| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: TR/ATRAPS.Gen2, RootKit.0Access und Trojan.Phex.THAGen6Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
06.08.2012, 16:40
| #25 |
 |  TR/ATRAPS.Gen2, RootKit.0Access und Trojan.Phex.THAGen6 Puh, das hat ein wenig gedauert. Im Folgenden also alle gewünschten Logs: GMER Logfile: Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-08-06 16:40:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.14.0
Running: 3jmm48zx.exe; Driver: C:\DOKUME~1\Aerophil\LOKALE~1\Temp\kwroikog.sys
---- System - GMER 1.0.15 ----
SSDT 9C529FBC ZwClose
SSDT 9C529F76 ZwCreateKey
SSDT 9C529FC6 ZwCreateSection
SSDT 9C529F6C ZwCreateThread
SSDT 9C529F7B ZwDeleteKey
SSDT 9C529F85 ZwDeleteValueKey
SSDT 9C529FB7 ZwDuplicateObject
SSDT 9C529F8A ZwLoadKey
SSDT 9C529F58 ZwOpenProcess
SSDT 9C529F5D ZwOpenThread
SSDT 9C529FDF ZwQueryValueKey
SSDT 9C529F94 ZwReplaceKey
SSDT 9C529FD0 ZwRequestWaitReplyPort
SSDT 9C529F8F ZwRestoreKey
SSDT 9C529FCB ZwSetContextThread
SSDT 9C529FD5 ZwSetSecurityObject
SSDT 9C529F80 ZwSetValueKey
SSDT 9C529FDA ZwSystemDebugControl
SSDT 9C529F67 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
? Combo-Fix.sys Das System kann die angegebene Datei nicht finden. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB84DC000, 0x1B6662, 0xE8000020]
? C:\ComboFix\catchme.sys Das System kann die angegebene Datei nicht finden. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !
---- User code sections - GMER 1.0.15 ----
.text C:\Programme\Mozilla Firefox\firefox.exe[3816] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 0116B52A C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programme\Mozilla Firefox\firefox.exe[3816] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0141B6F5 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programme\Mozilla Firefox\firefox.exe[3816] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0141B6D2 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programme\Mozilla Firefox\firefox.exe[3816] GDI32.dll!SetDIBitsToDevice + 20A 77EF9E14 7 Bytes JMP 0141B653 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat 91FF5D20
Device \FileSystem\Fastfat \Fat 92005428
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- Files - GMER 1.0.15 ----
File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\css.dat 8192 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 89627 bytes
File C:\RRbackups\common\SAM 262144 bytes
File C:\RRbackups\common\secpolicy.dat 57344 bytes
File C:\RRbackups\common\settings.dat 32768 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\tvtns.bin 23 bytes
File C:\RRbackups\common\usersids.dat 18720 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Lenovo\Client Security Solution\enroll.ini 50 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500\c3ff3929-8e18-46af-9610-f66da22b322d 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500\4333ae2c-5f72-4aca-b94e-7e149b13c6e9 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500\6a428da5-73f9-4a9b-a743-20d8c2ac2835 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Lenovo\Client Security Solution\enroll.ini 50 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-3886091965-922040345-3825767373-1008 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-3886091965-922040345-3825767373-1008\6b29ae44e85efac3c72ff4d1865d73f1_5c4a3f28-7052-4922-ac27-61f005a9dc8d 53 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-3886091965-922040345-3825767373-1008\73d961f8c5ba1c37d83f3a08559ea0da_5c4a3f28-7052-4922-ac27-61f005a9dc8d 49 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-3886091965-922040345-3825767373-1008\83aa4cc77f591dfc2374580bbd95f6ba_5c4a3f28-7052-4922-ac27-61f005a9dc8d 45 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-3886091965-922040345-3825767373-1008\8f71098770f72c7a67cd8f1151619865_5c4a3f28-7052-4922-ac27-61f005a9dc8d 54 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-3886091965-922040345-3825767373-1008\a077ead69703e3bf1fd373a3c9376faa_5c4a3f28-7052-4922-ac27-61f005a9dc8d 77 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500\c3ff3929-8e18-46af-9610-f66da22b322d 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\130524b0-77c9-4930-ad87-0a64129be9f4 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\16765e5c-74e8-4c8a-94d9-151f9c5e6cdc 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\80ca1657-1c52-470a-a067-6fd66c0cb0ae 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\87452106-6afb-4f91-a5dd-cf00ff079e38 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\8deadc1d-1eb0-4bb0-add8-d0ff3fcbac4f 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\a3dc3bb9-98f3-4f3b-8120-6e73dca02571 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\ad6a7fc3-5c4e-4255-a1cb-f0cb1c1e82b9 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\cf3d8121-e3f6-41d7-9e3e-edc90cbb2bd0 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3886091965-922040345-3825767373-1008\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500\4333ae2c-5f72-4aca-b94e-7e149b13c6e9 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500\6a428da5-73f9-4a9b-a743-20d8c2ac2835 388 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Aerophil\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_5c4a3f28-7052-4922-ac27-61f005a9dc8d 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_5c4a3f28-7052-4922-ac27-61f005a9dc8d 47 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_5c4a3f28-7052-4922-ac27-61f005a9dc8d 54 bytes
File C:\RRbackups\Documents and Settings\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_5c4a3f28-7052-4922-ac27-61f005a9dc8d 917 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Lenovo\Client Security Solution\enroll.ini 50 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500\c3ff3929-8e18-46af-9610-f66da22b322d 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3442078936-191556845-2714280049-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500\4333ae2c-5f72-4aca-b94e-7e149b13c6e9 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-4022661095-1875058738-1706889412-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500\6a428da5-73f9-4a9b-a743-20d8c2ac2835 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\Protect\S-1-5-21-446457410-618114184-1655888578-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-20 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-20\94498385663a229a93d423c6d144ae0b_5c4a3f28-7052-4922-ac27-61f005a9dc8d 2567 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\44c0245b-42e6-4709-8cd4-e5bac538f662 388 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\dcb4f071-2510-4fa4-b7e8-4be7ff4a939a 388 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\e3ec91de-01be-4182-b902-ea844fbdeeea 388 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes
---- EOF - GMER 1.0.15 ----
OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 16:46:18 on 06.08.2012 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Mozilla Corporation Firefox 14.0.1 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "PCDoctorBackgroundMonitorTask.job" - "PC-Doctor, Inc." - C:\Programme\PCDR5\pcdr5cuiw32.exe "PMTask.job" - ? - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE (File found, but it contains no detailed information) [Control Panel Objects] -----( %SystemRoot%\system32 )----- "btcpl.cpl" - "Broadcom Corporation." - C:\WINDOWS\system32\btcpl.cpl "FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\WINDOWS\system32\FlashPlayerCPLApp.cpl "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "PWMCPl.cpl" - "Lenovo Group Limited" - C:\WINDOWS\system32\PWMCPl.cpl "TpShCPL.cpl" - "Lenovo." - C:\WINDOWS\system32\TpShCPL.cpl -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\MLCFG32.CPL [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "ANC" (ANC) - "IBM Corp." - C:\WINDOWS\System32\drivers\ANC.SYS "APS Digitizer Activity Monitor" (TPDIGIMN) - "Lenovo." - C:\WINDOWS\System32\DRIVERS\ApsHM86.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys "avkmgr" (avkmgr) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avkmgr.sys "catchme" (catchme) - ? - C:\ComboFix\catchme.sys (File not found) "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "DLABMFSM" (DLABMFSM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABMFSM.SYS "DLABOIOM" (DLABOIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABOIOM.SYS "DLACDBHM" (DLACDBHM) - "Roxio" - C:\WINDOWS\System32\Drivers\DLACDBHM.SYS "DLADResM" (DLADResM) - "Roxio" - C:\WINDOWS\System32\DLA\DLADResM.SYS "DLAIFS_M" (DLAIFS_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAIFS_M.SYS "DLAOPIOM" (DLAOPIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAOPIOM.SYS "DLAPoolM" (DLAPoolM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAPoolM.SYS "DLARTL_M" (DLARTL_M) - "Roxio" - C:\WINDOWS\System32\Drivers\DLARTL_M.SYS "DLAUDFAM" (DLAUDFAM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDFAM.SYS "DLAUDF_M" (DLAUDF_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDF_M.SYS "DRVMCDB" (DRVMCDB) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\DRVMCDB.SYS "DRVNDDM" (DRVNDDM) - "Roxio" - C:\WINDOWS\System32\Drivers\DRVNDDM.SYS "IBMTPCHK" (IBMTPCHK) - ? - C:\WINDOWS\system32\Drivers\IBMBLDID.sys (File found, but it contains no detailed information) "kwroikog" (kwroikog) - ? - C:\DOKUME~1\Aerophil\LOKALE~1\Temp\kwroikog.sys (Hidden registry entry, rootkit activity | File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "mbr" (mbr) - ? - C:\DOKUME~1\Aerophil\LOKALE~1\Temp\mbr.sys (Hidden registry entry, rootkit activity | File not found) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "pmem" (pmem) - "Microsoft Corporation" - C:\WINDOWS\System32\drivers\pmemnt.sys "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "Shockprf" (Shockprf) - "Lenovo." - C:\WINDOWS\System32\DRIVERS\Apsx86.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys "TPPWRIF" (TPPWRIF) - ? - C:\WINDOWS\System32\drivers\Tppwrif.sys (File found, but it contains no detailed information) "TSMAPIP" (TSMAPIP) - ? - C:\WINDOWS\System32\drivers\TSMAPIP.SYS (File found, but it contains no detailed information) "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL {828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL {828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL {91774881-D725-4E58-B298-07617B9B86A8} "Skype IE add-on Pluggable Protocol" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll {03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Programme\Windows Live\Mail\mailcomm.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {6af09ec9-b429-11d4-a1fb-0090960218cb} "Bluetooth-Umgebung" - "Broadcom Corporation." - C:\WINDOWS\system32\BTNEIG~1.DLL {0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Programme\Windows Live\Mail\mailcomm.dll {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - (File not found | COM-object registry key not found) {1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {7842554E-6BED-11D2-8CDB-B05550C10000} "Monitor Class" - "Broadcom Corporation." - C:\WINDOWS\system32\btncopy.dll {0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\OLKFSTUB.DLL {5E44E225-A408-11CF-B581-008029601108} "Roxio DragToDisc Shell Extension" - "Roxio" - C:\Programme\Lenovo\Drag-to-Disc\Shellex.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira Operations GmbH & Co. KG" - C:\Programme\Avira\AntiVir Desktop\shlext.dll {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" - "Advanced Micro Devices, Inc." - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll {00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\WLXPhotoGallery.exe {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll {06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Programme\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- 55963676-2F5E-4BAF-AC28-CF26AA587566 "Cisco AnyConnect VPN Client Web Control" - "Cisco Systems, Inc." - C:\WINDOWS\system32\vpnweb.ocx / vpnweb.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_31.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_31.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_31.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "@btrez.dll,-4015" - ? - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} "ClsidExtension" - "Lenovo Group Limited" - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll {5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL {898EA8C8-E7FF-479B-8935-AEC46303B9E5} "Skype Click to Call" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- {8dcb7100-df86-4384-8842-8fa844297b3f} "Bing Bar" - "Microsoft Corporation." - C:\Programme\Microsoft\BingBar\BingExt.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {d2ce3e00-f94a-4740-988e-03dc2f38c34f} "Bing Bar Helper" - "Microsoft Corporation." - C:\Programme\Microsoft\BingBar\BingExt.dll {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} "IePasswordManagerHelper Class" - "Lenovo Group Limited" - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} "Skype Browser Helper" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "Digital Line Detect.lnk" - "Avanquest Software " - C:\Programme\Digital Line Detect\DLG.exe (Shortcut exists | File exists) "McAfee Security Scan Plus.lnk" - "McAfee, Inc." - C:\Programme\McAfee Security Scan\2.0.181\SSScheduler.exe (Shortcut exists | File exists) "RCIMGDIR.exe.lnk" - "Ricoh co.,Ltd." - C:\Programme\RotateImage\RCIMGDIR.exe (Shortcut exists | File exists) "BTTray.lnk" - "Broadcom Corporation." - C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\Aerophil\Startmenü\Programme\Autostart\desktop.ini -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "ACTray" - "Lenovo " - C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe "ACWLIcon" - "Lenovo " - C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe "Adobe ARM" - "Adobe Systems Incorporated" - "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" "avgnt" - "Avira Operations GmbH & Co. KG" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min "CameraApplicationLauncher" - ? - C:\Programme\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe "CreateLMBCShortCut" - ? - "C:\Programme\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" "cssauth" - "Lenovo Group Limited" - "C:\Programme\Lenovo\Client Security Solution\cssauth.exe" silent "EZEJMNAP" - "Lenovo Group Ltd." - C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe "FingerPrintSoftware" - "Authentec,Inc" - "C:\Programme\Lenovo Fingerprint Software\fpapp.exe" \s "FreePDF Assistant" - "shbox.de" - C:\Programme\FreePDF_XP\fpassist.exe "LENOVO.TPFNF6R" - "Lenovo Group Limited" - C:\Programme\Lenovo\HOTKEY\TPFNF6R.exe "LPMailChecker" - "Lenovo Group Limited" - C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe "LPManager" - "Lenovo Group Limited" - C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe "Message Center Plus" - ? - C:\Programme\LENOVO\Message Center Plus\MCPLaunch.exe /start "picon" - "Intel Corporation" - "C:\Programme\Gemeinsame Dateien\Intel\Privacy Icon\PrivacyIconClient.exe" -startup "PWRMGRTR" - "Lenovo Group Limited" - rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor "StartCCC" - "Advanced Micro Devices, Inc." - "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" "TPFNF7" - "Lenovo Group Limited" - C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe /r "TPHOTKEY" - "Lenovo Group Limited" - C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe "TpShocks" - "Lenovo." - TpShocks.exe "TVT Scheduler Proxy" - "Lenovo Group Limited" - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "Bluetooth-Druckeranschluss" - "Broadcom Corporation." - C:\WINDOWS\system32\bthcrp.dll "Redirected Port" - ? - C:\WINDOWS\system32\redmonnt.dll (File found, but it contains no detailed information) [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "Ac Profile Manager Service" (AcPrfMgrSvc) - "Lenovo " - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe "Access Connections Main Service" (AcSvc) - "Lenovo " - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe "AD Monitor" (ADMonitor) - ? - C:\WINDOWS\system32\ADMonitor.exe "Anzeige am Bildschirm" (TPHKSVC) - "Lenovo Group Limited" - C:\Programme\LENOVO\HOTKEY\TPHKSVC.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "AuthenTec Fingerprint Service" (ATService) - "AuthenTec, Inc." - C:\WINDOWS\system32\AtService.exe "Avira Echtzeit Scanner" (AntiVirService) - "Avira Operations GmbH & Co. KG" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira Planer" (AntiVirSchedulerService) - "Avira Operations GmbH & Co. KG" - C:\Programme\Avira\AntiVir Desktop\sched.exe "BBUpdate" (BBUpdate) - "Microsoft Corporation" - C:\Programme\Microsoft\BingBar\SeaPort.EXE "Bing Bar Update Service" (BBSvc) - "Microsoft Corporation." - C:\Programme\Microsoft\BingBar\BBSvc.EXE "Bluetooth Service" (btwdins) - "Broadcom Corporation." - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe "Cisco AnyConnect VPN Agent" (vpnagent) - "Cisco Systems, Inc." - C:\Programme\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe "Data Transfer Service" (dtsvc) - ? - C:\WINDOWS\system32\DTS.exe "Fingerprint Server" (FingerprintServer) - "AuthenTec,Inc" - C:\WINDOWS\system32\FpLogonServ.exe "Intel(R) Active Management Technology Local Management Service" (LMS) - "Intel Corporation" - C:\Programme\Intel\AMT\LMS.exe "Intel(R) Active Management Technology User Notification Service" (UNS) - "Intel Corporation" - C:\Programme\Gemeinsame Dateien\Intel\Privacy Icon\UNS\UNS.exe "Intel(R) PROSet/Wireless Event Log" (EvtEng) - "Intel(R) Corporation" - C:\Programme\Intel\WiFi\bin\EvtEng.exe "Intel(R) PROSet/Wireless Registry Service" (RegSrvc) - "Intel(R) Corporation" - C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\RegSrvc.exe "Intel(R) PROSet/Wireless WiFi Service" (S24EventMonitor) - "Intel(R) Corporation" - C:\Programme\Intel\WiFi\bin\S24EvMon.exe "IviRegMgr" (IviRegMgr) - "InterVideo" - C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Lenovo Microphone Mute" (LENOVO.MICMUTE) - "Lenovo Group Limited" - C:\Programme\LENOVO\HOTKEY\MICMUTE.exe "McAfee Security Scan Component Host Service" (McComponentHostService) - "McAfee, Inc." - C:\Programme\McAfee Security Scan\2.0.181\McCHSvc.exe "Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE "Mozilla Maintenance Service" (MozillaMaintenance) - "Mozilla Foundation" - C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "Power Manager DBC Service" (Power Manager DBC Service) - ? - C:\Programme\ThinkPad\Utilities\PWMDBSVC.exe "RoxMediaDB10" (RoxMediaDB10) - "Sonic Solutions" - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe "Skype C2C Service" (Skype C2C Service) - "Skype Technologies S.A." - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype\Toolbars\Skype C2C Service\c2c_service.exe "Skype Updater" (SkypeUpdate) - "Skype Technologies" - C:\Programme\Skype\Updater\Updater.exe "SQL Server (MSSMLBIZ)" (MSSQL$MSSMLBIZ) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe "SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe "SQL Server-Browser" (SQLBrowser) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe "SQL Server-Startdienst für Business Contact Manager" (BcmSqlStartupSvc) - "Microsoft Corporation" - C:\Programme\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe "stllssvr" (stllssvr) - "MicroVision Development, Inc." - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe "System Update" (SUService) - "Lenovo Group Limited" - c:\programme\lenovo\system update\suservice.exe "ThinkPad HDD APS Logging Service" (TPHDEXLGSVC) - "Lenovo." - C:\WINDOWS\System32\TPHDEXLG.exe "ThinkVantage Registry Monitor Service" (ThinkVantage Registry Monitor Service) - "Lenovo Group Limited" - c:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe "TSS Core Service" (TSSCoreService) - "Lenovo" - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe "TVT Backup Protection Service" (TVT Backup Protection Service) - ? - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe "TVT Backup Service" (TVT Backup Service) - "Lenovo Group Limited" - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe "TVT Scheduler" (TVT Scheduler) - "Lenovo Group Limited" - c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe "TVT Windows Update Monitor" (TVT_UpdateMonitor) - "Lenovo Group Limited" - C:\Programme\Lenovo\Rescue and Recovery\UpdateMonitor.exe "Windows CardSpace" (idsvc) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "ATFUS" - "AuthenTec,Inc" - C:\WINDOWS\system32\FpWinLogonNp.dll "tpfnf2" - ? - C:\Programme\Lenovo\HOTKEY\notifyf2.dll (File found, but it contains no detailed information) "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll ===[ Logfile end ]=========================================[ Logfile end ]=== --- --- --- If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru Code:
ATTFilter aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-06 16:46:53
-----------------------------
16:46:53.046 OS Version: Windows 5.1.2600 Service Pack 3
16:46:53.046 Number of processors: 2 586 0x170A
16:46:53.046 ComputerName: NOTEBOOK-ALEX UserName: Aerophil
16:46:54.359 Initialize success
16:47:28.281 AVAST engine defs: 12080600
16:47:52.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:47:52.343 Disk 0 Vendor: WDC_WD32 14.0 Size: 305245MB BusType: 3
16:47:52.421 Disk 0 MBR read successfully
16:47:52.421 Disk 0 MBR scan
16:47:52.468 Disk 0 unknown MBR code
16:47:52.515 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 298376 MB offset 2048
16:47:52.578 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 6867 MB offset 611076096
16:47:52.625 Disk 0 scanning sectors +625139712
16:47:52.875 Disk 0 scanning C:\WINDOWS\system32\drivers
16:48:35.812 Service scanning
16:49:04.484 Modules scanning
16:49:53.140 Disk 0 trace - called modules:
16:49:53.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
16:49:53.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a147030]
16:49:53.187 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000008a[0x8a14b340]
16:49:53.203 5 ACPI.sys[b9f7e620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x89b9f028]
16:49:54.421 AVAST engine scan C:\WINDOWS
16:51:30.531 AVAST engine scan C:\WINDOWS\system32
17:04:02.171 AVAST engine scan C:\WINDOWS\system32\drivers
17:05:41.015 AVAST engine scan C:\Dokumente und Einstellungen\Aerophil
17:31:16.203 AVAST engine scan C:\Dokumente und Einstellungen\All Users
17:34:57.906 Scan finished successfully
17:35:12.984 Disk 0 MBR has been saved successfully to "C:\Dokumente und Einstellungen\Aerophil\Desktop\MBR.dat"
17:35:12.984 The log file has been saved successfully to "C:\Dokumente und Einstellungen\Aerophil\Desktop\aswMBR.txt"
|
| Themen zu TR/ATRAPS.Gen2, RootKit.0Access und Trojan.Phex.THAGen6 |
| administrator, adobe, antivir, avg, avira, bho, bingbar, branding, crypto, dateien gelöscht, desktop, error, explorer, firefox, format, frage, harddisk, helper, homepage, lenovo, logfile, monitor, netzwerk, opera, ordner, plug-in, security, senden, software, temp, trojan.phex.thagen, trojan.phex.thagen6, windows-firewall |
Baum-Darstellung