Log Analysis and Evaluation: Tdss. Windows 7. If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and Trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
01.11.2008, 16:36 | #1
Tdss Hello Trojaner-Board, the day before yesterday I caught several things; the scans then turned up FakeAler, brast, karna and TDSServ, which by now is the only one left as far as search results go. Yesterday I got to work and followed this procedure, roughly up to post 6. TDSSmhxt.sys could be deleted in a Livevirus, but that is only a drop... Then today another Dr. Web CureIT scan of more than 300 minutes (as per the guide), of which I now have a 30MB log; it found a few things. Malwarebytes no longer finds anything. HJT currently looks like this. Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:34:30, on 01.11.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20900) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\DrWeb\spidernt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\DrWeb\spiderml.exe C:\Program Files\DrWeb\DRWEBSCD.EXE C:\PROGRA~1\DrWeb\spiderui.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\OpenOffice.org 2.2\program\soffice.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE 
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe" O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE" O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe O4 - Startup: Wuala.lnk = C:\Program Files\Caleido\Wuala\Wuala.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - 
Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe -- End of file - 5365 bytes |
02.11.2008, 19:23 | #2
/// Winkelfunktion /// TB-Süch-Tiger™ | Tdss Hello and
Quote:
If you simply don't want that, I'd ask you to run RSIT and Combofix. RSIT: Download Random's System Information Tool (RSIT) and save it to your desktop. Double-click RSIT.exe to start it. Click Continue to accept the terms of use. If you don't have HijackThis installed, RSIT will download and install it for you. In that case please also accept Trend Micro's terms of use (http://de.trendmicro.com/de/home) for HJT with "I accept". If your firewall asks, please allow RSIT to access the network. The scan starts automatically; RSIT now checks several important system areas and produces logfiles as the basis for analysis. When the scan is finished, two logfiles are created and opened in your editor. Please post the contents of C:\rsit\log.txt and C:\rsit\info.txt (<= minimized) here in the thread, again enclosed in code tags. ComboFix: A guide and tutorial on using ComboFix
Combofix may only be run when a qualified helper (Kompetenzler) has expressly recommended it! Note: Combofix disables the autostart function of all CD/DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread. Please post all logfiles enclosed in code tags (#-button), like this: HTML code: [code] Paste the logfile here! [/code]
05.11.2008, 16:55 | #3
Tdss GMER no longer reports the hidden processes in red text at startup. Under Rootkit/Malware: ssdt.sys twice, Device twice (some 32-bit value), Attached Device three times (values: Spidersys (SPiderGUard) twice and fitmgr.sys).
ComboFix either does no work, reports Access Denied in the prompt, or says that certain files could not be created. The RSIT logs: RSIT info.txt. Code:
ATTFilter info.txt logfile of random's system information tool 1.04 2008-11-04 17:48:31 ======Uninstall list====== [qip] 8020 Jeak Edition-->C:\Program Files\QIP\uninstall.exe -->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL -->C:\WINDOWS\UNRecode.exe /UNINSTALL -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7} Adobe Photoshop Elements 6.0-->msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250} Adobe Reader 8.1.2 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81200000003} AMIP (remove only)-->"C:\Program Files\Winamp\Plugins\amip_uninstall.exe" Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE Avira RootKit Detection-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FD25FCD-6F39-4686-AFBB-7056EBAE5E68}\setup.exe" -l0x9 Call of Duty-->C:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u C:\PROGRA~1\CALLOF~1\Uninstall\Install.log CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe" CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD" Counter-Strike 1.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13B792AA-C078-43A4-8A3A-8B12D629940D}\Setup.exe" -l0x19 DF CrcSfv 1.3-->"C:\Program Files\DF CrcSfv\unins000.exe" Dr.Web-->"C:\Program Files\InstallShield Installation Information\{BBE2F69C-4338-11D7-8F0C-00A0244F4E2D}\setup.exe" -runfromtemp -l0x0007 -removeonly EA SPORTS online 2006-->C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe Exact Audio Copy 0.95b4-->C:\Program Files\Exact Audio Copy\uninst.exe FIFA 06-->C:\Program Files\EA SPORTS\FIFA 06\EAUninstall.exe 
FinalBurner Free v1.30.0.127-->"C:\Program Files\FinalBurner\Uninstall.exe" "C:\Program Files\FinalBurner\install.log" -u GameTap-->C:\Program Files\InstallShield Installation Information\{67E158AF-8856-4337-B483-EA21930786AF}\setup.exe -runfromtemp -l0x0009 -removeonly GetDataBack for FAT-->"C:\Program Files\Runtime Software\GetDataBack\Uninstall.exe" "C:\Program Files\Runtime Software\GetDataBack\install.log" -u GrabIt 1.7.2 Beta 3 (build 996)-->"C:\Program Files\GrabIt\unins000.exe" Guitar Pro 5.2-->"C:\Program Files\Guitar Pro 5\unins000.exe" HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe KaLoMa 4.65-->"C:\Program Files\KaLoMa\unins000.exe" Last.fm 1.5.1.30182-->"C:\Program Files\Last.fm\unins000.exe" LEd Beta 0.52-->"C:\Program Files\LEd\unins000.exe" Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Matroska Pack - Lazy Man's MKV 0.9.9-->"C:\Program Files\LD-Anime\unins000.exe" mIRC-->d:\mirc\uninstall.exe _?=d:\mirc Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe Mozilla Thunderbird (2.0.0.6)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} Nero 7 Ultra Edition-->MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301031} neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} Net Blitz II-->C:\WINDOWS\Uninstall Net Blitz II.exe News File Grabber 
4.5.0.2-->"C:\Program Files\RSBR-Software\News File Grabber\unins000.exe" NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI NVIDIA nForce APU1 Utilities-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_NVAUtilsNT 132 C:\WINDOWS\INF\NVAUtils.inf OpenOffice.org 2.2-->MsiExec.exe /I{E7DA9B23-5715-45D8-965E-E76688A2B948} PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net QIP 2005 Uninstall-->"C:\Program Files\QIP\unqip.exe" QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328} Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe" Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe" Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe" Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe" Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe" Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security 
Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe" Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe" Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe" Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe" Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe" Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe" Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe" Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe" Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe" Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe" Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP 
(KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe" Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe" Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe" Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe" Sibelius Scorch Plugin-->"C:\Program Files\Musicnotes\uninstsc.exe" Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82} The Personal FTP Server 5.52f-->"C:\Program Files\PFTP\unins000.exe" Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe" Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe" Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe" Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe" Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe" Windows Live Messenger-->MsiExec.exe 
/I{279DB581-239C-4E13-97F8-0F48E40BE75C} WinRAR-->C:\Program Files\WinRAR\uninstall.exe XP Codec Pack-->C:\Program Files\XP Codec Pack\Uninstall.exe YouSendIt Express-->C:\Program Files\InstallShield Installation Information\{FA362C5C-A5D2-470F-A2CC-F13546919D36}\setup.exe -runfromtemp -l0x0409 ======Security center information====== AV: Doctor Web Anti-Virus AV: Avira AntiVir PersonalEdition ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=6 "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 2, AuthenticAMD "PROCESSOR_REVISION"=0602 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip -----------------EOF----------------- |
05.11.2008, 18:34 | #4
/// Winkelfunktion /// TB-Süch-Tiger™ | Tdss What about the other RSIT log?
Please always post logfiles in CODE tags
05.11.2008, 19:48 | #5
Tdss Oh right... Code:
ATTFilter Logfile of random's system information tool 1.04 (written by random/random) Run by *** at 2008-11-04 17:46:39 Microsoft Windows XP Professional Service Pack 2 System drive C: has 3 GB (13%) free of 23 GB Total RAM: 255 MB (19% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:48:09, on 04.11.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20900) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\DrWeb\spidernt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\NVATray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe C:\Program Files\DrWeb\spiderml.exe C:\Program Files\DrWeb\DRWEBSCD.EXE C:\PROGRA~1\DrWeb\spiderui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\OpenOffice.org 2.2\program\soffice.exe C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\michael\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\michael.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start 
Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe" O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE" O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: 
@xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. 
- C:\PROGRA~1\DrWeb\spidernt.exe -- End of file - 5686 bytes ======Registry dump====== [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NVIDIA nForce APU1 Utilities"=C:\WINDOWS\system32\NVATray.exe [2001-11-28 45056] "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624] "NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136] "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480] "nwiz"=nwiz.exe /install [] "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016] "avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-17 266497] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792] "Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe [2007-09-10 67488] "CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344] "SpIDerMail"=C:\Program Files\DrWeb\spiderml.exe [2008-06-10 501080] "DrWebScheduler"=C:\Program Files\DrWeb\DRWEBSCD.EXE [2008-05-05 283888] "SpIDerNT"=C:\PROGRA~1\DrWeb\spiderui.exe [2008-10-23 197896] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872] C:\Documents and Settings\michael\Start Menu\Programs\Startup OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-04-15 133632] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "NoDispScrSavPage"=0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "D:\mIRC\mirc.exe"="D:\mIRC\mirc.exe:*:Enabled:mIRC" "C:\Program Files\Last.fm\LastFM.exe"="C:\Program Files\Last.fm\LastFM.exe:*:Enabled:LastFM" "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire" "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger" "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\Program Files\PPMate\ppmate.exe"="C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate" "C:\Program Files\PPMate\ppamnet.exe"="C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate" "C:\Program Files\QIP\qip.exe"="C:\Program Files\QIP\qip.exe:*:Enabled:Quiet Internet Pager" "C:\Program Files\PFTP\PFtp.exe"="C:\Program Files\PFTP\PFtp.exe:*:Enabled:The Personal FTP Server" "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype" 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\SETUP.EXE

======List of files/folders created in the last 1 months======

2008-11-04 17:46:39 ----D---- C:\rsit
2008-10-31 21:45:59 ----AT---- C:\WINDOWS\system32\DRWEBSP.DLL
2008-10-31 21:45:50 ----D---- C:\Program Files\DrWeb
2008-10-31 19:51:49 ----D---- C:\Avenger
2008-10-31 19:51:49 ----A---- C:\avenger.txt
2008-10-31 17:36:52 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-31 17:31:42 ----D---- C:\WINDOWS\system32\appmgmt
2008-10-31 17:09:53 ----D---- C:\Program Files\CCleaner
2008-10-31 17:04:58 ----D---- C:\Program Files\Avira GmbH
2008-10-31 11:15:39 ----A---- C:\WINDOWS\gmer.ini
2008-10-31 11:15:36 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-10-31 11:15:35 ----A---- C:\WINDOWS\gmer.dll
2008-10-31 11:15:34 ----A---- C:\WINDOWS\gmer.exe
2008-10-31 07:57:47 ----A---- C:\WINDOWS\system32\TDSSfxwp.dll
2008-10-31 07:57:44 ----A---- C:\WINDOWS\system32\TDSScfum.dll
2008-10-31 07:57:32 ----A---- C:\WINDOWS\system32\TDSSofxh.dll
2008-10-25 12:27:04 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-19 09:24:03 ----D---- C:\Program Files\GameTap
2008-10-19 09:24:03 ----D---- C:\Documents and Settings\All Users\Application Data\GameTap
2008-10-19 09:23:16 ----D---- C:\Documents and Settings\michael\Application Data\InstallShield
2008-10-17 09:50:20 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 16:36:14 ----D---- C:\Documents and Settings\michael\Application Data\skypePM
2008-10-16 16:33:47 ----D---- C:\Program Files\Common Files\Skype
2008-10-16 11:44:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 11:44:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 11:43:52 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 11:34:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-07 08:38:15 ----D---- C:\WINDOWS\system32\CatRoot_bak

======List of files/folders modified in the last 1 months======

2008-11-04 17:37:56 ----D---- C:\Program Files\Mozilla Firefox
2008-11-04 17:36:56 ----D---- C:\WINDOWS\Temp
2008-11-04 17:25:24 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-04 17:20:45 ----D---- C:\Documents and Settings\michael\Application Data\OpenOffice.org2
2008-11-04 07:38:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-03 23:56:23 ----D---- C:\WINDOWS\Prefetch
2008-11-03 23:55:31 ----D---- C:\WINDOWS
2008-11-03 09:00:40 ----D---- C:\WINDOWS\Minidump
2008-11-01 12:55:59 ----D---- C:\WINDOWS\system32
2008-11-01 11:29:56 ----D---- C:\Program Files\DAEMON Tools
2008-10-31 21:45:50 ----RD---- C:\Program Files
2008-10-31 21:45:50 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-31 20:00:38 ----D---- C:\WINDOWS\system32\drivers
2008-10-31 18:49:01 ----D---- C:\Documents and Settings
2008-10-31 17:36:44 ----D---- C:\Config.Msi
2008-10-31 17:28:02 ----SHD---- C:\WINDOWS\Installer
2008-10-31 17:15:52 ----D---- C:\WINDOWS\Debug
2008-10-31 09:55:10 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-30 23:28:41 ----D---- C:\Documents and Settings\michael\Application Data\uTorrent
2008-10-26 08:17:49 ----D---- C:\Program Files\aEton CommunicaEor
2008-10-26 08:15:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-25 12:28:22 ----HD---- C:\WINDOWS\inf
2008-10-25 12:25:49 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-20 14:29:43 ----D---- C:\Documents and Settings\michael\Application Data\Mozilla
2008-10-16 18:08:21 ----D---- C:\Documents and Settings\michael\Application Data\Skype
2008-10-16 16:34:08 ----D---- C:\Program Files\Skype
2008-10-16 16:33:47 ----D---- C:\Program Files\Common Files
2008-10-16 11:42:40 ----D---- C:\Program Files\Internet Explorer
2008-10-16 11:41:45 ----D---- C:\WINDOWS\ie7updates
2008-10-15 17:53:28 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-07 09:50:35 ----D---- C:\WINDOWS\system32\CatRoot

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2007-04-15 37376]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-07-17 75072]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2008-04-19 21248]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1999-09-10 25244]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-03 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-08-23 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-08-23 55936]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2007-04-15 62336]
R2 SPIDER;SpIDer Guard File System Monitor; \??\C:\PROGRA~1\DrWeb\spider.sys []
R2 STEC3;STEC3; \??\C:\WINDOWS\system32\STEC3.sys []
R2 X4HSX32;X4HSX32; \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2007-04-15 60800]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2007-02-16 34760]
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-10-31 85969]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2007-04-15 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 nvax;Service for NVIDIA® nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2001-11-28 13056]
R3 nvnforce;Service for NVIDIA® nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2001-11-28 162304]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2007-04-15 59264]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2007-04-15 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2003-12-24 256512]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
S3 azwocbxo;azwocbxo; C:\WINDOWS\system32\drivers\azwocbxo.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-23 9600]
S3 mbr;mbr; \??\C:\DOCUME~1\michael\LOCALS~1\Temp\mbr.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-04-15 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-04-15 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6; C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Planer; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-07-17 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-08-15 149761]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 SPIDERNT;SpIDer Guard for Windows; C:\PROGRA~1\DrWeb\spidernt.exe [2008-10-23 197896]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-14 654848]
S3 usnjsvc;Messenger USN Journal Reader-Service für freigegebene Ordner; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------
05.11.2008, 20:05 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Tdss
Hello, decide on either DrWeb or AntiVir; you should not have two virus scanners with a resident guard installed. Make sure that all files are being shown to you, then have the following files analysed at Virustotal.com and post all results, in a form that shows the verdict of each individual scanner. Please include file sizes and checksums:
Code:
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSofxh.dll
C:\WINDOWS\system32\drivers\azwocbxo.sys
C:\WINDOWS\system32\STEC3.sys
Instructions for Avenger (by swandog46)
Download the Avenger tool and save it to the desktop:
Code:
files to delete:
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSofxh.dll
C:\WINDOWS\system32\drivers\azwocbxo.sys
C:\WINDOWS\system32\STEC3.sys

drivers to delete:
STEC3
azwocbxo

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
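The helper picked the files above out of the RSIT driver list by a few cues: entries with empty `[]` (RSIT could read no date or size), names with the TDSS prefix, drivers loading from odd locations. The following triage helper is an added example, not code from RSIT, Avenger or anyone in this thread; it parses RSIT driver lines and reports those cues. The `TDSSserv` line in the sample is constructed from the SafeBoot key name above; the other sample lines are copied from the log.

```python
import re
from dataclasses import dataclass

# Added triage helper for the RSIT "List of drivers" section (example code, not an RSIT feature).
# RSIT line shape: "<R|S><start> <name>;<display name>; <path> [<date> <size>]"
# with empty brackets when RSIT could not read the file (hidden, missing or locked).
DRIVER_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)
# Prefix shared by the malicious files in this thread (TDSSfxwp.dll, TDSSserv.sys, ...).
MALWARE_PREFIXES = ("TDSS",)


@dataclass
class Driver:
    state: str      # R = running, S = stopped
    start: int      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str       # service key name
    display: str
    path: str       # as RSIT prints it, possibly with the \??\ NT prefix
    info: str       # "YYYY-MM-DD size", or "" when RSIT had no file data


def parse_driver_line(line: str):
    """Parse one RSIT driver line; return None for lines that are not driver entries."""
    m = DRIVER_LINE.match(line.strip())
    if not m:
        return None
    return Driver(m["state"], int(m["start"]), m["name"], m["display"],
                  m["path"], m["info"].strip())


def triage_reasons(d: Driver) -> list[str]:
    """Cues that make a driver worth a closer look (hash it, submit it, check the publisher).
    These are triage cues, not verdicts: legitimate drivers trip them too (see avgio below)."""
    reasons = []
    path = d.path[4:] if d.path.startswith("\\??\\") else d.path
    low = path.lower()
    if not d.info:
        reasons.append("RSIT found no date/size for the file (hidden, missing or unreadable)")
    if d.name.upper().startswith(MALWARE_PREFIXES):
        reasons.append("service name carries the TDSS prefix seen on the infected files")
    if "\\temp\\" in low:
        reasons.append("driver loads from a Temp directory")
    if low.endswith(".sys") and "\\windows\\system32\\" in low and "\\drivers\\" not in low:
        reasons.append("weak cue: .sys sits directly in system32 rather than system32\\drivers")
    return reasons


def triage(rsit_text: str) -> dict[str, list[str]]:
    """Map each driver name that trips at least one cue to its list of reasons."""
    findings = {}
    for line in rsit_text.splitlines():
        d = parse_driver_line(line)
        if d is None:
            continue
        reasons = triage_reasons(d)
        if reasons:
            findings[d.name] = reasons
    return findings


# Constructed sample: lines copied from the RSIT log above, plus one constructed
# TDSSserv line (the service itself had already been removed when that log was taken).
SAMPLE_RSIT_DRIVERS = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2007-04-15 37376]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R2 STEC3;STEC3; \??\C:\WINDOWS\system32\STEC3.sys []
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-10-31 85969]
S3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
S3 azwocbxo;azwocbxo; C:\WINDOWS\system32\drivers\azwocbxo.sys []
S3 mbr;mbr; \??\C:\DOCUME~1\michael\LOCALS~1\Temp\mbr.sys []
S3 TDSSserv;TDSSserv; C:\WINDOWS\system32\drivers\TDSSserv.sys []
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RSIT_DRIVERS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Note that `mbr.sys` in Temp is flagged although it is the rootkit scanner's own helper driver, and the Avira `avgio` driver is flagged only because RSIT could not read it; the list is a to-check list, and the VirusTotal results in the next post are what settle each entry.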
06.11.2008, 23:34 | #7 |
| Tdss
I had actually got Dr. Web on top for this; it was even quite far back in the chain of measures. So I'll part with one of them...
C:\WINDOWS\system32\TDSSfxwp.dll
Code:
File size: 2444 bytes
MD5...: 6a120b0566d05879f006c9cd3b57dc5c
SHA1..: 15598f3e49357c96112a0743100e7de7b3d82334
SHA256: 0ab70f3756b07acea7471cf9142600059db11050b7fa722d9b69ff2f7ae34445
SHA512: ca26d452964de3bb4c0df408f2d675b54460614ec7548bacf83d43ec3ae71840 98b5e8cfc324025b89df2312c1a0ab5b8e95ca510ffa78796872734578973106
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.11.5.3 2008.11.06 -
AntiVir 7.9.0.26 2008.11.06 -
Authentium 5.1.0.4 2008.11.06 -
Avast 4.8.1248.0 2008.11.06 -
AVG 8.0.0.161 2008.11.06 -
BitDefender 7.2 2008.11.06 -
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.06 -
DrWeb 4.44.0.09170 2008.11.06 -
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6195 2008.11.06 -
Ewido 4.0 2008.11.06 -
F-Prot 4.4.4.56 2008.11.06 -
F-Secure 8.0.14332.0 2008.11.06 Vundo.DZC
Fortinet 3.117.0.0 2008.11.06 -
GData 19 2008.11.06 -
Ikarus T3.1.1.45.0 2008.11.06 -
K7AntiVirus 7.10.518 2008.11.06 -
Kaspersky 7.0.0.125 2008.11.06 -
McAfee 5425 2008.11.05 -
Microsoft 1.4005 2008.11.06 -
NOD32 3591 2008.11.06 -
Norman 5.80.02 2008.11.06 Vundo.DZC
Panda 9.0.0.4 2008.11.05 -
PCTools 4.4.2.0 2008.11.06 -
Prevx1 V2 2008.11.06 -
Rising 21.02.32.00 2008.11.06 -
SecureWeb-Gateway 6.7.6 2008.11.06 -
Sophos 4.35.0 2008.11.06 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.06 -
TheHacker 6.3.1.1.141 2008.11.05 -
TrendMicro 8.700.0.1004 2008.11.06 -
VBA32 3.12.8.9 2008.11.05 -
ViRobot 2008.11.6.1455 2008.11.06 -
VirusBuster 4.5.11.0 2008.11.06 -
Guard reported the file, ignoring was not possible, I chose "disinfect"; after a reboot the file apparently no longer exists.
C:\WINDOWS\system32\TDSSofxh.dll
Code:
File size: 26624 bytes
MD5...: 83f257ff1cadb6bd8a24d9921ced0bed
SHA1..: 3b66fb3cc981ee95e30a0a9049d3ff2ea74d756b
SHA256: 47354d57f63c7b8420d5b42a466078b7c19794e0d32e778d419b4d0ee777d317
SHA512: bfbec420e51270dc0b8e0e991ea71ccc2b317dfdfbf6fa38cf43897e0d0bfb0f a79e0a6e6ce880bcf6e67fbce58ca82b29b07a03747e265b2b8f9fb7edc89419
AhnLab-V3 2008.11.5.3 2008.11.06 -
AntiVir 7.9.0.26 2008.11.06 TR/Agent.gbt.26624
Authentium 5.1.0.4 2008.11.06 W32/Trojan3.GW
Avast 4.8.1248.0 2008.11.06 -
AVG 8.0.0.161 2008.11.06 -
BitDefender 7.2 2008.11.06 Trojan.FakeAlert.AKV
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.06 -
DrWeb 4.44.0.09170 2008.11.06 BackDoor.Tdss.27
eSafe 7.0.17.0 2008.11.06 Suspicious File
eTrust-Vet 31.6.6195 2008.11.06 -
Ewido 4.0 2008.11.06 -
F-Prot 4.4.4.56 2008.11.06 W32/Trojan3.GW
F-Secure 8.0.14332.0 2008.11.06 -
Fortinet 3.117.0.0 2008.11.06 -
GData 19 2008.11.06 Trojan.FakeAlert.AKV
Ikarus T3.1.1.45.0 2008.11.06 Trojan-Downloader.Win32.Renos.AQ
K7AntiVirus 7.10.518 2008.11.06 -
Kaspersky 7.0.0.125 2008.11.06 -
McAfee 5426 2008.11.06 Generic.dx
Microsoft 1.4005 2008.11.06 Trojan:Win32/Sudiet.B
NOD32 3592 2008.11.06 -
Norman 5.80.02 2008.11.06 -
Panda 9.0.0.4 2008.11.06 Bck/Tdss.C
PCTools 4.4.2.0 2008.11.06 -
Prevx1 V2 2008.11.06 Cloaked Malware
Rising 21.02.32.00 2008.11.06 -
SecureWeb-Gateway 6.7.6 2008.11.06 Trojan.Agent.gbt.26624
Sophos 4.35.0 2008.11.06 Troj/Tdss-A
Sunbelt 3.1.1783.2 2008.11.05 Trojan.TDSServ
Symantec 10 2008.11.06 -
TheHacker 6.3.1.1.142 2008.11.06 -
TrendMicro 8.700.0.1004 2008.11.06 -
VBA32 3.12.8.9 2008.11.06 -
ViRobot 2008.11.6.1455 2008.11.06 -
VirusBuster 4.5.11.0 2008.11.06 -
Does not exist
C:\WINDOWS\system32\STEC3.sys
Code:
File size: 2368 bytes
MD5...: e4ebf293d1f612bda19b646c36715b20
SHA1..: a867e2c752f5cecb279ce5a90b54de9a7b494e6a
SHA256: 39ebd72bf112098032784d4fd84915e936e7594ab25794af5f37fa5b0b6309bc
SHA512: 22ef38256fe206ce3c6467a2905be79deb0ddb250eb7b5752817cc537b3031d1 e739f370983c8b3bf32d3e9783cdcb19de3abfc7a372d8841fc8829bacef5c27
AhnLab-V3 2008.11.5.3 2008.11.06 -
AntiVir 7.9.0.26 2008.11.06 -
Authentium 5.1.0.4 2008.11.06 -
Avast 4.8.1248.0 2008.11.06 -
AVG 8.0.0.161 2008.11.06 -
BitDefender 7.2 2008.11.06 -
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.06 -
DrWeb 4.44.0.09170 2008.11.06 -
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6195 2008.11.06 -
Ewido 4.0 2008.11.06 -
F-Prot 4.4.4.56 2008.11.06 -
F-Secure 8.0.14332.0 2008.11.06 -
Fortinet 3.117.0.0 2008.11.06 -
GData 19 2008.11.06 -
Ikarus T3.1.1.45.0 2008.11.06 -
K7AntiVirus 7.10.518 2008.11.06 -
Kaspersky 7.0.0.125 2008.11.06 -
McAfee 5426 2008.11.06 -
Microsoft 1.4005 2008.11.06 -
NOD32 3592 2008.11.06 -
Norman 5.80.02 2008.11.06 -
Panda 9.0.0.4 2008.11.06 -
PCTools 4.4.2.0 2008.11.06 -
Prevx1 V2 2008.11.06 -
Rising 21.02.32.00 2008.11.06 -
SecureWeb-Gateway 6.7.6 2008.11.06 -
Sophos 4.35.0 2008.11.06 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.06 -
TheHacker 6.3.1.1.142 2008.11.06 -
TrendMicro 8.700.0.1004 2008.11.06 -
VBA32 3.12.8.9 2008.11.06 -
ViRobot 2008.11.6.1455 2008.11.06 -
VirusBuster 4.5.11.0 2008.11.06 -
07.11.2008, 09:17 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Tdss
Are you still going to do the Avenger step?
__________________
Logfiles: please always post them in CODE tags
07.11.2008, 17:42 | #9 |
| Tdss
avenger.txt
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\TDSSfxwp.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\TDSScfum.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\TDSSofxh.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\azwocbxo.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\azwocbxo.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\STEC3.sys" deleted successfully.
Driver "STEC3" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\azwocbxo" not found!
Deletion of driver "azwocbxo" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38, on 2008-11-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\DrWeb\spiderml.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\PROGRA~1\DrWeb\spidernt.exe
C:\PROGRA~1\DrWeb\spiderui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\***\Desktop\qlketzd.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Wuala.lnk = C:\Program Files\Caleido\Wuala\Wuala.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe

--
End of file - 5633 bytes
07.11.2008, 21:01 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Tdss
Okay. Try whether Combofix will start now.
08.11.2008, 14:59 | #11 |
| Tdss
That worked; the scan gave:
Code:
ComboFix 08-11-03.06 - *** 2008-11-08 14:23:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.46 [GMT 1:00]
Running from: c:\documents and settings\***\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Legacy_TDSSSERV
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-04 17:46 . 2008-11-04 17:48 <DIR> d-------- C:\rsit
2008-10-31 21:48 . 2008-11-01 10:40 <DIR> d-------- c:\documents and settings\***\DoctorWeb
2008-10-31 21:45 . 2008-11-08 13:46 <DIR> d-------- c:\program files\DrWeb
2008-10-31 21:45 . 2008-10-31 21:45 77,824 --a----t- c:\windows\system32\DRWEBSP.DLL
2008-10-31 18:49 . 2008-10-31 18:49 <DIR> d-------- c:\documents and settings\Administrator
2008-10-31 17:09 . 2008-10-31 17:09 <DIR> d-------- c:\program files\CCleaner
2008-10-31 17:04 . 2008-10-31 17:04 <DIR> d-------- c:\program files\Avira GmbH
2008-10-31 11:15 . 2008-11-05 16:50 250 --a------ c:\windows\gmer.ini
2008-10-19 09:24 . 2008-10-19 09:24 <DIR> d-------- c:\program files\GameTap
2008-10-19 09:24 . 2008-10-19 10:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameTap
2008-10-19 09:23 . 2008-10-19 09:23 <DIR> d-------- c:\documents and settings\***\Application Data\InstallShield
2008-10-16 16:36 . 2008-10-16 16:36 <DIR> d-------- c:\documents and settings\***\Application Data\skypePM
2008-10-16 16:36 . 2008-10-16 16:36 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-10-16 16:33 . 2008-10-16 16:33 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-15 16:55 . 2008-08-14 10:57 2,185,984 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 16:55 . 2008-08-14 10:55 2,142,720 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 16:55 . 2008-08-14 10:18 2,020,864 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 16:54 . 2008-08-14 10:18 2,062,976 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 13:42 --------- d-----w c:\documents and settings\***\Application Data\OpenOffice.org2
2008-11-01 10:29 --------- d-----w c:\program files\DAEMON Tools
2008-10-31 20:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-26 07:17 --------- d-----w c:\program files\aEton CommunicaEor
2008-10-16 17:08 --------- d-----w c:\documents and settings\***\Application Data\Skype
2008-10-16 15:34 --------- d-----w c:\program files\Skype
2008-09-30 18:28 --------- d-----w c:\program files\GrabIt
2008-09-19 09:08 --------- d-----w c:\program files\Trend Micro
2008-09-18 15:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-09-18 15:37 --------- d-----w c:\documents and settings\***\Application Data\Malwarebytes
2008-09-18 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-09-15 12:17 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-08-26 09:08 827,904 ----a-w c:\windows\system32\wininet.dll
2008-08-14 09:57 2,185,984 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:18 2,062,976 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"SpIDerMail"="c:\program files\DrWeb\spiderml.exe" [2008-06-10 501080]
"DrWebScheduler"="c:\program files\DrWeb\DRWEBSCD.EXE" [2008-05-05 283888]
"SpIDerNT"="c:\progra~1\DrWeb\spiderui.exe" [2008-10-23 197896]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 c:\windows\system32\NVATray.exe]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\***\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]
Wuala.lnk - c:\program files\Caleido\Wuala\Wuala.exe [2008-06-13 153600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\mIRC\\mirc.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\PFTP\\PFtp.exe"=
"c:\\Program Files\\Caleido\\Wuala\\Wuala.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [2008-10-23 268040]
R2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [2008-10-23 197896]
R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;c:\windows\system32\DRIVERS\mrv8k51.sys [2003-12-24 256512]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.SYS [2002-09-09 16269]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE

.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-brastk - c:\windows\system32\brastk.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\***\Application Data\Mozilla\Firefox\Profiles\e1k5rf8g.default\
FF -: plugin - c:\program files\GameTap\bin\Release\npgametaptool.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 14:36:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.bin
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-11-08 14:51:32 - machine was rebooted [***]
ComboFix-quarantined-files.txt 2008-11-08 13:51:15

Pre-Run: 3,466,813,440 bytes free
Post-Run: 3,414,876,160 bytes free

148 --- E O F --- 2008-10-25 11:29:33
09.11.2008, 19:56 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Tdss
That actually looks okay again. Please do another run with MalwareBytes.
12.09.2009, 20:38 | #13 |
| Tdss
I have just successfully kicked TDSS off my computer. After I had tried every possible tool without success (the virus/trojan hunters have no chance there; they do report success, but they have no chance!), the following procedure worked:
Using the Recovery Console, delete all files "SKYNET*.*" one by one from the directories WINDOWS\system32 and WINDOWS\system32\drivers; that is the only way the thing can be removed!
Delete all copies of protect.dll and autochk.dll from the file system; they sit hidden in all the profile paths (don't forget WINDOWS\system32\config\systemprofile!) and in WINDOWS\system32.
In every Startup folder there was also a hidden .lnk; delete it.
Wininit.ini in my case contained the entry:
[rename]
c:\tempjunk8719.tmp=C:\WINDOWSN\system32\drivers\SKYNETjiuhyiqg.sys_old
nul=c:\tempjunk7555.tmp
c:\tempjunk910.tmp=C:\WINDOWSN\system32\drivers\SKYNETjiuhyiqg.sys
c:\tempjunk103.tmp=C:\WINDOWSN\system32\SKYNETdkmpqqai.dll_old
c:\tempjunk9948.tmp=C:\WINDOWSN\system32\SKYNETdkmpqqai.dll
c:\tempjunk9192.tmp=C:\WINDOWSN\system32\SKYNETwuynilwd.dll_old
c:\tempjunk2148.tmp=C:\WINDOWSN\system32\SKYNETwuynilwd.dll
c:\tempjunk7669.tmp=C:\WINDOWSN\system32\SKYNETeeqtlpab.dat_old
c:\tempjunk2214.tmp=C:\WINDOWSN\system32\SKYNETeeqtlpab.dat
c:\tempjunk1993.tmp=C:\WINDOWSN\system32\SKYNETtetyxvkd.dat_old
c:\tempjunk7555.tmp=C:\WINDOWSN\system32\SKYNETtetyxvkd.dat
Empty it!
->SKYNETjiuhyiqg.sys<- THAT IS THE CULPRIT!!!
In Local Settings I also found various hidden directories with Flash players that worked as helpers for the worm, plus a pile of temp and cache files.
The work was tedious but worthwhile; I kicked the thing in the backside and my machine is now as clean as a freshly changed baby's bottom
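The Wininit.ini [rename] section quoted in the post above is a boot-time file operation queue, which is why it matters for cleanup: whatever is listed there is moved or deleted before any scanner runs. The following parser is an added example, not code from the poster; it assumes the classic wininit.ini semantics (each line is destination=source, and a destination of NUL deletes the source), and the sample is constructed from a few of the quoted entries with the directory name kept as quoted.

```python
# Added example: list what a wininit.ini [rename] section would do at the next boot.
# Assumed format (classic wininit.ini): under [rename], "destination=source" moves the
# source file to destination at boot, and a destination of NUL deletes the source.
# Constructed sample built from the entries quoted in the post above.
SAMPLE_WININIT_INI = r"""
[rename]
c:\tempjunk8719.tmp=C:\WINDOWSN\system32\drivers\SKYNETjiuhyiqg.sys_old
nul=c:\tempjunk7555.tmp
c:\tempjunk910.tmp=C:\WINDOWSN\system32\drivers\SKYNETjiuhyiqg.sys
c:\tempjunk103.tmp=C:\WINDOWSN\system32\SKYNETdkmpqqai.dll_old
c:\tempjunk9948.tmp=C:\WINDOWSN\system32\SKYNETdkmpqqai.dll
"""


def parse_rename_section(ini_text: str) -> list[dict]:
    """Return the [rename] entries as dicts with keys action ('move'|'delete'), source, destination.
    Other sections, blank lines and ';' comments are ignored; section names are case-insensitive."""
    entries = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        action = "delete" if dest.lower() == "nul" else "move"
        entries.append({"action": action, "source": src, "destination": dest})
    return entries


def entries_touching(entries: list[dict], prefix: str) -> list[dict]:
    """Entries whose source or destination file name starts with prefix (case-insensitive),
    e.g. the SKYNET* names the poster was hunting for."""
    hits = []
    for e in entries:
        for key in ("source", "destination"):
            name = e[key].replace("/", "\\").rsplit("\\", 1)[-1]
            if name.lower().startswith(prefix.lower()):
                hits.append(e)
                break
    return hits


if __name__ == "__main__":
    pending = parse_rename_section(SAMPLE_WININIT_INI)
    for e in pending:
        print(f'{e["action"]:6} {e["source"]} -> {e["destination"]}')
    print(len(entries_touching(pending, "SKYNET")), "pending operations touch SKYNET* files")
```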