| Borscht1 | 10.06.2010 16:09 |
GMER Scan Windows 7 Rootkit auf meinem PC?
Hallo liebe Community! Ich habe den GMER Rootkit Scanner mal durchlaufen lassen, da mein WoW Account gehackt wurde und das Blizzard Support team mir geraten hat den Gmer Scanner zu benutzen, jedoch kenn ich mich nicht sogut mit dem Scanner aus und wollte euch bitten das mal anzuschauen: Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-06-10 15:16:04
Windows 6.1.7600
Running: 6kytko0n.exe; Driver: C:\Users\Borschti\AppData\Local\Temp\pwriqpoc.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C39AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C39104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C393F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C222D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C391DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C39958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C396F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C39F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3A1A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C8B8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82CAB3D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spve.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 91ED5CA0 5 Bytes JMP 852E34E0
.text ajd2mg00.SYS 91F24000 12 Bytes [44, 48, C2, 82, EE, 46, C2, ...]
.text ajd2mg00.SYS 91F2400D 9 Bytes [27, C2, 82, 48, 4B, C2, 82, ...]
.text ajd2mg00.SYS 91F24017 20 Bytes [00, DE, E7, B1, 8B, E6, E5, ...]
.text ajd2mg00.SYS 91F2402C 149 Bytes [00, 00, 00, 00, 00, 67, C8, ...]
.text ajd2mg00.SYS 91F240C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? system32\DRIVERS\avgntflt.sys Das System kann den angegebenen Pfad nicht finden. !
.text peauth.sys 8E1F6C9D 28 Bytes [55, C8, ED, D3, E6, D9, 17, ...]
.text peauth.sys 8E1F6CC1 28 Bytes [55, C8, ED, D3, E6, D9, 17, ...]
PAGE peauth.sys 8E1FCB9B 72 Bytes JMP 13A445B1
PAGE peauth.sys 8E1FCBEC 111 Bytes [A7, C3, 85, FA, 02, 8A, E6, ...]
PAGE peauth.sys 8E1FCE20 101 Bytes [8B, 78, 9E, CA, 99, 00, 84, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[5504] ntdll.dll!LdrLoadDll 7761F585 5 Bytes JMP 000913F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [8BA4CDDC] \SystemRoot\System32\Drivers\spve.sys
IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [8BA4CE30] \SystemRoot\System32\Drivers\spve.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BA22042] \SystemRoot\System32\Drivers\spve.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BA226D6] \SystemRoot\System32\Drivers\spve.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BA22800] \SystemRoot\System32\Drivers\spve.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BA2213E] \SystemRoot\System32\Drivers\spve.sys
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
IAT \SystemRoot\System32\Drivers\ajd2mg00.SYS[NTOSKRNL.exe!KeTickCount] 78801875
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [742A2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74285624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742856E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [742A250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74298573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74294D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742950CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [742951A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742966D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [742982CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74298819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7429907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7429E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74294C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8529F1F8
Device \Driver\volmgr \Device\VolMgrControl 8529B1F8
Device \Driver\usbuhci \Device\USBPDO-0 86477380
Device \Driver\usbuhci \Device\USBPDO-1 86477380
Device \Driver\PCI_PNP9406 \Device\00000052 spve.sys
Device \Driver\usbuhci \Device\USBPDO-2 86477380
Device \Driver\usbuhci \Device\USBPDO-3 86477380
Device \Driver\usbehci \Device\USBPDO-4 8623C500
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume1 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 863231F8
Device \Driver\volmgr \Device\HarddiskVolume3 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 863231F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8529D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 8529D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8529D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8529D1F8
Device \Driver\atapi \Device\Ide\IdePort2 8529D1F8
Device \Driver\atapi \Device\Ide\IdePort3 8529D1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000080 863601F8
Device \Driver\volmgr \Device\HarddiskVolume5 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume6 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000082 863601F8
Device \Driver\volmgr \Device\HarddiskVolume7 8529B1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000083 863601F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 864081F8
Device \Driver\USBSTOR \Device\00000084 863601F8
Device \Driver\USBSTOR \Device\00000085 863601F8
Device \Driver\usbuhci \Device\USBFDO-0 86477380
Device \Driver\usbuhci \Device\USBFDO-1 86477380
Device \Driver\usbuhci \Device\USBFDO-2 86477380
Device \Driver\usbuhci \Device\USBFDO-3 86477380
Device \Driver\NetBT \Device\NetBT_Tcpip_{AA89CA67-E5A9-4FAD-A56F-B52C08C9643C} 864081F8
Device \Driver\usbehci \Device\USBFDO-4 8623C500
Device \Driver\USBSTOR \Device\0000007e 863601F8
Device \Driver\USBSTOR \Device\0000007f 863601F8
Device \Driver\ajd2mg00 \Device\Scsi\ajd2mg001 85FD71F8
Device \Driver\ajd2mg00 \Device\Scsi\ajd2mg001Port4Path0Target0Lun0 85FD71F8
Device \Driver\sptd \Device\3828774406 spve.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC5 0xD4 0xC1 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x91 0xBA 0xFD 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x81 0x8B 0xC2 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC5 0xD4 0xC1 0xDD ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x91 0xBA 0xFD 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x81 0x8B 0xC2 0x2D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Borschti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HP\HP\xa0Update.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP\HP\xa0Update.lnk 1
---- EOF - GMER 1.0.15 ----
Ich bin mir nicht sicher ob ich nun einen Rootkit habe oder nicht, und bitte um Hilfe bei der Auswertung! mfg Borschti! |
