Franzi5385 | 12.09.2010 10:58 | So here is the logfile from Avenger:
Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "ovfmoi" disabled successfully.
Driver "ovfmoi" deleted successfully.
File "C:\Windows\system32\Drivers\ovfmoi.sys" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
I also ran a scan with GMER earlier; that produced this logfile:
GMER Logfile:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-09-12 11:36:29
Windows 6.1.7600
Running: s26i6f9e.exe; Driver: C:\Users\Franzi\AppData\Local\Temp\pgryipog.sys
---- System - GMER 1.0.15 ----
SSDT 9150D83C ZwCreateThread
SSDT 9150D828 ZwOpenProcess
SSDT 9150D82D ZwOpenThread
SSDT 9150D837 ZwTerminateProcess
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832473F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832302D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322F898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832471DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832476F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832481A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E60599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E84F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82E8C85C 4 Bytes [3C, D8, 50, 91] {CMP AL, 0xd8; PUSH EAX; XCHG ECX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82E8C9F8 4 Bytes [28, D8, 50, 91] {SUB AL, BL; PUSH EAX; XCHG ECX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82E8CA18 4 Bytes [2D, D8, 50, 91]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82E8CCC8 4 Bytes [37, D8, 50, 91] {AAA ; FCOM DWORD [EAX-0x6f]}
? System32\drivers\mnweaqh.sys Das System kann den angegebenen Pfad nicht finden. !
? System32\drivers\jarh.sys Das System kann den angegebenen Pfad nicht finden. !
? System32\Drivers\ovfmoi.sys Ein an das System angeschlossenes Gerät funktioniert nicht. !
.reloc C:\Windows\system32\drivers\acedrv11.sys section is executable [0xAEE36300, 0x25D4C, 0xE0000060]
.text peauth.sys AEE73C9D 28 Bytes [C4, A0, BD, 73, ED, CF, 3B, ...]
.text peauth.sys AEE73CC1 28 Bytes [C4, A0, BD, 73, ED, CF, 3B, ...]
PAGE peauth.sys AEE79B9B 72 Bytes [09, B5, 0D, 40, DC, 7B, AE, ...]
PAGE peauth.sys AEE79BEC 111 Bytes [D9, 58, C4, 78, F1, C5, 78, ...]
PAGE peauth.sys AEE79E20 101 Bytes [C9, 6B, 38, 53, 06, EB, FF, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1140] ntdll.dll!DbgBreakPoint 76EA3574 1 Byte [C3]
.text C:\Windows\system32\svchost.exe[1140] ntdll.dll!NtProtectVirtualMemory 76EB5380 5 Bytes JMP 0041000A
.text C:\Windows\system32\svchost.exe[1140] ntdll.dll!NtWriteVirtualMemory 76EB5F00 5 Bytes JMP 0042000A
.text C:\Windows\system32\svchost.exe[1140] ntdll.dll!KiUserExceptionDispatcher 76EB6448 5 Bytes JMP 0040000A
.text C:\Windows\system32\svchost.exe[1140] ole32.dll!CoCreateInstance 756457FC 5 Bytes JMP 004C000A
.text C:\Windows\system32\svchost.exe[1140] USER32.dll!GetCursorPos 7542C198 5 Bytes JMP 00E9000A
? C:\Windows\System32\svchost.exe[2636] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll
.text C:\Windows\system32\taskmgr.exe[2880] ntdll.dll!DbgBreakPoint 76EA3574 1 Byte [C3]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 01A6B6E9
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 5409E800
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] 68500000
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] 0F6DEAD8
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 00113EE8
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] F8BD8D00
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] E81394A3
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] 00000C58
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] 59756668
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] 04C76661
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 838FFE24
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 66F9FFC6
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] 0CE1BA0F
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] 85C330F5
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] 12CEE9FE
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 00458F24
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] 042444C6
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 8D9C9C92
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] E9302464
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] 000053DA
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 005BE7E9
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 514EE900
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] 35E90000
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] 9C0001AD
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] 892434FF
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 6604247C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 0C89CF0F
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] A0B98D24
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] F7B8C753
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 24BC8DD7
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] BA86FAAB
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] BA0F669C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 879C0AFF
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 0F66242C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 5304E5BA
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey] 8DC7D366
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW] 5F73E52C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] CFD3E1F2
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF896652
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] 35FF6056
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [004011C5] C:\Windows\System32\svchost.exe (Hostprozess für Windows-Dienste/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW] 1C24448F
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] 005638E9
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] F6F5F800
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] C4F766D2
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] ED831B48
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] FCEC8302
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] 54A0800F
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx] D0200000
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 81E85024
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 9C00000D
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx] 2824448F
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 2474FF50
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 00458F2C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2489669C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E8000053
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 0000510A
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] C450E9D5
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 74FF0001
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 458F0424
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 60579C00
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 24648D9C
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 5318E934
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 8B660000
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 56B1E900
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite] 7E270000
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled] C421E9B1
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister] C3300001
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 005A4AE9
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] D6F7C5D3
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 00090AE8
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 242C8700
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] EAB60F66
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 4AE8F960
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] D0000014
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 89DC88E0
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 83D084E8
IAT C:\Windows\System32\svchost.exe[2636] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] E99C02ED
IAT C:\Windows\System32\rundll32.exe[3488] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F15E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3488] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F15E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3488] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F15E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3488] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F15E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3488] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74F15E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3488] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74F15E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8680E0A0
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86666EC5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\ovfmoi@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\ovfmoi@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ovfmoi@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ovfmoi@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\ovfmoi@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\ovfmoi@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\ovfmoi@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\ovfmoi@Group Boot Bus Extender
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
After the restart the screen is still black, but the file is gone. In the GMER logfile this file can also be seen, but next to it there are also two others from the same folder. Could those also be such files? |