RKIT/Bubnix.AU in C:\Windows\System32\drivers\jzhkpqtl.sys (Windows 7)
Forum section: Plagegeister aller Art und deren Bekämpfung. If you are not sure whether you have picked up malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
#16
RKIT/Bubnix.AU in C:\Windows\System32\drivers\jzhkpqtl.sys
GMER Logfile:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-15 21:59:33
Windows 6.1.7600
Running: i8x9d6uf.exe; Driver: C:\Users\Seblon\AppData\Local\Temp\kxryrkob.sys
---- System - GMER 1.0.15 ----
SSDT 8C7090E4 ZwCreateThread
SSDT 8C7090D0 ZwOpenProcess
SSDT 8C7090D5 ZwOpenThread
SSDT 8C7090DF ZwTerminateProcess
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83049AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83049104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830493F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83031634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83031898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830491DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83049958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830496F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83049F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8304A1A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C62599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C86F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82C8E85C 4 Bytes [E4, 90, 70, 8C] {IN AL, 0x90; JO 0xffffffffffffff90}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82C8E9F8 4 Bytes [D0, 90, 70, 8C]
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82C8EA18 4 Bytes JMP F359BF9F
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82C8ECC8 4 Bytes [DF, 90, 70, 8C]
? System32\Drivers\jzhkpqtl.sys Ein an das System angeschlossenes Gerät funktioniert nicht. !
.text peauth.sys AC89AC9D 28 Bytes [1E, AC, AD, 53, AD, 4F, 70, ...]
.text peauth.sys AC89ACC1 28 Bytes [1E, AC, AD, 53, AD, 4F, 70, ...]
PAGE peauth.sys AC8A0E20 101 Bytes [26, 0D, FC, 0E, BC, 4A, 10, ...]
PAGE peauth.sys AC8A102C 1 Byte [41]
PAGE peauth.sys AC8A102C 102 Bytes [41, 55, 46, D5, AB, 0C, 73, ...]
? C:\Users\Seblon\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [73F72494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [73F55624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [73F556E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [73F7250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73F68573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [73F64D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [73F650CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [73F651A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73F666D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73F682CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73F68819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73F6907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73F6E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3052] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [73F64C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 871BC480
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Driver\ACPI_HAL \Device\00000063 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015831212e7
Reg HKLM\SYSTEM\CurrentControlSet\services\jzhkpqtl@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\jzhkpqtl@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\jzhkpqtl@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\jzhkpqtl@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015831212e7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\jzhkpqtl@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\jzhkpqtl@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\jzhkpqtl@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\jzhkpqtl@Group Boot Bus Extender
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Seblon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1
---- EOF - GMER 1.0.15 ----