Log analysis and evaluation: Trojan "hjgruisgenherw.dll" in the System32 folder

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system has to be examined first: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
14.07.2009, 22:21  #1
Hello,

I have had the following problem for a few days: as soon as my antivirus (Avira AntiVir Free) starts, the virus warning for "hjgruisgenherw.dll" comes up at least 20 times. I looked in the folder where the file is supposedly located and cannot find it. I have tried several full scans with AntiVir, CCleaner and a-squared Free, also in Safe Mode, but nothing has helped. Googling the DLL did not return a single hit either. On top of that my system has slowed down enormously, and when I click a search result on Google, for example, I very often get a different page (advertising) instead of the one I clicked. Neither deleting, moving to quarantine nor the other options offered by the virus warning have achieved anything. Here is my HijackThis file:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54:30, on 14.07.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
D:\Programme\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\***\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h***:\\www.samsungcomputer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h***://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h***://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h***:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h***://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h***://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h***://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: (no name) - {8a194578-81ea-4850-9911-13ba2d71efbd} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Steam] "d:\programme\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears-Einstellungen - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h***://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUpldde-de.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - h***://static.pe.schuelervz.net/photouploader/ImageUploader5.cab?nocache=1227291054
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - h***://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h***://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Anwendungserfahrung AeLookupSvcALG (AeLookupSvcALG) - Unknown owner - C:\Windows\TEMP\ejhvpdepxt.exe (file missing)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcg_device - - C:\Windows\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 9093 bytes

Last edited by Secret91 (14.07.2009 at 22:42)
15.07.2009, 08:58  #3
Hello Kaos,

Thank you very much! Gmer part 1:

Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 09:50:24
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

INT 0x51  ?  868A9DB8
INT 0x72  ?  868A9DB8
INT 0x82  ?  868A9DB8
INT 0x92  ?  85028BF8
INT 0x92  ?  868A9DB8
INT 0x92  ?  868A9DB8
INT 0x92  ?  868A9DB8
INT 0x92  ?  85028BF8
INT 0xA2  ?  868A9DB8

Code  8F6502F8  ZwEnumerateKey
Code  8F6502C0  ZwFlushInstructionCache
Code  8F675445  IofCallDriver
Code  8F6A32FE  IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!IofCallDriver  82080169 5 Bytes  JMP 8F67544A
.text  ntoskrnl.exe!IofCompleteRequest  820801D6 5 Bytes  JMP 8F6A3303
PAGE  ntoskrnl.exe!ZwFlushInstructionCache  821E21C2 5 Bytes  JMP 8F6502C4
PAGE  ntoskrnl.exe!ZwEnumerateKey  8220D58C 5 Bytes  JMP 8F6502FC
?  System32\Drivers\sppv.sys  The system cannot find the path specified. !
.text  USBPORT.SYS!DllUnload  8EA504CB 5 Bytes  JMP 868A9398

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[372] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 015F000A
.text  C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe[496] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 003B000A
.text  C:\Windows\system32\lsm.exe[648] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0009000A
.text  C:\Windows\system32\nvvsvc.exe[876] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0039000A
.text  C:\Windows\System32\svchost.exe[960] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0046000A
.text  ...
.text  C:\Program Files\a-squared Free\a2service.exe[1628] kernel32.dll!CreateThread + 1A  76E746E2 4 Bytes  CALL 0045493D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text  C:\Windows\system32\taskeng.exe[1876] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0025000A
.text  C:\Program Files\Avira\AntiVir Desktop\sched.exe[1944] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0021000A
.text  C:\Windows\Explorer.EXE[2076] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 004A000A
.text  C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2152] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0079000A
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[2296] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0011000A
.text  ...
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!FindResourceExA  76E608DD 7 Bytes  JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!FindResourceA  76E609A5 5 Bytes  JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!CreateEventA  76E74AD8 5 Bytes  JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!LockResource  76E77F1F 5 Bytes  JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!FindResourceExW  76E7813B 1 Byte  [E9]
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!FindResourceExW  76E7813B 7 Bytes  JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!LoadResource  76E78213 7 Bytes  JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!FindResourceW  76E797C7 5 Bytes  JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] kernel32.dll!SizeofResource  76E797E5 7 Bytes  JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] ADVAPI32.dll!CryptDeriveKey  7706E6F6 7 Bytes  JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] ADVAPI32.dll!CryptDecrypt  7706E8D9 7 Bytes  JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!SetWindowPlacement  761E79BB 5 Bytes  JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!SetWindowRgn  761E95E2 7 Bytes  JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!LoadImageW  761ED61D 5 Bytes  JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!LoadIconW  761EEC94 5 Bytes  JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!CreateWindowExW  761F3D67 5 Bytes  JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!GetWindowLongW  761FF67F 7 Bytes  JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!PeekMessageW  761FFD9F 5 Bytes  JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!TrackPopupMenuEx  76210F4D 5 Bytes  JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!CreateDialogParamW  76211C58 5 Bytes  JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] USER32.dll!MessageBoxIndirectW  7623D56B 5 Bytes  JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WS2_32.dll!closesocket  766A330C 5 Bytes  JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WS2_32.dll!recv  766A343A 5 Bytes  JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WS2_32.dll!WSASend  766A4496 5 Bytes  JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WS2_32.dll!send  766A659B 5 Bytes  JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WS2_32.dll!WSARecv  766A8400 5 Bytes  JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] SHELL32.dll!Shell_NotifyIconW  7561C808 5 Bytes  JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] ole32.dll!CoRegisterClassObject  768045AC 5 Bytes  JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] ole32.dll!CoInitializeEx  7683B89A 5 Bytes  JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] ole32.dll!CoCreateInstance  7683E188 5 Bytes  JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WININET.dll!InternetReadFile  7640654B 5 Bytes  JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WININET.dll!InternetCloseHandle  76409088 5 Bytes  JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WININET.dll!HttpOpenRequestA  7640D5E8 5 Bytes  JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2808] WININET.dll!HttpSendRequestA  7641EEB9 5 Bytes  JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2836] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 003B000A
.text  C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[3124] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0049000A
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3256] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 0094000A
.text  C:\Program Files\CyberLink\Shared Files\RichVideo.exe[3512] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 001B000A
.text  C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3580] ntdll.dll!LdrLoadDll  76F37933 5 Bytes  JMP 018D000A
.text  ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  846922D8
IAT  \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice]  [8A26CC4C] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]  [8A26CCA0] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [8A23C6D2] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [8A23C040] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [8A23C7FC] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort]  [8A23C0BE] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [8A23C13C] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint]  846932D8
IAT  \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  868A9498
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [8A24C048] \SystemRoot\System32\Drivers\sppv.sys
IAT  \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint]  8684E2D8

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Program Files\a-squared Free\a2service.exe[1628] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem]  [00454A94] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT  C:\Program Files\a-squared Free\a2service.exe[1628] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem]  [00454A94] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  8502A1F8
Device  \FileSystem\fastfat \FatCdrom  80E1F1F8
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device  \Driver\volmgr \Device\VolMgrControl  846951F8
Device  \Driver\netbt \Device\NetBT_Tcpip_{4427CA0C-FB92-4D25-A045-B58C7B80BF08}  8F7A2500
Device  \Driver\usbuhci \Device\USBPDO-0  867491F8
Device  \Driver\usbuhci \Device\USBPDO-1  867491F8
Device  \Driver\usbuhci \Device\USBPDO-2  867491F8
Device  \Driver\usbehci \Device\USBPDO-3  8673E1F8
Device  \Driver\usbuhci \Device\USBPDO-4  867491F8
Device  \Driver\usbuhci \Device\USBPDO-5  867491F8
Device  \Driver\usbuhci \Device\USBPDO-6  867491F8
Device  \Driver\volmgr \Device\HarddiskVolume1  846951F8
Device  \Driver\usbehci \Device\USBPDO-7  8673E1F8
Device  \Driver\volmgr \Device\HarddiskVolume2  846951F8
Device  \Driver\volmgr \Device\HarddiskVolume3  846951F8
Device  \Driver\volmgr \Device\HarddiskVolume4  846951F8
Device  \Driver\netbt \Device\NetBt_Wins_Export  8F7A2500
Device  \Driver\Smb \Device\NetbiosSmb  8F7B13F8
Device  \Driver\iScsiPrt \Device\RaidPort0  868491F8
Device  \Driver\netbt \Device\NetBT_Tcpip_{DECB8486-47A8-4DB0-A326-AAD9748969B5}  8F7A2500
Device  \Driver\usbuhci \Device\USBFDO-0  867491F8
Device  \Driver\USBSTOR \Device\0000006c  8FC8C500
Device  \Driver\USBSTOR \Device\0000006d  8FC8C500
Device  \Driver\usbuhci \Device\USBFDO-1  867491F8
Device  \Driver\usbuhci \Device\USBFDO-2  867491F8
Device  \Driver\usbehci \Device\USBFDO-3  8673E1F8
Device  \Driver\usbuhci \Device\USBFDO-4  867491F8
Device  \Driver\usbuhci \Device\USBFDO-5  867491F8
Device  \Driver\usbuhci \Device\USBFDO-6  867491F8
Device  \Driver\usbehci \Device\USBFDO-7  8673E1F8
Device  \FileSystem\fastfat \Fat  80E1F1F8
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
Device  \FileSystem\cdfs \Cdfs
15.07.2009, 08:59  #4
Gmer part 2

Code:
---- Services - GMER 1.0.15 ----

Service  C:\Windows\system32\drivers\hjgruiofncpbqj.sys (*** hidden *** )  [SYSTEM] hjgruicrditipn  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002787923ce
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027879245e
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@group  file system
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@imagepath  \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main@aid  10003
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main@sid  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main@cmddelay  14400
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main\delete
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main\injector
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main\injector@*  hjgruiwsp.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\main\tasks
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruirk.sys  \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruicmd.dll  \systemroot\system32\hjgruivypkmmtu.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruilog.dat  \systemroot\system32\hjgruixlnpwdxr.dat
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruiwsp.dll  \systemroot\system32\hjgruisgenherw.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgrui.dat  \systemroot\system32\hjgruipdyegjhp.dat
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xC3 0xB9 0x14 0xAD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x82 0xD9 0xD9 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002787923ce
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00027879245e
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn@start  1
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn@type  1
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn@group  file system
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn@imagepath  \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main@aid  10003
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main@sid  0
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main@cmddelay  14400
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main\delete
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main\injector
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main\injector@*  hjgruiwsp.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\main\tasks
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\modules
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\modules@hjgruirk.sys  \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\modules@hjgruicmd.dll  \systemroot\system32\hjgruivypkmmtu.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\modules@hjgruilog.dat  \systemroot\system32\hjgruixlnpwdxr.dat
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\modules@hjgruiwsp.dll  \systemroot\system32\hjgruisgenherw.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn\modules@hjgrui.dat  \systemroot\system32\hjgruipdyegjhp.dat
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xC3 0xB9 0x14 0xAD ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x82 0xD9 0xD9 0xB8 ...

---- Files - GMER 1.0.15 ----

File  C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp  196 bytes
File  C:\Users\Gizem\AppData\Local\Temp\Low\hjgruifwdoidvqbp.tmp  2897 bytes
File  C:\Users\Gizem\AppData\Local\Temp\Low\hjgruihqxrnnsrvx.tmp  3083 bytes
File  C:\Users\Gizem\AppData\Local\Temp\Low\hjgruitdxipiagxc.tmp  196 bytes
File  C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiwbmbtixfdo.tmp  3049 bytes
File  C:\Windows\System32\drivers\hjgruiofncpbqj.sys  66560 bytes executable  <-- ROOTKIT !!!
File  C:\Windows\System32\hjgruipdyegjhp.dat  91 bytes
File  C:\Windows\System32\hjgruisgenherw.dll  18944 bytes executable
File  C:\Windows\System32\hjgruivypkmmtu.dll  41984 bytes executable
File  C:\Windows\System32\hjgruixlnpwdxr.dat  87589 bytes
File  C:\Windows\Temp\hjgruijvrqbfdooh.tmp  91 bytes

---- EOF - GMER 1.0.15 ----

I split it into 2 parts because otherwise it was too long.
15.07.2009, 16:37  #5
Hello,

1.) Please post the logs from http://www.trojaner-board.de/74910-a...tion-tool.html.

2.) Avenger instructions (by swandog46)

Download the tool Hopsassa and save it to the desktop:
Code:
Drivers to delete:
hjgruicrditipn

Registry keys to delete:
HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn

Files to delete:
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruifwdoidvqbp.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruihqxrnnsrvx.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruitdxipiagxc.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiwbmbtixfdo.tmp
C:\Windows\System32\drivers\hjgruiofncpbqj.sys
C:\Windows\System32\hjgruipdyegjhp.dat
C:\Windows\System32\hjgruisgenherw.dll
C:\Windows\System32\hjgruivypkmmtu.dll
C:\Windows\System32\hjgruixlnpwdxr.dat
C:\Windows\Temp\hjgruijvrqbfdooh.tmp
3.) Post a new Gmer log.

ciao, andreas
__________________
No support via PM! This is a forum, not private support! For all newcomers: private support only for payment, and I am very expensive.
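The Avenger script above was assembled by hand from the "Services", "Registry" and "Files" sections of the GMER log in posts #3 and #4: the hidden driver service, every registry key belonging to that service, and every dropped file sharing the same random-looking name prefix. As an added example that is not part of this thread and not code from GMER, Avenger or any other tool mentioned here, the Python below does that step mechanically. It takes the service GMER marked as hidden, derives the shared prefix from the service name and its driver image name (which comes out as "hjgrui" for this log), and emits the three Avenger sections. The sample log lines are copied from the posted GMER output and trimmed (a constructed sample); the function names and the MIN_PREFIX heuristic are my own choices. One deliberate difference: the posted script lists only the ControlSet003 key, while this generator lists every Services\<name> root key it sees, so review its output before using it.

```python
"""Build an Avenger-style removal script from the Services/Registry/Files
sections of a GMER log, keyed on the driver service GMER marked as hidden.
Added example for this thread; not code from GMER, Avenger or the forum."""
import re

# Constructed sample: lines copied from the GMER log posted in this thread,
# trimmed to a few entries (GMER's tabs replaced by double spaces).
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service  C:\Windows\system32\drivers\hjgruiofncpbqj.sys (*** hidden *** )  [SYSTEM] hjgruicrditipn  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002787923ce
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@imagepath  \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruiwsp.dll  \systemroot\system32\hjgruisgenherw.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn
Reg  HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn@start  1

---- Files - GMER 1.0.15 ----

File  C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp  196 bytes
File  C:\Windows\System32\drivers\hjgruiofncpbqj.sys  66560 bytes executable  <-- ROOTKIT !!!
File  C:\Windows\System32\hjgruisgenherw.dll  18944 bytes executable
File  C:\Windows\System32\hjgruixlnpwdxr.dat  87589 bytes
"""

# Entry shapes as they appear in the posted log.
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?\.sys)\s+\(\*\*\* hidden \*\*\* \)"
                        r"\s+\[\w+\]\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+\d+ bytes")
# Root key of a service entry: HKLM\SYSTEM\<control set>\Services\<name>
SERVICES_KEY_RE = re.compile(r"^(?P<root>HKLM\\SYSTEM\\[^\\]+\\Services\\(?P<svc>[^\\@]+))", re.I)

MIN_PREFIX = 4  # heuristic (my choice): a shorter shared prefix is too weak to match files on


def common_prefix(a, b):
    """Case-insensitive common prefix of a and b, returned with a's casing."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return a[:n]


def related_markers(service, image_stem):
    """Strings a dropped file's basename must start with to count as related."""
    prefix = common_prefix(service, image_stem)
    if len(prefix) >= MIN_PREFIX:
        return [prefix.lower()]
    return [service.lower(), image_stem.lower()]  # fall back to the exact names


def parse_gmer(text):
    """Return {'drivers', 'registry_keys', 'files'} for every hidden service in a GMER log."""
    drivers, markers, raw_keys, raw_files = [], [], [], []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            name = m.group("name")
            stem = m.group("image").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            drivers.append(name)
            markers.extend(related_markers(name, stem))
            continue
        m = REG_RE.match(line)
        if m:
            raw_keys.append(m.group("key"))
            continue
        m = FILE_RE.match(line)
        if m:
            raw_files.append(m.group("path"))

    wanted = {d.lower() for d in drivers}
    registry_keys = []
    for key in raw_keys:  # collapse values and subkeys onto the service root key
        km = SERVICES_KEY_RE.match(key)
        if km and km.group("svc").lower() in wanted and km.group("root") not in registry_keys:
            registry_keys.append(km.group("root"))

    files = []
    for path in raw_files:
        base = path.rsplit("\\", 1)[-1].lower()
        if any(base.startswith(mk) for mk in markers) and path not in files:
            files.append(path)
    return {"drivers": drivers, "registry_keys": registry_keys, "files": files}


def to_avenger_script(ioc):
    """Render the three section headers used by the script posted above."""
    sections = (("Drivers to delete:", ioc["drivers"]),
                ("Registry keys to delete:", ioc["registry_keys"]),
                ("Files to delete:", ioc["files"]))
    out = []
    for header, items in sections:
        if items:
            out.append(header)
            out.extend(items)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_avenger_script(parse_gmer(SAMPLE_GMER_LOG)))
```

Matching files by the shared prefix rather than by a fixed list is what makes the step repeatable on the next log: the sptd and BTHPORT keys in the same section are left alone because they do not belong to the hidden service, and a file whose name merely contains the prefix somewhere in the middle is not picked up either. The prefix heuristic is only as good as the rootkit's naming habit, so the output is a draft for the helper to check against the full log, not something to run blind.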
15.07.2009, 16:55  #6
1) info.txt part 1

Code:
info.txt logfile of random's system information tool 1.06 2009-07-15 17:39:21

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Recommended Settings CS4-->MsiExec.exe /I{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Extra Settings CS4-->MsiExec.exe /I{098A2A49-7CF3-4F08-A38D-FB879117152A}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Media Player-->msiexec /qb /x {39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Media Player-->MsiExec.exe /I{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe --uninstall=1
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Photoshop CS4-->MsiExec.exe /I{E4848436-0345-47E2-B648-8B522FCDA623}
Adobe Reader 8.1.6 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81300000003}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Shockwave Player 11.5-->"C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe"
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
Agere Systems HDA Modem-->agrsmdel
Apple Mobile Device Support-->MsiExec.exe /I{659B48CD-0608-4ED5-94C0-0B6C87114F10}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
a-squared Free 4.5-->"C:\Program Files\a-squared Free\unins000.exe"
Atheros WLAN Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04983D37-2202-4295-94A2-8B547C66133F}\setup.exe" -l0x9
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Business Contact Manager für Outlook 2007 SP2-->"C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {4cb9f93c-9edc-4be9-ae61-af128ddbecfa}
Business Contact Manager für Outlook 2007 SP2-->MsiExec.exe /X{4CB9F93C-9EDC-4BE9-AE61-AF128DDBECFA}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
Counter-Strike: Source-->"D:\Programme\Steam\steam.exe" steam://uninstall/240
CyberLink DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
CyberLink Power2Go-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
Die Sims™ 3-->"C:\Program Files\InstallShield Installation Information\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}\setup.exe" -runfromtemp -l0x0007 -removeonly
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EA Download Manager-->C:\Program Files\Electronic Arts\EADM\Uninstall.exe
Easy Battery Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F730513-8688-4C3C-90A3-6B9792CE2EF3}\setup.exe" -l0x9 Remove
Easy Display Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17283B95-21A8-4996-97DA-547A48DB266F}\setup.exe" -l0x9 -removeonly
Easy Network Manager 3.0-->C:\Program Files\InstallShield Installation Information\{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}\setup.exe -runfromtemp -l0x0407
Easy SpeedUp Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF367AA4-070B-493C-9575-85BE59D789C9}\setup.exe" -l0x9 Remove
Fiesta Online 1.01.004-->C:\Program Files\Gamigo Games\Fiesta Online\uninst.exe
Google Gears-->MsiExec.exe /I{F9FBBFFE-5CFD-3271-B127-C2326D796F94}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
ICQ6.5-->"C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
imagine digital freedom - Samsung-->MsiExec.exe /X{00AF10C1-44BD-4862-9D7F-24E6BA3E87FD}
Intel PROSet Wireless-->Intel PROSet Wireless
Intel® Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
iTunes-->MsiExec.exe /I{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
LabelPrint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\setup.exe" -uninstall
Lexmark 2300 Series-->C:\Program Files\Lexmark 2300 Series\Install\x86\Uninst.exe
Lexmark Fax-Lösungen-->C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe
LightScribe System Software 1.12.37.1-->MsiExec.exe /X{004C5DA2-2051-4D25-94BA-51CF810C91EB}
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - deu\setup.exe
Microsoft .NET Framework 3.5 Language Pack SP1 - deu-->MsiExec.exe /I{052FDD78-A6EA-3187-8386-C82F4CA3A929}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40407-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0407-0000-0000000FF1CE} /uninstall {26454C26-D259-4543-AA60-3189E09C5F76}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (German) 2007-->MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (German) 2007-->MsiExec.exe /X{90120000-00A1-0407-0000-0000000FF1CE}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0120-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007-->MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007-->MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007-->MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0407-0000-0000000FF1CE} /uninstall {A0516415-ED61-419A-981D-93596DA74165}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0410-0000-0000000FF1CE} /uninstall {322296D4-1EAE-4030-9FBC-D2787EB25FA2}
Microsoft Office Shared MUI (German) 2007-->MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (German) 2007-->MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft SOAP Toolkit 2.0 SP2-->MsiExec.exe /I{36BEAD11-8577-49AD-9250-E06A50AE87B0}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)-->MsiExec.exe /I{028ED9C4-25EE-4DEE-9CF4-91034BC89B18}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{7FB12670-0F93-4E1E-B2F5-4F339199A03A}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{849A32C3-E75A-4791-9B11-E568BA3525A4}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
Mozilla Firefox (3.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
n-tv plus-->MsiExec.exe /X{04FDCC5E-4B50-4A08-804D-D82DDFB1589F}
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
OpenOffice.org 3.1-->MsiExec.exe /I{99E862CC-6F69-4D39-99AA-DBF71BF3B585}
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
Phex 3.4.2.116 (remove only)-->"C:\Program Files\Phex\uninstall.exe"
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
Play AVStation-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{955597D8-E5E1-474D-B647-60AC44566D24} /l1031
PlayCamera-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{804F1285-8CBF-408D-8CDC-D4D40003B2E4}\setup.exe" -l0x7
PowerDirector-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -removeonly
Samsung Magic Doctor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}\Setup.exe" -l0x9 Remove
Samsung Recovery Solution III-->"C:\Program Files\InstallShield Installation Information\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}\setup.exe" -runfromtemp -l0x0007 -removeonly
Samsung Update Plus-->"C:\Program Files\InstallShield Installation Information\{A5F483F0-2D79-4FCA-AE09-D0D96E23EBF7}\setup.exe" -runfromtemp -l0x0409 -removeonly
Samsung Update Plus-->MsiExec.exe /X{A5F483F0-2D79-4FCA-AE09-D0D96E23EBF7}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73}
Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Source SDK Base-->"D:\Programme\Steam\steam.exe" steam://uninstall/215
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)-->MsiExec.exe /X{07629207-FAA0-4F1A-8092-BF5085BE511F}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update für Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}
Update für Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {EA160DA3-E9B5-4D03-A518-21D306665B96}
Update für Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {38472199-D7B6-4833-A949-10E4EE6365A1}
User Guide-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}\setup.exe" -l0x9 Remove
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Vimicro UVC Camera-->C:\Program Files\InstallShield Installation Information\{71A51B09-E7D3-11DB-A386-005056C00008}\setup.exe -runfromtemp -l0x0009 -removeonly
WIDCOMM Bluetooth Software 6.0.1.6300-->MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
Windows Live Anmelde-Assistent-->MsiExec.exe /I{52B97218-98CB-4B8B-9283-D213C85E1AA4}
Windows Live Call-->MsiExec.exe /I{5FC68772-6D56-41C6-9DF1-24E868198AE6}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{91E04CA7-0B13-4F8C-AA4D-2A573AC96D19}
Windows Live Fotogalerie-->MsiExec.exe /X{119B7481-0216-40D2-A5CC-C3E1F461ECC1}
Windows Live Mail-->MsiExec.exe /I{5A166C0B-9557-4364-A057-F946D674E6AC}
Windows Live Messenger-->MsiExec.exe /X{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}
Windows Live Movie Maker-Betaversion-->MsiExec.exe /X{FE6E1AF6-6B88-44FE-8101-84AE6A52B393}
Windows Live OneCare safety scanner-->"C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner-->MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Sync-->MsiExec.exe /X{ED636101-1959-4360-8BF7-209436E7DEE4}
Windows Live-Uploadtool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Movie Maker 2.6-->MsiExec.exe /X{B3DAF54F-DB25-4586-9EF1-96D24BB14088}
WinRAR-->C:\Program Files\WinRAR\uninstall.exe
Zattoo 3.3.4 Beta-->C:\Program Files\Zattoo\uninst.exe
15.07.2009, 16:56 | #7

Trojan "hjgruisgenherw.dll" in the System32 folder
1) info.txt, part 2
Code:
======Hosts File======
127.0.0.1 activate.adobe.com

======Security center information======
AV: McAfee VirusScan
FW: McAfee Personal Firewall
AS: McAfee VirusScan
AS: Windows Defender

======System event log======
Computer Name: Gizem-PC
Event Code: 4375
Message: Windows Servicing failed to set the package KB948465 (Service Pack) to the Resolved state.
Record Number: 98727
Source Name: Microsoft-Windows-Servicing
Time Written: 20090715150301.000000-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 4375
Message: Windows Servicing failed to set the package KB948465 (Service Pack) to the Resolved state.
Record Number: 98728
Source Name: Microsoft-Windows-Servicing
Time Written: 20090715150301.000000-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 4375
Message: Windows Servicing failed to set the package KB948465 (Service Pack) to the Resolved state.
Record Number: 98729
Source Name: Microsoft-Windows-Servicing
Time Written: 20090715150301.000000-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 7040
Message: The start type of the Windows Modules Installer service was changed from auto start to demand start.
Record Number: 98730
Source Name: Service Control Manager
Time Written: 20090715150301.000000-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 98731
Source Name: Service Control Manager
Time Written: 20090715150530.000000-000
Event Type: Information
User:

=====Application event log=====
Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29030
Source Name: Avira AntiVir
Time Written: 20090715153455.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29031
Source Name: Avira AntiVir
Time Written: 20090715153840.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29032
Source Name: Avira AntiVir
Time Written: 20090715153849.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29033
Source Name: Avira AntiVir
Time Written: 20090715153902.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Gizem-PC
Event Code: 5
Message: Unsupported service control request (see data below)
Record Number: 29034
Source Name: LightScribeService
Time Written: 20090715153919.000000-000
Event Type: Information
User:

=====Security event log=====
Computer Name: Gizem-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
  Security ID: S-1-5-18
  Account Name: GIZEM-PC$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7

Logon Type: 5

New Logon:
  Security ID: S-1-5-18
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e7
  Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
  Process ID: 0x274
  Process Name: C:\Windows\System32\services.exe

Network Information:
  Workstation Name:
  Source Network Address: -
  Source Port: -

Detailed Authentication Information:
  Logon Process: Advapi
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 29174
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715145600.792900-000
Event Type: Audit Success
User:

Computer Name: Gizem-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
  Security ID: S-1-5-18
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Record Number: 29175
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715145600.792900-000
Event Type: Audit Success
User:

Computer Name: Gizem-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
  Security ID: S-1-5-18
  Account Name: GIZEM-PC$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7
  Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
  Target Server Name: localhost
  Additional Information: localhost

Process Information:
  Process ID: 0x274
  Process Name: C:\Windows\System32\services.exe

Network Information:
  Network Address: -
  Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 29176
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715145602.384900-000
Event Type: Audit Success
User:

Computer Name: Gizem-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
  Security ID: S-1-5-18
  Account Name: GIZEM-PC$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7

Logon Type: 5

New Logon:
  Security ID: S-1-5-18
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e7
  Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
  Process ID: 0x274
  Process Name: C:\Windows\System32\services.exe

Network Information:
  Workstation Name:
  Source Network Address: -
  Source Port: -

Detailed Authentication Information:
  Logon Process: Advapi
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide det
ailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 29177
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715145602.384900-000
Event Type: Audit Success
User:

Computer Name: Gizem-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
  Security ID: S-1-5-18
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
Record Number: 29178
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090715145602.384900-000
Event Type: Audit Success
User:

======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF-----------------
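The Application event log in this info.txt records the same Avira detection (TR/TDss.yux in C:\Windows\System32\hjgruisgenherw.dll) four times within five minutes, while the opening post says the file is not visible in that folder. A scanner that keeps reporting a system-directory file it never manages to remove, combined with a directory listing that does not show the file, is the signature of a rootkit-protected component, and TR/TDss is Avira's family name for TDSS. The following example is added here for this page; it is not code from the post, from Avira or from RSIT. It parses an RSIT-style info.txt into its =====Name===== sections and "Field: value" event records and reports files in system directories that were detected repeatedly. The field names, timestamp format, Avira source name and event ID 4113 follow the posted log; SYSTEM_DIRS, min_hits and the SAMPLE_INFO_TXT text are my own choices, the sample being constructed and modelled on the records above.

```python
"""Triage an RSIT info.txt event-log dump for one system-directory file that the
on-access scanner keeps detecting. Added example for this thread, not part of the
post or of RSIT; SAMPLE_INFO_TXT is constructed, modelled on the posted log."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_INFO_TXT = r"""
=====Application event log=====
Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29030
Source Name: Avira AntiVir
Time Written: 20090715153455.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29031
Source Name: Avira AntiVir
Time Written: 20090715153840.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: Gizem-PC
Event Code: 4113
Message: AntiVir detected suspicious code in file C:\Windows\System32\hjgruisgenherw.dll with the name 'TR/TDss.yux'!
Record Number: 29032
Source Name: Avira AntiVir
Time Written: 20090715153849.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: Gizem-PC
Event Code: 5
Message: Unsupported service control request (see data below)
Record Number: 29034
Source Name: LightScribeService
Time Written: 20090715153919.000000-000
Event Type: Information
User:
"""

SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")   # ======Name======
FIELD_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")    # Field: value
FIELDS = {"Computer Name", "Event Code", "Message", "Record Number",
          "Source Name", "Time Written", "Event Type", "User"}  # any other "x: y" line is message text
PATH_RE = re.compile(r"([A-Za-z]:\\[^\s']+)")      # first Windows path in the message
NAME_RE = re.compile(r"'([^']+)'")                  # quoted detection name, works for any AV language
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # example's own choice


def split_sections(text):
    """Map each '=====Name=====' heading to the non-empty lines under it."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_events(lines):
    """Group 'Field: value' lines into records; 'Computer Name' opens a new record,
    lines with an unknown key are continuation text of a multi-line Message (4624 etc.)."""
    records, current = [], None
    for line in lines:
        m = FIELD_RE.match(line)
        if m and m.group(1).strip() in FIELDS:
            if m.group(1).strip() == "Computer Name":
                current = {}
                records.append(current)
            if current is not None:
                current[m.group(1).strip()] = m.group(2).strip()
        elif current is not None:
            current["Message"] = (current.get("Message", "") + " " + line.strip()).strip()
    return records


def persistent_detections(records, source="Avira AntiVir", code="4113", min_hits=3):
    """Group the AV's detection events by (path, name) and keep system-directory files
    hit at least min_hits times: the scanner keeps seeing a file it never gets rid of."""
    hits = defaultdict(list)
    for rec in records:
        msg = rec.get("Message", "")
        path, name = PATH_RE.search(msg), NAME_RE.search(msg)
        if rec.get("Source Name") == source and rec.get("Event Code") == code and path and name:
            when = datetime.strptime(rec["Time Written"][:14], "%Y%m%d%H%M%S")
            hits[(path.group(1).lower(), name.group(1))].append(when)
    return [{"path": p, "detection": n, "count": len(t),
             "span_seconds": (max(t) - min(t)).total_seconds()}
            for (p, n), t in sorted(hits.items())
            if len(t) >= min_hits and p.startswith(SYSTEM_DIRS)]


def triage(text):
    records = parse_events(split_sections(text).get("Application event log", []))
    return {"events_parsed": len(records), "persistent": persistent_detections(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_INFO_TXT), indent=2))
```

Run as a script it prints the report for the sample; for a real case pass the contents of info.txt to triage(). The result only says that the scanner and the file system disagree repeatedly; whether the file is hidden by a driver or merely re-dropped has to be settled from outside the running system, which is also why an infected machine's own directory listings cannot be trusted. A second inconsistency in the same info.txt is worth checking by hand: Security Center reports McAfee VirusScan and McAfee Personal Firewall, while the uninstall list in part 1 contains Avira and no McAfee product at all.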
15.07.2009, 16:58 | #8

Trojan "hjgruisgenherw.dll" in the System32 folder
1) log.txt
Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Gizem at 2009-07-15 17:39:02
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 99 GB (67%) free of 148 GB
Total RAM: 3066 MB (62% free)

======Scheduled tasks folder======
C:\Windows\tasks\ggnzipmb.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\SupBackGroundTask.job
C:\Windows\tasks\User_Feed_Synchronization-{643F9551-BCD5-41AF-AB75-992461D9A86B}.job

======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
Click-to-Call BHO - C:\Program Files\Windows Live\Messenger\wlchtc.dll [2009-02-06 73072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a194578-81ea-4850-9911-13ba2d71efbd} ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Anmelde-Hilfsprogramm - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}]
Google Gears Helper - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll [2009-06-09 2097152]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-04-17 6111232]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-10-26 1029416]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AdobeCS4ServiceManager"=C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2008-08-14 611712]
"LXCGCATS"=rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 []
"lxcgmon.exe"=C:\Program Files\Lexmark 2300 Series\lxcgmon.exe [2007-04-29 205744]
"EzPrint"=C:\Program Files\Lexmark 2300 Series\ezprint.exe [2007-04-29 103344]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-05-27 13781536]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2008-03-17 2289664]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-21 125952]
"Steam"=d:\programme\steam\steam.exe [2009-06-11 1217784]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-21 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======
2009-07-15 17:39:02 ----D---- C:\rsit
2009-07-15 17:39:02 ----D---- C:\Program Files\trend micro
2009-07-14 21:11:50 ----A---- C:\Windows\ntbtlog.txt
2009-07-14 08:25:46 ----A---- C:\Windows\system32\nvcod130.dll
2009-07-14 08:25:46 ----A---- C:\Windows\system32\LANGWRBK.DLL
2009-07-14 08:25:45 ----A---- C:\Windows\system32\ieencode.dll
2009-07-14 08:25:45 ----A---- C:\Windows\system32\extmgr.dll
2009-07-13 21:33:58 ----SHD---- C:\Config.Msi
2009-07-13 19:45:30 ----D---- C:\Program Files\a-squared Free
2009-07-12 22:55:29 ----A---- C:\Windows\system32\msonpmon.dll
2009-07-12 22:54:36 ----D---- C:\Program Files\Microsoft Works
2009-07-12 22:54:24 ----D---- C:\Program Files\Common Files\DESIGNER
2009-07-12 22:52:44 ----RHD---- C:\MSOCache
2009-07-12 13:54:25 ----D---- C:\Program Files\Google
2009-07-11 11:17:20 ----D---- C:\Windows\Minidump
2009-07-11 09:18:46 ----D---- C:\Program Files\CCleaner
2009-07-08 22:16:12 ----D---- C:\Program Files\JRE
2009-07-05 22:38:07 ----D---- C:\Program Files\MIKSOFT
2009-07-05 22:05:06 ----D---- C:\Users\Gizem\AppData\Roaming\CyberLink
2009-07-05 22:05:04 ----D---- C:\ProgramData\CyberLink
2009-07-05 21:27:13 ----D---- C:\Program Files\Movie Maker 2.6
2009-06-27 18:07:13 ----D---- C:\ProgramData\Avira
2009-06-23 19:07:42 ----A---- C:\Windows\system32\asdjfhla.txt

======List of files/folders modified in the last 1 months======
2009-07-15 17:39:06 ----D---- C:\Windows\Temp
2009-07-15 17:39:02 ----RD---- C:\Program Files
2009-07-15 17:32:43 ----D---- C:\Windows\Prefetch
2009-07-15 17:03:00 ----D---- C:\Windows\winsxs
2009-07-15 17:03:00 ----D---- C:\Windows\system32\catroot
2009-07-15 17:01:35 ----D---- C:\Windows\system32\catroot2
2009-07-15 15:27:23 ----D---- C:\Windows\System32
2009-07-15 10:28:39 ----D---- C:\Windows
2009-07-14 16:32:36 ----D---- C:\Program Files\Messenger Plus! Live
2009-07-13 21:44:36 ----SHD---- C:\Windows\Installer
2009-07-13 21:44:31 ----D---- C:\ProgramData\Microsoft Help
2009-07-13 21:43:34 ----RSD---- C:\Windows\assembly
2009-07-13 21:34:29 ----D---- C:\Program Files\Common Files\microsoft shared
2009-07-13 00:27:45 ----HD---- C:\ProgramData
2009-07-13 00:27:45 ----D---- C:\Program Files\Lx_cats
2009-07-12 22:54:28 ----D---- C:\Program Files\Microsoft Office
2009-07-12 22:54:24 ----D---- C:\Program Files\Common Files
2009-07-12 22:54:17 ----RSD---- C:\Windows\Fonts
2009-07-12 22:53:16 ----D---- C:\Windows\ShellNew
2009-07-12 22:21:51 ----A---- C:\Windows\win.ini
2009-07-12 13:54:30 ----D---- C:\Windows\Tasks
2009-07-12 13:54:30 ----D---- C:\Windows\system32\Tasks
2009-07-11 09:28:47 ----D---- C:\Program Files\Mozilla Firefox
2009-07-11 09:24:11 ----D---- C:\Windows\Debug
2009-07-10 19:11:43 ----D---- C:\Temp
2009-07-08 22:17:17 ----D---- C:\Program Files\OpenOffice.org 3
2009-07-05 13:49:57 ----SD---- C:\Windows\Downloaded Program Files
2009-07-04 22:25:05 ----D---- C:\Windows\system32\drivers
2009-07-04 22:17:03 ----SD---- C:\Users\Gizem\AppData\Roaming\Microsoft
2009-07-04 21:38:04 ----SHD---- C:\System Volume Information
2009-07-03 16:11:28 ----D---- C:\Program Files\Common Files\Steam
2009-06-28 00:49:17 ----D---- C:\Program Files\Avira
2009-06-24 18:47:20 ----D---- C:\Windows\Microsoft.NET
2009-06-24 15:00:40 ----D---- C:\Program Files\Internet Explorer
2009-06-23 19:15:57 ----D---- C:\ProgramData\NVIDIA 2009-06-23 19:14:32 ----D---- C:\Program Files\DAEMON Tools Pro 2009-06-23 19:12:13 ----D---- C:\Windows\inf 2009-06-23 19:10:37 ----D---- C:\Program Files\Common Files\Wise Installation Wizard 2009-06-23 19:10:24 ----D---- C:\Program Files\AGEIA Technologies 2009-06-23 19:07:58 ----D---- C:\NVIDIA 2009-06-23 19:03:30 ----D---- C:\Program Files\SystemRequirementsLab ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608] R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104] R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520] R2 adfs;adfs; C:\Windows\system32\drivers\adfs.sys [2008-08-14 74720] R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-03-24 55640] R2 KMDFMEMIO;SAMSUNG Kernel Driver; C:\Windows\system32\DRIVERS\kmdfmemio.sys [2007-05-23 13312] R3 CmBatt;Treiber für Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400] R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-04-17 2098904] R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848] R3 NVHDA;Service for NVIDIA High Definition Audio Driver; C:\Windows\system32\drivers\nvhda32v.sys [2009-04-30 64032] R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-05-27 9850240] R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-10-26 193456] R3 VMC302;Vimicro Camera Service VMC302; C:\Windows\System32\Drivers\VMC302.sys [2008-06-05 242048] R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328] R3 
yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-28 298496] S3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-28 1161888] S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056] S3 BthEnum;Bluetooth-Anforderungsblocktreiber; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-21 19456] S3 BthPan;Bluetooth-Gerät (PAN); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-21 92160] S3 BTHPORT;Bluetooth-Porttreiber; C:\Windows\System32\Drivers\BTHport.sys [2008-01-21 219648] S3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\Windows\System32\Drivers\BTHUSB.sys [2008-01-21 29184] S3 btwaudio;Bluetooth-Audiogerät; C:\Windows\system32\drivers\btwaudio.sys [2008-02-14 80424] S3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2007-07-16 80936] S3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2007-07-16 16168] S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632] S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2009-02-18 25280] S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520] S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864] S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192] S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888] S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016] S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; 
C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-21 2225664] S3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-02-21 50688] S3 s117bus;Sony Ericsson Device 117 driver (WDM); C:\Windows\system32\DRIVERS\s117bus.sys [2007-06-25 82984] S3 usbscan;USB-Scannertreiber; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328] S3 usbvideo;USB-Videogerät (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016] S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936] S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656] S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616] S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-21 88576] S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-21 11264] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2009-07-14 719392] R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-05-11 185089] R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712] R2 BcmSqlStartupSvc;SQL Server-Startdienst für Business Contact Manager; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-16 30312] R2 Bonjour Service;Bonjour-Dienst; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888] R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-21 21504] R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2008-07-10 819200] R2 
LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2008-03-17 73728] R2 lxcg_device;lxcg_device; C:\Windows\system32\lxcgcoms.exe [2007-04-29 537520] R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-05-27 211488] R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2008-07-10 466944] R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-12-19 272024] R2 SQLBrowser;SQL Server-Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968] R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904] R3 iPod Service;iPod-Dienst; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992] R3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-07-03 316664] S2 AeLookupSvcALG;Anwendungserfahrung AeLookupSvcALG; C:\Windows\TEMP\ejhvpdepxt.exe service [] S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-12 133104] S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-01-11 655624] S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712] S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184] S4 MSSQLServerADHelper;Hilfsdienst von SQL Server für Active Directory; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408] -----------------EOF----------------- |
15.07.2009, 16:59 | #9 |
| Trojan "hjgruisgenherw.dll" in the System32 folder 2) Avenger Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "hjgruicrditipn" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\hjgruicrditipn" deleted successfully.

Error: could not delete file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp"
Deletion of file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruifwdoidvqbp.tmp"
Deletion of file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruifwdoidvqbp.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruihqxrnnsrvx.tmp"
Deletion of file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruihqxrnnsrvx.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruitdxipiagxc.tmp"
Deletion of file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruitdxipiagxc.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiwbmbtixfdo.tmp"
Deletion of file "C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiwbmbtixfdo.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\drivers\hjgruiofncpbqj.sys"
Deletion of file "C:\Windows\System32\drivers\hjgruiofncpbqj.sys" failed!
Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\hjgruipdyegjhp.dat"
Deletion of file "C:\Windows\System32\hjgruipdyegjhp.dat" failed!
Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\hjgruisgenherw.dll"
Deletion of file "C:\Windows\System32\hjgruisgenherw.dll" failed!
Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\hjgruivypkmmtu.dll"
Deletion of file "C:\Windows\System32\hjgruivypkmmtu.dll" failed!
Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\hjgruixlnpwdxr.dat"
Deletion of file "C:\Windows\System32\hjgruixlnpwdxr.dat" failed!
Status: 0xc0000156

Error: file "C:\Windows\Temp\hjgruijvrqbfdooh.tmp" not found!
Deletion of file "C:\Windows\Temp\hjgruijvrqbfdooh.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.

*******************

Finished! Terminate. |
15.07.2009, 17:31 | #10 |
| Trojan "hjgruisgenherw.dll" in the System32 folder 3) Gmer Part 1 Code:
ATTFilter GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-07-15 18:30:35 Windows 6.0.6001 Service Pack 1 ---- System - GMER 1.0.15 ---- INT 0x51 ? 867D1E30 INT 0x72 ? 867D1E30 INT 0x82 ? 867D1E30 INT 0x92 ? 85028BF8 INT 0x92 ? 867D1E30 INT 0x92 ? 867D1E30 INT 0x92 ? 867D1E30 INT 0x92 ? 85028BF8 INT 0xA2 ? 867D1E30 Code 8F20A308 ZwEnumerateKey Code 8F1B5B90 ZwFlushInstructionCache Code 8F27F2BD IofCallDriver Code 8F28934E IofCompleteRequest ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!IofCallDriver 8204A169 5 Bytes JMP 8F27F2C2 .text ntoskrnl.exe!IofCompleteRequest 8204A1D6 5 Bytes JMP 8F289353 PAGE ntoskrnl.exe!ZwFlushInstructionCache 821AC1C2 5 Bytes JMP 8F1B5B94 PAGE ntoskrnl.exe!ZwEnumerateKey 821D758C 5 Bytes JMP 8F20A30C ? System32\Drivers\spgg.sys Das System kann den angegebenen Pfad nicht finden. ! .text USBPORT.SYS!DllUnload 8E65A4CB 5 Bytes JMP 867D1410 ? system32\drivers\gaxtgn.sys Das System kann den angegebenen Pfad nicht finden. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\a-squared Free\a2service.exe[440] kernel32.dll!CreateThread + 1A 775446E2 4 Bytes CALL 0045493D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH) .text C:\Windows\system32\lsm.exe[652] ntdll.dll!LdrLoadDll 77BD7933 5 Bytes JMP 0034000A .text C:\Windows\system32\winlogon.exe[884] ntdll.dll!LdrLoadDll 77BD7933 5 Bytes JMP 0007000A .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!FindResourceExA 775308DD 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!FindResourceA 775309A5 5 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!CreateEventA 77544AD8 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! 
Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!LockResource 77547F1F 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!FindResourceExW 7754813B 1 Byte [E9] .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!FindResourceExW 7754813B 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!LoadResource 77548213 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!FindResourceW 775497C7 5 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] kernel32.dll!SizeofResource 775497E5 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] ADVAPI32.dll!CryptDeriveKey 779DE6F6 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] ADVAPI32.dll!CryptDecrypt 779DE8D9 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!SetWindowPlacement 778A79BB 5 Bytes JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! 
Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!SetWindowRgn 778A95E2 7 Bytes JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!LoadImageW 778AD61D 5 Bytes JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!LoadIconW 778AEC94 5 Bytes JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!CreateWindowExW 778B3D67 5 Bytes JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!GetWindowLongW 778BF67F 7 Bytes JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!PeekMessageW 778BFD9F 5 Bytes JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!TrackPopupMenuEx 778D0F4D 5 Bytes JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!CreateDialogParamW 778D1C58 5 Bytes JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] USER32.dll!MessageBoxIndirectW 778FD56B 5 Bytes JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! 
Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WS2_32.dll!closesocket 77B8330C 5 Bytes JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WS2_32.dll!recv 77B8343A 5 Bytes JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WS2_32.dll!WSASend 77B84496 5 Bytes JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WS2_32.dll!send 77B8659B 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WS2_32.dll!WSARecv 77B88400 5 Bytes JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] SHELL32.dll!Shell_NotifyIconW 7686C808 5 Bytes JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] ole32.dll!CoRegisterClassObject 766045AC 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] ole32.dll!CoInitializeEx 7663B89A 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] ole32.dll!CoCreateInstance 7663E188 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! 
Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WININET.dll!InternetReadFile 7634654B 5 Bytes JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WININET.dll!InternetCloseHandle 76349088 5 Bytes JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WININET.dll!HttpOpenRequestA 7634D5E8 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2480] WININET.dll!HttpSendRequestA 7635EEB9 5 Bytes JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 846922D8 IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [8A269C4C] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [8A269CA0] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8A2396D2] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8A239040] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8A2397FC] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8A2390BE] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8A23913C] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 846932D8 IAT 
\SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 867D1510 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8A249048] \SystemRoot\System32\Drivers\spgg.sys IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 869D62D8 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\a-squared Free\a2service.exe[440] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [00454A94] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH) IAT C:\Program Files\a-squared Free\a2service.exe[440] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem] [00454A94] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8502A1F8 Device \FileSystem\fastfat \FatCdrom 867F61F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) Device \Driver\volmgr \Device\VolMgrControl 846951F8 Device \Driver\netbt \Device\NetBT_Tcpip_{4427CA0C-FB92-4D25-A045-B58C7B80BF08} 8F3841F8 Device \Driver\usbuhci \Device\USBPDO-0 84FC01F8 Device \Driver\usbuhci \Device\USBPDO-1 84FC01F8 Device \Driver\usbuhci \Device\USBPDO-2 84FC01F8 Device \Driver\usbehci \Device\USBPDO-3 867B61F8 Device \Driver\usbuhci \Device\USBPDO-4 84FC01F8 Device \Driver\usbuhci \Device\USBPDO-5 84FC01F8 Device \Driver\usbuhci \Device\USBPDO-6 84FC01F8 Device \Driver\volmgr \Device\HarddiskVolume1 846951F8 Device \Driver\usbehci \Device\USBPDO-7 867B61F8 Device \Driver\volmgr \Device\HarddiskVolume2 846951F8 Device \Driver\volmgr \Device\HarddiskVolume3 846951F8 Device \Driver\volmgr \Device\HarddiskVolume4 846951F8 Device \Driver\netbt \Device\NetBt_Wins_Export 8F3841F8 Device \Driver\Smb \Device\NetbiosSmb 8F3331F8 Device \Driver\iScsiPrt \Device\RaidPort0 869D71F8 Device 
\Driver\netbt \Device\NetBT_Tcpip_{DECB8486-47A8-4DB0-A326-AAD9748969B5} 8F3841F8 Device \Driver\usbuhci \Device\USBFDO-0 84FC01F8 Device \Driver\USBSTOR \Device\0000006c 8F3B51F8 Device \Driver\USBSTOR \Device\0000006d 8F3B51F8 Device \Driver\usbuhci \Device\USBFDO-1 84FC01F8 Device \Driver\usbuhci \Device\USBFDO-2 84FC01F8 Device \Driver\usbehci \Device\USBFDO-3 867B61F8 Device \Driver\usbuhci \Device\USBFDO-4 84FC01F8 Device \Driver\usbuhci \Device\USBFDO-5 84FC01F8 Device \Driver\usbuhci \Device\USBFDO-6 84FC01F8 Device \Driver\usbehci \Device\USBFDO-7 867B61F8 Device \FileSystem\fastfat \Fat 867F61F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) Device \FileSystem\cdfs \Cdfs 847EA1F8 ---- Services - GMER 1.0.15 ---- Service C:\Windows\system32\drivers\hjgruiofncpbqj.sys (*** hidden *** ) [SYSTEM] hjgruicrditipn <-- ROOTKIT !!! |
15.07.2009, 17:32 | #11 |
| Trojan "hjgruisgenherw.dll" in the System32 folder 3) Gmer Part 2 Code:
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002787923ce
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027879245e
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn@imagepath \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruicmd.dll \systemroot\system32\hjgruipfywmjoe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgrui.dat \systemroot\system32\hjgruibkpypnqj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruicrditipn\modules@hjgruilog.dat \systemroot\system32\hjgruipwvdyrvr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC3 0xB9 0x14 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x82 0xD9 0xD9 0xB8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0002787923ce
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00027879245e
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn@imagepath \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn\modules
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiofncpbqj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn\modules@hjgruicmd.dll \systemroot\system32\hjgruipfywmjoe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC3 0xB9 0x14 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x82 0xD9 0xD9 0xB8 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp 196 bytes
File C:\Users\Gizem\AppData\Local\Temp\Low\hjgruifwdoidvqbp.tmp 2897 bytes
File C:\Users\Gizem\AppData\Local\Temp\Low\hjgruihqxrnnsrvx.tmp 3083 bytes
File C:\Users\Gizem\AppData\Local\Temp\Low\hjgruitdxipiagxc.tmp 196 bytes
File C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiwbmbtixfdo.tmp 3049 bytes
File C:\Windows\System32\drivers\hjgruiofncpbqj.sys 66560 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\hjgruipdyegjhp.dat 91 bytes
File C:\Windows\System32\hjgruipwvdyrvr.dat 2214 bytes
File C:\Windows\System32\hjgruisgenherw.dll 18944 bytes executable
File C:\Windows\System32\hjgruivypkmmtu.dll 41984 bytes executable
File C:\Windows\System32\hjgruixlnpwdxr.dat 90430 bytes

---- EOF - GMER 1.0.15 ---- |
15.07.2009, 17:51 | #12 |
| Trojan "hjgruisgenherw.dll" in the System32 folder 1.) New script for Avenger: Code:
Drivers to delete:
hjgruicrditipn

Registry keys to delete:
HKLM\SYSTEM\ControlSet002\Services\hjgruicrditipn

Folders to delete:
C:\Users\Gizem\AppData\Local\Temp\Low

Files to delete:
C:\Windows\tasks\ggnzipmb.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\SupBackGroundTask.job
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiepoibqqkpq.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruifwdoidvqbp.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruihqxrnnsrvx.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruitdxipiagxc.tmp
C:\Users\Gizem\AppData\Local\Temp\Low\hjgruiwbmbtixfdo.tmp
C:\Windows\System32\hjgruisgenherw.dll
C:\Windows\System32\drivers\hjgruiofncpbqj.sys
C:\Windows\System32\hjgruipdyegjhp.dat
C:\Windows\System32\hjgruivypkmmtu.dll
C:\Windows\System32\hjgruixlnpwdxr.dat
C:\Windows\Temp\hjgruijvrqbfdooh.tmp
2.) Rootkit scan with RootRepeal
Looks like we will have to go at this with a live CD, or can you handle the command line? 3.) Download an ISO here and burn it to CD according to the instructions. ciao, andreas
__________________ No support via PM! This is a forum, not private support! For all newcomers: private support only for a fee, and I am very expensive. Guides Virus scanners Compromise unavoidable? |