nicht mehr auf.

Hier mal das Logfile:
GMER 2.2.19882 - hxxp://www.gmer.net
Rootkit scan 2016-12-23 10:17:20
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c Crucial_CT240M500SSD1 rev.MU05 223,57GB
Running: gmer-2.2.19882.exe; Driver: C:\Users\Harald\AppData\Local\Temp\pxddipow.sys


---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [760:4816] ffff8755c57b6c20
Thread C:\Windows\System32\RuntimeBroker.exe [5248:2000] 00007ffcd8f820e0

---- Services - GMER 2.2 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] CDPUserSvc_3897e <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [MANUAL] WdBoot <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [MANUAL] WdFilter <-- ROOTKIT !!!
Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** ) [MANUAL] WinDefend <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC $UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\*.fsd?$UserP rofile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsf?$UserProfile$ \AppData\Local\Microsoft\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\*.*?$UserProfile$\L ocal Settings\Application Data\Office\16.0\OfficeFileCache\*.*?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Off ice\16.0\OfficeFileCache\*.fsd?$UserProfile$\Local
Reg HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration 348
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files (x86)\Dropbox\OldBinaries??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1154127652
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 19655
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 3992143
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 3991584
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 3991584
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 3992084
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 481
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x05 0xC5 0x94 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-AirSpaceChannel@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-AirSpaceChannel\{f562bb8e-422d-4b5c-b20e-90d710f7d11c}@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3897e@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3897e
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{E919BD49-FA9D-4E56-A318-3145E7365D2B}@DefunctTimestamp 0x76 0xBE 0x5A 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@CheckVersion 102
Reg HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@LastFileRevision 459604
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1857
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 153
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xDE 0x62 0xB1 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xDE 0xCA 0x75 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xDE 0xFA 0xEC 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Group _Early-Launch
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@ImagePath \SystemRoot\system32\drivers\WdBoot.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@ImagePath \SystemRoot\system32\drivers\WdFilter.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Reg HKLM\SYSTEM\Maps@LastMapUpdateCheck 0x2D 0xE2 0x3A 0xAF ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 149
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x3F 0xD8 0x73 0xDD ...

---- EOF - GMER 2.2 ----

Kann da jemand mal drüberschauen? Danke.