Log Analysis and Evaluation: please help, tried everything without success (Windows 7)
25.03.2009, 14:05, #1

Good day everyone, it seems I have a big problem again, so here is a short description: yesterday morning the PC was tip-top, everything was fine. Then I turned it on again yesterday evening and it ran really slowly and I could not get a connection to the internet (by the way, I have an 18000 line). Updates are all current. I have now spent the whole night trying everything: registry cleaner, avast, G-Data 2010, Malwarebytes, Spyware Doctor, TuneUp 2009, and now also AVG Free 8.5, all up to date, and of course I uninstalled the others before installing a new antivirus.... Now I have also done a HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:57:47, on 25.03.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Alles mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Alle &Videos mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Mit BitComet herunter&laden - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://www.flatcast-data.com/data/objects/NpFv501.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASP.NET-Zustandsdienst (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: olMntrService - Olivetti - C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - http://v.netlogstatic.com/v2.05/472//s/skins/love2/skinbg.jpg
O24 - Desktop Component 1: (no name) - http://stationbollywood.com/wp-content/uploads/2008/02/rani-mukherjee-007.jpg
O24 - Desktop Component 2: (no name) - http://internationalreporter.com/images/Rani_1.gif
O24 - Desktop Component 3: (no name) - http://www2.uol.com.br/bandasdegaragem/images/cds/capa1213422461.jpg
O24 - Desktop Component 4: (no name) - http://www.musik-base.de/images/fotogalerie/Fler-foto-11238.jpg
O24 - Desktop Component 5: (no name) - http://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.3.png
O24 - Desktop Component 6: (no name) - http://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.2.png
O24 - Desktop Component 7: (no name) - http://www.spielmit.com/myprofile/profileimages/images_de/NzY3NzEyOQ==1225173442.JPG
O24 - Desktop Component 8: (no name) - http://www.oneworldinternetcafe.com/betta/fullflare.jpg

--
End of file - 8625 bytes

I hope you can help me, I'm at my wits' end.
25.03.2009, 14:18, #2

Hi,

HijackThis, fix: open HijackThis -- button "Scan" -- tick the boxes in front of the following entries -- button "Fix checked" -- restart the PC. All programs must be closed while fixing!

Code:
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=

http://www.trojaner-board.de/59299-a...eb-cureit.html

Gmer: http://www.trojaner-board.de/74908-a...t-scanner.html
Start GMER and see whether it already reports something. If it does, please answer all questions with "no", go to the "Rootkit" tab, again answer the question with "no", and paste the report into the thread using Copy. If it reports nothing that way, go to the Rootkit tab and run a scan. Once it has finished, choose Copy and paste the report.

Then post a new HJT log together with the logs from the tools...

chris

PS: Are all these desktop pictures intentional?

Code:
O24 - Desktop Component 0: (no name) - ht*p://v.netlogstatic.com/v2.05/472//s/skins/love2/skinbg.jpg
O24 - Desktop Component 1: (no name) - ht*p://stationbollywood.com/wp-content/uploads/2008/02/rani-mukherjee-007.jpg
O24 - Desktop Component 2: (no name) - ht*p://internationalreporter.com/images/Rani_1.gif
O24 - Desktop Component 3: (no name) - ht*p://www2.uol.com.br/bandasdegaragem/images/cds/capa1213422461.jpg
O24 - Desktop Component 4: (no name) - ht*p://www.musik-base.de/images/fotogalerie/Fler-foto-11238.jpg
O24 - Desktop Component 5: (no name) - ht*p://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.3.png
O24 - Desktop Component 6: (no name) - ht*p://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.2.png
O24 - Desktop Component 7: (no name) - ht*p://www.spielmit.com/myprofile/profileimages/images_de/NzY3NzEyOQ==1225173442.JPG
O24 - Desktop Component 8: (no name) - ht*p://www.oneworldinternetcafe.com/betta/fullflare.jpg

Last edited by Chris4You (25.03.2009 at 14:25)
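The reply above picks the HJT entries to fix by pattern: hooks whose file is gone, search settings redirected to a third-party toolbar, a Local Page that is no longer an absolute path, and the O24 desktop components it asks about. The Python script below is an added example (not code from the thread or from HijackThis) that applies those rules to a constructed subset of the log posted above; the rule names and the allowlist of default Microsoft hosts are assumptions of mine.

```python
"""Triage of HijackThis (HJT) log lines by the rules a log helper applies
by eye.  Added example, not code from the thread or from HijackThis."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the R/O entries from the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O24 - Desktop Component 0: (no name) - http://v.netlogstatic.com/v2.05/472//s/skins/love2/skinbg.jpg
"""

# IE search settings whose value should normally point at a Microsoft host.
SEARCH_NAMES = {"Search Bar", "Default_Search_URL", "SearchAssistant", "CustomizeSearch"}
# Assumption: hosts treated as IE defaults; anything else counts as redirected.
DEFAULT_HOST_SUFFIXES = ("microsoft.com", "msn.com", "live.com")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
VALUE_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<val>.*)$")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%)")


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "R1" or "O24"
    reason: str   # one of the rule names used in triage()
    line: str


def _is_default_host(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in DEFAULT_HOST_SUFFIXES)


def triage(log_text):
    """Return the entries an analyst would look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        # Rule 1: a hook, button or service is registered but its file is gone.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(sec, "orphaned", line))
            continue
        # Rules 2 and 3 apply to the R0/R1 registry-value entries only.
        if sec in ("R0", "R1"):
            v = VALUE_RE.match(body)
            if not v or not v.group("val"):
                continue  # an empty value is IE's own "unset" state
            setting = v.group("key").rsplit("\\", 1)[-1]  # e.g. "Main,Local Page"
            subkey, _, name = setting.partition(",")
            value = v.group("val")
            if name == "Local Page" and not ABS_PATH_RE.match(value):
                findings.append(Finding(sec, "local-page-relative", line))
            elif (name in SEARCH_NAMES or subkey == "SearchURL") and not _is_default_host(value):
                findings.append(Finding(sec, "search-redirected", line))
        # Rule 4: Active Desktop components fetched from the web are worth confirming.
        elif sec == "O24" and "http" in body:
            findings.append(Finding(sec, "remote-desktop-component", line))
    return findings


def count_by_reason(findings):
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:26} {f.line}")
```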
25.03.2009, 19:46, #3

Good evening, first of all thanks for the quick help, unfortunately without success I think. First of all, Dr. Web found nothing.

So now what HijackThis scanned:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:53, on 25.03.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Alles mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Alle &Videos mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Mit BitComet herunter&laden - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://www.flatcast-data.com/data/objects/NpFv501.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASP.NET-Zustandsdienst (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: olMntrService - Olivetti - C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6869 bytes

And now from GMER:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-25 19:45:01
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT sprk.sys ZwCreateKey [0xF72870E0]
SSDT sprk.sys ZwEnumerateKey [0xF72A5CA2]
SSDT sprk.sys ZwEnumerateValueKey [0xF72A6030]
SSDT sprk.sys ZwOpenKey [0xF72870C0]
SSDT sprk.sys ZwQueryKey [0xF72A6108]
SSDT sprk.sys ZwQueryValueKey [0xF72A5F88]
SSDT sprk.sys ZwSetValueKey [0xF72A619A]

INT 0x62 ? 837F4BF8
INT 0x63 ? 8376DBF8
INT 0x73 ? 83860BF8
INT 0x83 ? 83860BF8
INT 0xB4 ? 8376DBF8

---- Kernel code sections - GMER 1.0.15 ----

? sprk.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload F705C8AC 5 Bytes JMP 8376D1D8
.text a6xz0whe.SYS F6932384 1 Byte [20]
.text a6xz0whe.SYS F6932384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text a6xz0whe.SYS F69323AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text a6xz0whe.SYS F69323C4 3 Bytes [00, 00, 00]
.text a6xz0whe.SYS F69323C9 1 Byte [00]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] sprk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] sprk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] sprk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] sprk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] sprk.sys
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] sprk.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8385F1F8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{7C1DED49-9391-4150-8F64-05A4A264950A} 82D101F8
Device \Driver\usbohci \Device\USBPDO-0 8376B1F8
Device \Driver\usbehci \Device\USBPDO-1 837601F8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
Device \Driver\PCI_PNP7986 \Device\00000057 sprk.sys
Device \Driver\Cdrom \Device\CdRom0 836D91F8
Device \Driver\Cdrom \Device\CdRom1 836D91F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82D101F8
Device \Driver\NetBT \Device\NetbiosSmb 82D101F8
Device \Driver\sptd \Device\523172986 sprk.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
Device \Driver\usbohci \Device\USBFDO-0 8376B1F8
Device \Driver\nvata \Device\NvAta0 838601F8
Device \Driver\usbehci \Device\USBFDO-1 837601F8
Device \Driver\nvata \Device\NvAta1 838601F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D011F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D011F8
Device \Driver\Ftdisk \Device\FtControl 838611F8
Device \Driver\a6xz0whe \Device\Scsi\a6xz0whe1 837521F8
Device \Driver\a6xz0whe \Device\Scsi\a6xz0whe1Port4Path0Target0Lun0 837521F8
Device \FileSystem\Cdfs \Cdfs 82D061F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x13 0x38 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x52 0xA4 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0x39 0x1F 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x52 0xA4 0xD6 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0x39 0x1F 0x3F ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}@12AED12 13242BE
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}\InprocServer32

---- EOF - GMER 1.0.15 ----

I don't understand what all of that means, but I hope someone can help me further. By the way, I have already removed the desktop photos.

Regards
27.03.2009, 08:38, #4

Hi,

hmm, there is a driver in there that hooks in far down but cannot be found by GMER: \System32\Drivers\a6xz0whe.SYS

Check whether you can find it under c:\windows\System32\Drivers\a6xz0whe.SYS and have it checked at VirusTotal.

virustotal: at the top of the page --> click "Browse" --> choose the file (or paste the file with its correct path directly) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste
http://www.virustotal.com/flash/index_en.html

Then we still have sprk.sys, which may, however, belong to Daemon Tools (do you use that?).

Malwarebytes Antimalware (MAM). Instructions & download here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Full scan and let it clean everything! Post the log.
Alternative download: http://filepony.de/download-malwarebytes_anti_malware/, http://www.gt500.org/malwarebytes/mbam.jsp

Silent Runners: unpack the zip archive into a directory, start it with a double-click, choose "yes". The file it creates is in the same directory the script was copied to; please load it in an editor and post it.
http://www.silentrunners.org/Silent%20Runners.zip

Avira Antirootkit: download Avira Antirootkit and scan your system, post the logfile.
http://dl.antivir.de/down/windows/antivir_rootkit.zip

chris
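The reply reasons from the GMER report in two steps: one driver owns SSDT and IAT hooks and a device object yet GMER reports its file as not found, and a second driver's own import table resolves to values far below kernel space. The Python script below is an added example (not part of the thread or of GMER) that groups a GMER report by owning driver and flags exactly those two conditions; the sample report is a constructed subset of the one posted above, and the 0x80000000 kernel boundary is an assumption for 32-bit XP without /3GB.

```python
"""Group a GMER rootkit-scan report by the driver that owns each hook or
device and flag the two conditions the reply above reasons about.  Added
example, not a GMER feature."""
import re
from dataclasses import dataclass, field

# Assumption: 32-bit Windows XP without /3GB, so kernel space starts here.
KERNEL_BASE = 0x80000000

# Constructed sample: a subset of the GMER report posted above.
SAMPLE_REPORT = r"""
---- System - GMER 1.0.15 ----
SSDT sprk.sys ZwCreateKey [0xF72870E0]
SSDT sprk.sys ZwOpenKey [0xF72870C0]
---- Kernel code sections - GMER 1.0.15 ----
? sprk.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload F705C8AC 5 Bytes JMP 8376D1D8
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] sprk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] sprk.sys
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] sprk.sys
---- Devices - GMER 1.0.15 ----
Device \Driver\sptd \Device\523172986 sprk.sys
Device \Driver\a6xz0whe \Device\Scsi\a6xz0whe1 837521F8
Device \Driver\Cdrom \Device\CdRom0 836D91F8
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<mod>\S+)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(
    r"^IAT\s+(?P<victim>[^\[]+)\[(?P<imp>[^\]]+)\]\s+"
    r"(?:\[(?P<hooked>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S+)|(?P<raw>[0-9A-Fa-f]+))\s*$")
MISSING_RE = re.compile(r"^\?\s+(?P<mod>\S+)\s+")
DEVICE_RE = re.compile(r"^Device\s+(?P<drv>\S+)\s+(?P<dev>\S+)\s+(?P<owner>\S+)")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class DriverSummary:
    ssdt_hooks: list = field(default_factory=list)          # (Zw function, handler address)
    iat_hooks: list = field(default_factory=list)           # (victim module, import) redirected into this driver
    unresolved_imports: list = field(default_factory=list)  # own imports resolving below KERNEL_BASE
    devices: list = field(default_factory=list)             # device objects GMER attributes to this driver
    missing_on_disk: bool = False                           # GMER printed "? <driver> ... not found"


def _basename(path):
    return path.strip().rsplit("\\", 1)[-1]


def triage(report):
    """Map lower-cased driver file name -> DriverSummary."""
    drivers = {}

    def get(name):
        return drivers.setdefault(name.lower(), DriverSummary())

    for raw in report.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            get(m["mod"]).ssdt_hooks.append((m["func"], int(m["addr"], 16)))
        elif m := MISSING_RE.match(line):
            get(m["mod"]).missing_on_disk = True
        elif m := IAT_RE.match(line):
            if m["hooker"]:
                # Another module's import redirected into the named driver.
                get(m["hooker"]).iat_hooks.append((_basename(m["victim"]), m["imp"]))
            elif int(m["raw"], 16) < KERNEL_BASE:
                # The driver's own import slot holds a user-space-sized value:
                # GMER could not resolve the image it read for that driver.
                get(_basename(m["victim"])).unresolved_imports.append((m["imp"], m["raw"]))
        elif m := DEVICE_RE.match(line):
            if not ADDR_RE.match(m["owner"]):
                get(m["owner"]).devices.append(m["dev"])
    return drivers


def suspicious(drivers):
    """Drivers that hook but are not on disk, or whose imports are unresolved."""
    return sorted(n for n, s in drivers.items()
                  if (s.ssdt_hooks or s.iat_hooks or s.devices) and s.missing_on_disk
                  or s.unresolved_imports)


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for name in suspicious(summary):
        s = summary[name]
        print(f"{name}: {len(s.ssdt_hooks)} SSDT, {len(s.iat_hooks)} IAT, "
              f"{len(s.unresolved_imports)} unresolved imports, devices={s.devices}, "
              f"missing_on_disk={s.missing_on_disk}")
```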
27.03.2009, 20:56 | #5 |
| Hi, I've worked through all of it. System32\Drivers\a6xz0whe.SYS cannot be found. Then Silent Runners:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
     \InProcServer32\(Default) = "C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll" ["BitComet"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{A057A204-BACC-4D26-9990-79A187E2698E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgtoolbar.dll" ["[[[COMPANYNAME]]]----------------------------"]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
     \InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
  -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"
     \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~2\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~2\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~2\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"NoSimpleStartMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideClock" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoTrayItemsDisplay" = (REG_DWORD) dword:0x00000000 {Hide the notification area}
"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"NoCDBurning" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoControlPanel" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoAutoUpdate" = (REG_DWORD) dword:0x00000000 {Windows Automatic Updates}
"NoSaveSettings" = (REG_DWORD) dword:0x00000000 {Don't save settings at exit}
"NoViewContextMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoTrayContextMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoStartMenuNetworkPlaces" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoNetworkConnections" = (REG_DWORD) dword:0x00000000 {Remove Network Connections from Start Menu}
"NoNetHood" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoUserNameInStartMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoWindowsUpdate" = (REG_DWORD) dword:0x00000000 {Remove links and access to Windows Update}
"NoSetTaskbar" = (REG_DWORD) dword:0x00000000 {Prevent changes to Taskbar and Start Menu Settings}
"NoFind" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoRun" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoDesktop" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoBandCustomize" = (REG_DWORD) dword:0x00000000 {Disable customizing browser toolbars}
"NoToolbarsCustomize" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoResolveTrack" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"NoDispSettingsPage" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoDispCPL" = (REG_DWORD) dword:0x00000000 {Remove Display in Control Panel}
"NoDispScrSavPage" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoDispAppearancePage" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000 {Hide Desktop tab}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {Prevent access to registry editing tools}
"DisableTaskMgr" = (REG_DWORD) dword:0x00000000 {Remove Task Manager}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
"ProgramsTab" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Check_If_Default" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"CalendarContact" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Messaging" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Advanced" = (REG_DWORD) dword:0x00000000 {Disable changing Advanced page settings}
"AdvancedTab" = (REG_DWORD) dword:0x00000000 {Disable the Advanced page}
"ConnectionsTab" = (REG_DWORD) dword:0x00000000 {Disable the Connections page}
"Connection Settings" = (REG_DWORD) dword:0x00000000 {Disable changing connection settings}
"Proxy" = (REG_DWORD) dword:0x00000000 {Disable changing proxy settings}
"AutoConfig" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"ContentTab" = (REG_DWORD) dword:0x00000000 {Disable the Content page}
"CertifPub" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Ratings" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"CertifPers" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Profiles" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"PrivacyTab" = (REG_DWORD) dword:0x00000000 {Disable the Privacy page}
"Privacy Settings" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"SecurityTab" = (REG_DWORD) dword:0x00000000 {Disable the Security page}
"SecChangeSettings" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"SecAddSites" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"History" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HomePage" = (REG_DWORD) dword:0x00000000 {Disable changing home page settings}
"GeneralTab" = (REG_DWORD) dword:0x00000000 {Disable the General page}
"Cache" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Languages" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Accessibility" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Fonts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"Colors" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
"NoFavorites" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoTheaterMode" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoSelectDownloadDir" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on}
"ShutdownWithoutLogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Basra\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-burn\Command\(Default) = ""C:\Programme\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-copy\Command\(Default) = "C:\Programme\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-rip\Command\(Default) = ""C:\Programme\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

AVSDVDMovieOnArrival\
"Provider" = "AVS DVD Player"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithAVSDVDPlayer"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithAVSDVDPlayer\Command\(Default) = ""C:\Programme\AVSMedia\DVDPlayer\AVSDVDPlayer.EXE" "%L"" ["Online Media Technologies Ltd."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2008\OneClickStarter.exe /schedulestart" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{A057A204-BACC-4D26-9990-79A187E2698E}"
  -> {HKLM...CLSID} = "AVG Security Toolbar"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgtoolbar.dll" ["[[[COMPANYNAME]]]----------------------------"]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQToolBar"
     \InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{A057A204-BACC-4D26-9990-79A187E2698E}" = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
     \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgtoolbar.dll" ["[[[COMPANYNAME]]]----------------------------"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
"ButtonText" = "BitComet"
"Script" = "res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206" ["BitComet"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQToolBar"
     \InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "tbr:res?id=tabs&rep=1" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Java Quick Starter, JavaQuickStarterService, ""C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
olMntrService, olMntrService, "C:\Programme\Olivetti\ANY_WAY\olMntrService.exe" ["Olivetti"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
STI Simulator, STI Simulator, "C:\WINDOWS\System32\PAStiSvc.exe" [null data]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

----------
(launch time: 2009-03-27 20:50:42)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 30 seconds,
including 9 seconds for message boxes) |
27.03.2009, 20:57 | #6 |
| Avira AntiRootkit Tool - Beta (1.0.1.17)
========================================================================================================
- Scan started Freitag, 27. März 2009 - 20:42:26
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.53 GB
- Working disk free size : 28.85 GB (38 %)

--------------------------------------------------------------------------------------------------------
Results:
Hidden value : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011} -> 12aed12

--------------------------------------------------------------------------------------------------------
Files: 0/24277
Registry items: 1/457179
Processes: 0/33
Scan time: 00:03:17

--------------------------------------------------------------------------------------------------------
Active processes:
- wlqlsaun.exe (PID 3692) (Avira AntiRootkit Tool - Beta)
- iexplore.exe (PID 4032)
- System (PID 4)
- smss.exe (PID 640)
- csrss.exe (PID 688)
- winlogon.exe (PID 716)
- services.exe (PID 760)
- lsass.exe (PID 772)
- ati2evxx.exe (PID 940)
- svchost.exe (PID 960)
- svchost.exe (PID 1052)
- svchost.exe (PID 1164)
- svchost.exe (PID 1204)
- ati2evxx.exe (PID 1240)
- svchost.exe (PID 1404)
- svchost.exe (PID 1524)
- spoolsv.exe (PID 1700)
- avgwdsvc.exe (PID 428)
- explorer.exe (PID 524)
- avgrsx.exe (PID 608)
- avgnsx.exe (PID 616)
- jqs.exe (PID 888)
- olMntrService.exe (PID 1340)
- PnkBstrA.exe (PID 1364)
- PAStiSvc.exe (PID 1484)
- svchost.exe (PID 1504)
- avgemc.exe (PID 1820)
- avgtray.exe (PID 2000)
- avgcsrvx.exe (PID 1780)
- alg.exe (PID 2132)
- ALCFDRTM.EXE (PID 2380)
- iexplore.exe (PID 1376)
- avirarkd.exe (PID 3208)

========================================================================================================
- Scan finished Freitag, 27. März 2009 - 20:45:44
========================================================================================================

Avira AntiRootkit Tool - Beta (1.0.1.17)
========================================================================================================
- Scan started Freitag, 27. März 2009 - 20:47:54
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.53 GB
- Working disk free size : 28.81 GB (38 %)

--------------------------------------------------------------------------------------------------------
Results:
Hidden value : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011} -> 12aed12

--------------------------------------------------------------------------------------------------------
Files: 0/24277
Registry items: 1/457290
Processes: 0/35
Scan time: 00:03:45

--------------------------------------------------------------------------------------------------------
Active processes:
- wlqlsaun.exe (PID 3692) (Avira AntiRootkit Tool - Beta)
- iexplore.exe (PID 4032)
- System (PID 4)
- smss.exe (PID 640)
- csrss.exe (PID 688)
- winlogon.exe (PID 716)
- services.exe (PID 760)
- lsass.exe (PID 772)
- ati2evxx.exe (PID 940)
- svchost.exe (PID 960)
- svchost.exe (PID 1052)
- svchost.exe (PID 1164)
- svchost.exe (PID 1204)
- ati2evxx.exe (PID 1240)
- svchost.exe (PID 1404)
- svchost.exe (PID 1524)
- spoolsv.exe (PID 1700)
- avgwdsvc.exe (PID 428)
- explorer.exe (PID 524)
- avgrsx.exe (PID 608)
- avgnsx.exe (PID 616)
- jqs.exe (PID 888)
- olMntrService.exe (PID 1340)
- PnkBstrA.exe (PID 1364)
- PAStiSvc.exe (PID 1484)
- svchost.exe (PID 1504)
- avgemc.exe (PID 1820)
- avgtray.exe (PID 2000)
- avgcsrvx.exe (PID 1780)
- alg.exe (PID 2132)
- ALCFDRTM.EXE (PID 2380)
- iexplore.exe (PID 1376)
- avirarkd.exe (PID 3208)
- wmiprvse.exe (PID 3680)
- wmiprvse.exe (PID 3656)

========================================================================================================
- Scan finished Freitag, 27. März 2009 - 20:51:40
======================================================================================================== |
27.03.2009, 22:26 | #7 |
| Hi, nothing to be found. What does MAM report? I still have to think about it or ask around. The hidden key is also found by Avira; what would be interesting is the entry under:
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}\InprocServer32
The program/DLL usually sits under the server entry, but since the entry is hidden we probably won't get at it that easily... I'll get back to you later..... chris
28.03.2009, 09:11 | #8 |
| Good morning. What's odd is that the AntiVir rootkit tool found something yesterday, but I couldn't delete anything with the program myself, and that I couldn't find the driver manually in system32 even though I had ticked the option to show hidden system files. Regards |
31.03.2009, 00:42 | #9 |
| Does anyone have advice in this case? I'd appreciate any help. |
31.03.2009, 02:08 | #10 | |
| Quote:
Well, the a6xz0whe.SYS looks very much like Daemon Tools to me. This driver name changes on every reboot. Run a GMER scan again and post the result. Do you have a Dell PC? |
31.03.2009, 06:53 | #11 |
| Hi, Daemon Tools could be it, although opinions differ somewhat on that... The simplest approach in this case is probably to scan the computer from a CD (create a boot CD). Two options for that:
Antivir Rescue CD: http://www.avira.de/de/support/support_downloads.html
Please download the Rescue System and its update there. When the application starts, put a blank CD in the burner and let it burn the CD. Burn a second CD with the unpacked update. Boot from the CD (set this in the BIOS)... http://www.pcwelt.de/start/sicherheit/antivirus/news/149200/
G Data rescue CD, size approx. 110 MB: http://www.gdata.de/typo3conf/ext/dam_frontend/pushfile.php?docID=826
Download it and burn it to CD, then boot from the CD (change the boot order in the BIOS; this applies to AVIRA as well).... chris
31.03.2009, 15:27 | #12 |
| Whether it is Daemon Tools is quite easy to check. After a GMER scan, compare the name of the driver it found with the entry in Device Manager, under (SCSI and RAID controllers). If the names are identical, you can safely assume it comes from Daemon Tools. But scanning the system from a rescue CD is a good idea anyway. |
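The comparison described in the post above can be scripted instead of done by hand in Device Manager. The following PowerShell is an added example, not code from any poster in this thread; it assumes a Windows host with WMI access, takes the flagged driver name (a6xz0whe.SYS) and the `sptd` service name and DAEMON Tools path from this thread, and uses the fixed class GUID of "SCSI and RAID controllers" to find which driver service each such controller uses.

```powershell
# Added example: check whether the driver name GMER flagged belongs to a device in the
# "SCSI and RAID controllers" class, which is what the post above suggests comparing.
# Assumptions: Windows with WMI; the default name below is the one reported in this thread.
param(
    [string]$FlaggedDriver = 'a6xz0whe.SYS'   # random driver name from the GMER/HijackThis output
)

# Device Manager class GUID for "SCSI and RAID controllers" (fixed, documented value).
$ScsiClassGuid = '{4D36E97B-E325-11CE-BFC1-08002BE10318}'

# A PnP device's "Service" property holds the service (driver) name without the .sys extension.
$serviceName = [System.IO.Path]::GetFileNameWithoutExtension($FlaggedDriver)

function Get-ScsiControllerDrivers {
    # Every PnP device in the SCSI/RAID controller class, with the service that drives it.
    # -eq on strings is case-insensitive in PowerShell, so GUID casing does not matter.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $ScsiClassGuid } |
        Select-Object Name, Service, DeviceID
}

function Test-DriverMatch {
    param([string]$Service)
    # True when some SCSI/RAID controller is served by the flagged driver name.
    $hit = Get-ScsiControllerDrivers | Where-Object { $_.Service -and ($_.Service -ieq $Service) }
    if ($hit) {
        Write-Output "Match: controller '$($hit.Name)' is driven by service '$Service'."
        return $true
    }
    Write-Output "No SCSI/RAID controller is driven by service '$Service'."
    return $false
}

function Get-DriverEvidence {
    param([string]$Service)
    # Supporting facts a responder wants before calling the driver a known emulator or unknown.
    $driverFile = Join-Path $env:SystemRoot "System32\drivers\$Service.sys"
    $sptd = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='sptd'"   # DAEMON Tools' SPTD layer
    $sptdState = 'n/a'
    if ($sptd) { $sptdState = $sptd.State }
    $dtFolder = Join-Path $env:ProgramFiles 'DAEMON Tools Lite'              # path seen in the GMER log
    New-Object PSObject -Property @{
        DriverFileOnDisk   = (Test-Path -LiteralPath $driverFile)   # Test-Path also sees hidden files
        SptdServicePresent = [bool]$sptd
        SptdState          = $sptdState
        DaemonToolsFolder  = (Test-Path -LiteralPath $dtFolder)
    }
}

$match    = Test-DriverMatch -Service $serviceName
$evidence = Get-DriverEvidence -Service $serviceName
$evidence | Format-List

if ($match -and $evidence.SptdServicePresent) {
    Write-Output 'Consistent with the DAEMON Tools (sptd) virtual SCSI driver described in the thread.'
} else {
    Write-Output 'Not explained by DAEMON Tools; treat the driver as unknown and scan from a rescue CD as advised.'
}
```

Because the driver name changes on every reboot, run this in the same session as the GMER scan whose name you pass in; a stale name will simply report no match.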
31.03.2009, 16:05 | #13 |
| Good afternoon. No, it is not a Dell PC; it is an AMD Athlon(tm) 64 Processor 3800+ at 2.41 GHz with 768 MB of RAM. First of all, all installed programs:
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Ashampoo Burning Studio 6 FREE
ATI - Dienstprogramm zur Deinstallation der Software
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Problem Report Wizard
Avira AntiVir Personal - Free Antivirus
AVIVO Codecs
AVS DVD Player version 2.4
BitComet 1.09
CCleaner (remove only)
CD Bremse 1.48
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2 deutsch (DeCSS-frei)
HijackThis 2.0.2
ICQ Toolbar
ICQ6
Java(TM) 6 Update 12
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 6
LiveUpdate BVRP Software
MAGIX Fotos auf CD & DVD 8 deluxe Download-Version 8.0.2.2 (D)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 German Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mobile PhoneTools
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
NVIDIA Drivers
NVIDIA PhysX v8.10.13
Realtek AC'97 Audio
Registry Mechanic 8.0
Star Wars Empire at War
Stargate Empire at War
Steinberg Cubase SX
Steinberg Cubase SX 3
SUPERAntiSpyware Free Edition
SyncroSoft Emu (Remove only)
Syncrosofts Lizenz Kontrolle
TuneUp Utilities 2008
UltraStar Deluxe
Veoh Player
Viewpoint Media Player
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
GMER is still running; it will follow shortly. |
31.03.2009, 16:07 | #14 |
| So, GMER:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-31 17:06:44
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT F7AA3876 ZwCreateKey
SSDT F7AA386C ZwCreateThread
SSDT F7AA387B ZwDeleteKey
SSDT F7AA3885 ZwDeleteValueKey
SSDT sppq.sys ZwEnumerateKey [0xF72A5CA2]
SSDT sppq.sys ZwEnumerateValueKey [0xF72A6030]
SSDT F7AA388A ZwLoadKey
SSDT sppq.sys ZwOpenKey [0xF72870C0]
SSDT F7AA3858 ZwOpenProcess
SSDT F7AA385D ZwOpenThread
SSDT sppq.sys ZwQueryKey [0xF72A6108]
SSDT sppq.sys ZwQueryValueKey [0xF72A5F88]
SSDT F7AA3894 ZwReplaceKey
SSDT F7AA388F ZwRestoreKey
SSDT F7AA3880 ZwSetValueKey
SSDT F7AA3867 ZwTerminateProcess

INT 0x62 ? 837F4BF8
INT 0x63 ? 83767BF8
INT 0x73 ? 83860BF8
INT 0x83 ? 83860BF8
INT 0xB4 ? 83767BF8

---- Kernel code sections - GMER 1.0.15 ----

? sppq.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload F705C8AC 5 Bytes JMP 837671D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] sppq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] sppq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] sppq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] sppq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] sppq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] sppq.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8385F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7C1DED49-9391-4150-8F64-05A4A264950A} 82D121F8
Device \Driver\usbohci \Device\USBPDO-0 836E71F8
Device \Driver\usbehci \Device\USBPDO-1 837161F8
Device \Driver\Cdrom \Device\CdRom0 8378D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82D121F8
Device \Driver\NetBT \Device\NetbiosSmb 82D121F8
Device \Driver\usbohci \Device\USBFDO-0 836E71F8
Device \Driver\usbehci \Device\USBFDO-1 837161F8
Device \Driver\nvata \Device\NvAta0 838601F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D091F8
Device \Driver\nvata \Device\NvAta1 838601F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D091F8
Device \Driver\Ftdisk \Device\FtControl 838611F8
Device \FileSystem\Cdfs \Cdfs 82D041F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x13 0x38 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0x5E 0x6D 0xD0 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x52 0xA4 0xD6 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0x39 0x1F 0x3F ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}@12AED12 13242BE
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}\InprocServer32

---- EOF - GMER 1.0.15 ---- |
31.03.2009, 16:10 | #15 |
| By the way, I uninstalled Daemon Tools before the scan. |