Squadron | 18.10.2008 16:35 | "copy of MBR" backdoor installed by professionals yet again? Hello,
could you take a look at this? We had replaced the complete hardware, but we fear we have been hacked again.
GMER log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-18 17:14:17
Windows 6.0.6001 Service Pack 1
---- User code sections - GMER 1.0.14 ----
? C:\Program Files\Kaspersky Internet Security 2009\avp.exe[884] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 32.dll
.text C:\Program Files\Kaspersky Internet Security 2009\avp.exe[884] USER32.dll!GetAppCompatFlags2 + 880 77AB6390 4 Bytes [ 70, 11, 41, 6D ]
? C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 32.dll
.text C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] USER32.dll!GetAppCompatFlags2 + 880 77AB6390 4 Bytes [ 70, 11, 41, 6D ]
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C04A8
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!GetModuleFileNameA] 018C04D2
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 018C04FC
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] 018C0526
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 018C0550
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 018C057A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 018C05A4
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 018C05CE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] 018C05F8
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 018C0622
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleFileNameW] 018C064C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetErrorMode] 018C0676
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C06A0
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] 018C06CA
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 018C06F4
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 018C071E
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameA] 018C0748
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 018C0772
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C079C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetModuleFileNameW] 018C07C6
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 018C07F0
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 018C081A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FreeLibrary] 018C0844
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C086E
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 018C0898
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 018C08C2
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] 018C08EC
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 018C0916
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 018C0940
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C0D5A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 018C0D84
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 018C0DAE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameA] 018C0DD8
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetErrorMode] 018C0E02
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 018C0E2C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetModuleFileNameW] 018C0E56
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 018C0E80
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] 018C0EAA
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 018C0ED4
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 018C0EFE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameW] 018C0F28
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleFileNameA] 018C0F52
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C0F7C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 018C0FA6
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetErrorMode] 018C0FD0
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 018F0010
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] 018F003A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 018F0064
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 018F008E
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 018F00B8
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018F00E2
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 018F010C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameW] 018F0136
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 018F0160
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 018F018A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 018F01B4
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetModuleFileNameA] 018F01DE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] 018F057A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018F0994
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 018F09BE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 018F09E8
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 018F0A12
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] 018F0A3C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\userenv.dll [KERNEL32.dll!SetErrorMode] 01910160
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\userenv.dll [KERNEL32.dll!GetProcAddress] 0191018A
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\userenv.dll [KERNEL32.dll!FreeLibrary] 019101B4
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] 019101DE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 01910208
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\userenv.dll [KERNEL32.dll!GetModuleFileNameW] 01910232
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameA] 018C0208
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] 018C0358
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!FreeLibrary] 018C01DE
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] 018C025C
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] 018C0286
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 018C02DA
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetModuleFileNameW] 018C0232
IAT C:\Program Files\Kaspersky Internet Security 2009\avp.exe[4016] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] 018C0304
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00125a5e0fe4
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00125a5e0fe4@00125aa185dd 0x1B 0x38 0x6E 0x77 ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00125a5e0fe4
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00125a5e0fe4@00125aa185dd 0x1B 0x38 0x6E 0x77 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0xE8 0xD9 0xFC 0xF0 ...
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device
---- EOF - GMER 1.0.14 ----
Thanks for your tips. I will post the HJT file in the next reply.
Regards
Squad