Pests of all kinds and their removal: TR/ATRAPS.Gen
17.07.2009, 08:36 | #1
TR/ATRAPS.Gen

Hi everyone, I'm asking for your help; what is going on here right now is beyond belief. Let me try to lay out the situation....
We have a camera at our club and I wanted to copy the data off it... suddenly this message: TR/ATRAPS.Gen Found! Huh? What? On a camera? How can that be? The following file on drive N:/system.exe is a Trojan!?! AntiVir found it and deleted it. So far so good, I also ran a virus scan, no suspicious findings... but it isn't really gone now, is it? Here is my logfile, please take a look at it.... but it goes on...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33:48, on 17.07.2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\program files\avira\antivir desktop\avcenter.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BackgroundSwitcher] "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PCLEPCI - Unknown owner - C:\Windows\system32\drivers\pclepci.sys (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

--
End of file - 5869 bytes

How does it look?
So here's the story: yesterday I opened a letter: the following direct debit could not be carried out: Infoscore Forderungsmanagement, over 100€. What???? Only Telekom has these account details and nobody else; the account was set up specifically for that... (rent account). I'm afraid this Trojan has sent my data on somewhere? But how and why? ... I hope someone can help me. Thanks in advance.
regards
flo
19.07.2009, 20:35 | #2
/// Helper Team | TR/ATRAPS.Gen

Hello Sorin2009

- Please read the instructions thoroughly and always follow them strictly, because I have prepared the order according to specific criteria:
- Important: Run all commands as administrator! Right-click the command prompt and choose "Run as administrator"
- 32-bit Vista or a 64-bit machine?

1.
→ Under Start, click Computer.
→ In the Tools menu, click Folder Options.
→ Files and Folders / Hide extensions for known file types → remove the check mark
→ Hide protected operating system files → remove the check mark
→ Hidden files and folders / Show all files and folders → set the check mark.
→ "Hide protected operating system files" must not be checked and "Show all files and folders" must be enabled.

2.
- Download RSIT - Rootkit/Info v.wikipedia.org) to track them down, we will use a tool - Gmer - :

** no connection to any network or the internet - don't forget WLAN
When the scan has finished, please re-enable all programs and tools!

5.
→ visit the virustotal site and have the files from the code box checked - including file size and name, also copy the MD5 and SHA1:
Code:
C:\Windows\system32\drivers\pclepci.sys

→ Locate the file on your machine → double-click the file to be checked (or copy its contents from the code box)
→ "Send file" and wait until the scan run of all virus scanners has finished
→ paste the result exactly as you receive it in here (including file size and name, MD5 and SHA1):

So that your thread stays tidy and easy to read, it's best to use the code tags for your post:
→ before your log you write: [code]
here goes your logfile
→ after it: [/code]

** If possible, stay off the internet, no online banking, file sharing, chat programs etc.

regards
Coverflow
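The helper asks for the file's name, size, MD5 and SHA1 so that a VirusTotal report can be matched to the exact binary on this machine. The script below is an added example, not part of the thread or of RSIT/HijackThis, showing how to produce exactly those fields without opening the file in anything but a hash routine. It also handles the case this thread actually hits: HijackThis marks pclepci.sys as "(file missing)", so a path that does not exist is a legitimate outcome rather than an error. The example path and the temporary test file are assumptions for illustration.

```python
import hashlib
import os
from typing import Optional


def fingerprint_bytes(name: str, data: bytes) -> dict:
    """Return the fields a VirusTotal report is matched on for an in-memory blob."""
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> Optional[dict]:
    """Hash a file in chunks (drivers can be large) and report its size.

    Returns None when the path is not a regular file: a service or driver entry
    can point at a binary that is no longer on disk, which is what HijackThis
    means by "(file missing)", and that is a finding, not an exception.
    """
    if not os.path.isfile(path):
        return None
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {
        "name": os.path.basename(path),
        "size": size,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def format_report(fp: Optional[dict], path: str) -> str:
    """Render the block the helper wants pasted into the thread."""
    if fp is None:
        return f"{path}: not found on disk (matches a '(file missing)' entry)"
    return (
        f"File name: {fp['name']}\n"
        f"File size: {fp['size']} bytes\n"
        f"MD5:       {fp['md5']}\n"
        f"SHA1:      {fp['sha1']}\n"
        f"SHA256:    {fp['sha256']}"
    )


if __name__ == "__main__":
    # Path taken from the helper's code box above; on most machines it is absent.
    target = r"C:\Windows\system32\drivers\pclepci.sys"
    print(format_report(fingerprint_file(target), target))
```

Submitting the hash first (VirusTotal accepts MD5, SHA1 or SHA256 lookups) tells you whether the file has already been analysed before you upload anything; the size is the cheap sanity check that the report you get back is for the same build of the file.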
22.07.2009, 06:42 | #3
TR/ATRAPS.Gen

Hi,
thanks for getting back to me. So I'll try to post all of it in here.
Code:
ATTFilter Logfile of random's system information tool 1.06 (written by random/random) Run by Flo at 2009-07-22 07:38:24 Microsoft® Windows Vista™ Home Premium Service Pack 2 System drive C: has 38 GB (32%) free of 119 GB Total RAM: 3070 MB (42% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 07:38:26, on 22.07.2009 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v7.00 (7.00.6002.18005) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\System32\rundll32.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Flo\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\Flo.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common 
Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter O4 - HKCU\..\Run: [BackgroundSwitcher] "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} 
(Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing) O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PCLEPCI - Unknown owner - C:\Windows\system32\drivers\pclepci.sys (file missing) O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- End of file - 5434 bytes ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}] Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-12-10 929224] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184] "NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-12-08 92704] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696] "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888] "avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter [] "BackgroundSwitcher"=C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe [2008-12-08 1095568] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe] C:\Windows\ehome\ehTray.exe [2008-01-19 125952] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] C:\Program Files\Microsoft 
Office\Office12\GrooveMonitor.exe [2006-10-27 31016] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ] C:\Program Files\ICQ6.5\ICQ.exe silent [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe [2007-03-21 145496] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2009-03-17 2387968] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2007-09-20 1836328] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] C:\Windows\system32\NvCpl.dll [2008-12-08 13601312] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] C:\Program Files\Skype\Phone\Skype.exe [2008-11-18 21633320] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] C:\Program Files\Winamp\winampa.exe [2009-03-09 37888] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Flo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] C:\PROGRA~1\OPENOF~1.ORG\program\QUICKS~1.EXE [2008-12-15 384000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "EnableLUA"=0 "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 "EnableUIADesktopToggle"=0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "BindDirectlyToPropertySetStorage"= [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] ======List of files/folders created in the last 1 months====== 2009-07-21 18:33:01 ----D---- C:\Windows\Minidump 2009-07-21 17:59:50 ----D---- C:\rsit 2009-07-17 09:06:16 ----D---- C:\Program Files\Trend Micro 2009-07-15 18:23:20 ----D---- C:\ProgramData\Kaspersky Lab 2009-07-15 09:34:55 ----A---- C:\Windows\system32\t2embed.dll 2009-07-15 09:34:54 ----A---- C:\Windows\system32\lpk.dll 2009-07-15 09:34:54 ----A---- C:\Windows\system32\fontsub.dll 2009-07-15 09:34:54 ----A---- C:\Windows\system32\dciman32.dll 2009-07-15 09:34:54 ----A---- C:\Windows\system32\atmfd.dll 2009-07-13 16:33:13 ----D---- C:\ProgramData\KONAMI 2009-07-13 13:50:24 ----D---- C:\AudioSuite 2009-07-13 10:53:09 ----D---- C:\Program Files\DAMN NFO Viewer 2009-07-07 02:26:06 ----A---- C:\ProgramData\ra3.ini 2009-07-07 01:05:42 ----D---- C:\Users\Flo\AppData\Roaming\Red Alert 3 2009-07-06 23:59:13 ----A---- C:\Windows\system32\D3DX9_38.dll 2009-07-06 23:59:13 ----A---- C:\Windows\system32\d3dx10_38.dll 2009-07-06 23:59:13 ----A---- C:\Windows\system32\D3DCompiler_38.dll 2009-06-26 15:15:49 ----D---- C:\Program Files\Common Files\DivX Shared 
2009-06-26 15:05:14 ----D---- C:\ProgramData\WindowsSearch 2009-06-26 11:31:36 ----D---- C:\Users\Flo\AppData\Roaming\DivX 2009-06-26 11:12:54 ----D---- C:\Users\Flo\AppData\Roaming\MPEG Streamclip 2009-06-26 11:12:12 ----D---- C:\Users\Flo\AppData\Roaming\Apple Computer 2009-06-26 11:11:52 ----DC---- C:\Windows\system32\DRVSTORE 2009-06-26 11:11:18 ----D---- C:\ProgramData\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-26 11:09:32 ----D---- C:\Program Files\Apple Software Update 2009-06-26 11:07:28 ----D---- C:\ProgramData\Apple 2009-06-26 09:38:58 ----D---- C:\Program Files\Convert VOB to AVI 2009-06-26 09:32:02 ----A---- C:\Users\Flo\AppData\Roaming\inst.exe 2009-06-26 09:32:01 ----D---- C:\Users\Flo\AppData\Roaming\Vso 2009-06-25 14:26:57 ----D---- C:\ProgramData\NOS 2009-06-25 14:26:57 ----D---- C:\Program Files\NOS ======List of files/folders modified in the last 1 months====== 2009-07-22 07:36:45 ----D---- C:\Windows\Temp 2009-07-22 07:31:24 ----D---- C:\Windows\Prefetch 2009-07-22 07:31:00 ----SHD---- C:\System Volume Information 2009-07-22 07:22:29 ----D---- C:\Program Files\Mozilla Firefox 2009-07-21 18:33:01 ----D---- C:\Windows 2009-07-21 18:31:03 ----D---- C:\Windows\LiveKernelReports 2009-07-21 18:28:24 ----D---- C:\Users\Flo\AppData\Roaming\Skype 2009-07-21 18:03:25 ----D---- C:\Users\Flo\AppData\Roaming\skypePM 2009-07-18 08:12:41 ----D---- C:\Windows\system32\catroot2 2009-07-17 09:06:16 ----RD---- C:\Program Files 2009-07-17 08:44:56 ----SHD---- C:\Config.Msi 2009-07-17 08:43:33 ----SHD---- C:\Windows\Installer 2009-07-17 08:43:09 ----HD---- C:\ProgramData 2009-07-17 08:43:05 ----D---- C:\Windows\system32\drivers 2009-07-17 08:43:03 ----D---- C:\Windows\System32 2009-07-17 08:42:46 ----D---- C:\Windows\system32\catroot 2009-07-17 08:42:46 ----D---- C:\Windows\inf 2009-07-15 19:04:09 ----A---- C:\Windows\system32\PerfStringBackup.INI 2009-07-15 13:38:26 ----D---- C:\Windows\Debug 2009-07-15 11:32:02 ----D---- C:\Windows\winsxs 2009-07-15 09:37:10 
----D---- C:\Program Files\Windows Mail 2009-07-13 20:20:43 ----A---- C:\Windows\NeroDigital.ini 2009-07-11 20:53:13 ----D---- C:\Users\Flo\AppData\Roaming\dvdcss 2009-07-08 02:52:52 ----D---- C:\Users\Flo\AppData\Roaming\Hamachi 2009-07-07 17:10:56 ----A---- C:\Windows\system32\mrt.exe 2009-07-07 11:43:58 ----RSD---- C:\Windows\assembly 2009-07-07 11:37:32 ----HD---- C:\Program Files\InstallShield Installation Information 2009-07-07 00:29:37 ----A---- C:\Windows\system32\CmdLineExt.dll 2009-07-06 23:59:06 ----D---- C:\Windows\Logs 2009-06-26 15:19:38 ----D---- C:\Program Files\DivX 2009-06-26 15:15:49 ----D---- C:\Program Files\Common Files 2009-06-26 11:10:40 ----D---- C:\Program Files\Internet Explorer 2009-06-24 18:04:40 ----SD---- C:\Users\Flo\AppData\Roaming\Microsoft 2009-06-24 15:13:35 ----D---- C:\Windows\Microsoft.NET ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608] R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-05-15 96104] R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-06-09 28520] R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2009-07-07 271360] R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-05-15 55640] R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2009-07-07 18048] R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376] R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller; C:\Windows\system32\DRIVERS\l160x86.sys [2007-10-31 46592] R3 BthEnum;Bluetooth-Auflistungsdienst; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-11 22528] R3 BthPan;Bluetooth-Gerät (PAN); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160] R3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-11 29696] R3 CmBatt;Treiber für 
Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208] R3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys [2009-04-11 236544] R3 MarvinBus;Pinnacle Marvin Bus; C:\Windows\system32\DRIVERS\MarvinBus.sys [2007-01-04 171520] R3 MTsensor;ATK0100 ACPI UTILITY; C:\Windows\system32\DRIVERS\ATKACPI.sys [2006-12-14 7680] R3 NETw4v32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776] R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-12-08 7451712] R3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-11 148992] R3 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2005-11-16 28928] R3 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2005-12-22 51840] R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-11 89088] R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2006-11-02 1010560] R3 TPM;TPM; C:\Windows\system32\drivers\tpm.sys [2008-01-19 45624] R3 usbvideo;USB-Videogerät (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016] R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328] S3 a6q2hzhb;a6q2hzhb; C:\Windows\system32\drivers\a6q2hzhb.sys [] S3 BTHPORT;Bluetooth-Porttreiber; C:\Windows\System32\Drivers\BTHport.sys [2009-04-11 507904] S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632] S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2009-06-06 25280] S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192] S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888] S3 MSPQM;Microsoft Streaming Quality Manager Proxy; 
C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016] S3 NETw3v32;Intel(R) PRO/Wireless 3945BG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760] S3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 44544] S3 usbscan;USB-Scannertreiber; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328] S3 uufnVaxt;uufnVaxt; \??\C:\Users\Flo\AppData\Local\Temp\uufnVaxt.sys [] S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-06-09 108289] R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-06-09 185089] R2 ASLDRService;ASLDR Service; C:\Program Files\ATK Hotkey\ASLDRSrv.exe [2007-02-06 94208] R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504] R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-06-01 647168] R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2009-03-17 73728] R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 853288] R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-12-08 203296] R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2009-03-06 66872] R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-06-01 327680] S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 
4\NBService.exe [] S2 PCLEPCI;PCLEPCI; C:\Windows\system32\drivers\pclepci.sys [] S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824] S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184] -----------------EOF----------------- Code:
ATTFilter Adobe Flash Player 10 ActiveX Adobe Systems Incorporated Adobe Flash Player 10 Plugin Adobe Systems Incorporated Adobe Reader 9.1.2 - Deutsch Adobe Systems Incorporated Anno 1701 Sunflowers Apple Software Update Apple Inc. ATK Hotkey ATK ATKOSD2 ATK Avira AntiVir Personal - Free Antivirus Avira GmbH CCleaner (remove only) Piriform Cole2k Media - Nero Audio Plugin Pack Cole Command & Conquer™ Alarmstufe Rot 3 Electronic Arts Crysis(R) Electronic Arts DAEMON Tools Toolbar DT Soft Ltd DivX Codec DivX, Inc. DivX Converter DivX, Inc. DivX Player DivX, Inc. DivX Plus DirectShow Filters DivX, Inc. DivX Web Player DivX,Inc. Fritz11 WM Edition ChessBase Hamachi 1.0.3.0 HijackThis 2.0.2 TrendMicro Intel(R) PROSet/Wireless Software Intel Corporation Java(TM) 6 Update 13 Sun Microsystems, Inc. John's Background Switcher 3.6 johnsadventures.com K-Lite Mega Codec Pack 4.5.3 LightScribe System Software LightScribe Microsoft – Speichern als PDF – Add-In für 2007 Microsoft Office-Programme Microsoft Corporation Microsoft .NET Framework 3.5 Language Pack SP1 - DEU Microsoft Corporation Microsoft .NET Framework 3.5 SP1 Microsoft Corporation Microsoft Office Enterprise 2007 Microsoft Corporation Microsoft Visual C++ 2005 Redistributable Microsoft Corporation Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation Mozilla Firefox (3.0.11) Mozilla MSXML 4.0 SP2 (KB927978) Microsoft Corporation MSXML 4.0 SP2 (KB954430) Microsoft Corporation Nero 8 Nero AG No23 Recorder No23 NVIDIA Drivers NVIDIA Corporation NVIDIA PhysX v8.09.04 NVIDIA Corporation OpenOffice.org 3.0 OpenOffice.org Pinnacle Instant DVD Recorder Playchess ChessBase Pro Evolution Soccer 2009 KONAMI PunkBuster Services Even Balance, Inc. Sins of a Solar Empire Stardock Entertainment Skype™ 3.8 Skype Technologies S.A. 
SopCast 3.0.3 SopCast.com
Star Wars JK II Jedi Outcast
Studio 11 Pinnacle Systems
Uninstall 1.0.0.1
VLC media player 0.9.8a VideoLAN Team
Winamp Nullsoft, Inc
WinRAR
Xfire (remove only)
Zattoo 3.3.4 Beta Zattoo Inc.

gmer always aborted before, and rootkit only spits out one logfile.
thanks again
regards
flo
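A log this long is where a first automated pass earns its keep. The script below is an added example, not part of the thread and not RSIT or HijackThis code; it reads RSIT driver/service lines and HijackThis O23 lines and flags the two things a reviewer checks first: an entry whose file RSIT could not find on disk (the empty "[]" where a date and size should be, or HijackThis's own "(file missing)"), and a kernel driver loaded from a user-writable directory such as a profile's Temp folder. The sample lines are copied from the RSIT and HijackThis output above, plus two clean entries for contrast; the heuristics and thresholds are my own, and a flag means "verify this file" (hash it, submit it, identify the vendor), not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One RSIT driver/service line:  <R|S><0-4> <name>;<display>; <path> [<date> <size>]
# RSIT prints an empty "[]" when it could not stat the file at scan time.
RSIT_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
# One HijackThis O23 service line; "(file missing)" is HijackThis's own marker.
HJT_O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Directories an unprivileged user can write to; a kernel driver has no business there.
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str]


def normalize_path(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) RSIT prints for some drivers."""
    return path[4:] if path.startswith("\\??\\") else path


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the entry deserves a second look, otherwise None."""
    line = line.strip()
    reasons: List[str] = []
    m = RSIT_RE.match(line)
    if m:
        name, path = m.group("name"), normalize_path(m.group("path"))
        if not m.group("meta").strip():
            reasons.append("RSIT found no file on disk for this entry (empty [] metadata)")
    else:
        m = HJT_O23_RE.match(line)
        if not m:
            return None  # not a driver/service line; other RSIT sections are ignored here
        name, path = m.group("display"), m.group("path")
        if m.group("missing"):
            reasons.append("HijackThis reports the service binary as (file missing)")
    if USER_WRITABLE_RE.search(path):
        reasons.append("binary lives in a user-writable temp or profile directory")
    return Finding(name, path, reasons) if reasons else None


def triage(lines) -> List[Finding]:
    """Run triage_line over a log, keeping only flagged entries in log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def render(findings: List[Finding]) -> str:
    out = []
    for f in findings:
        out.append(f"{f.name}: {f.path}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


# Lines copied from the RSIT and HijackThis logs in this thread (avgio and TPM
# are the clean controls; they carry a date and size and sit under Program Files
# or system32\drivers).
SAMPLE_LINES = [
    r"R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]",
    r"R3 TPM;TPM; C:\Windows\system32\drivers\tpm.sys [2008-01-19 45624]",
    r"S3 a6q2hzhb;a6q2hzhb; C:\Windows\system32\drivers\a6q2hzhb.sys []",
    r"S3 uufnVaxt;uufnVaxt; \??\C:\Users\Flo\AppData\Local\Temp\uufnVaxt.sys []",
    r"S2 PCLEPCI;PCLEPCI; C:\Windows\system32\drivers\pclepci.sys []",
    r"O23 - Service: PCLEPCI - Unknown owner - C:\Windows\system32\drivers\pclepci.sys (file missing)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe",
]

if __name__ == "__main__":
    print(render(triage(SAMPLE_LINES)))
```

Run against the full RSIT log (one line per list entry), this reduces several hundred lines to the handful worth hashing. Note that "file not found" cuts both ways: it is what a stale entry from an uninstalled product looks like (PCLEPCI from the Pinnacle software in the uninstall list is a plausible case) and also what a driver that hides itself from file enumeration looks like, which is exactly why the helper wants the file checked on VirusTotal rather than guessed at.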
22.07.2009, 06:44 | #4
TR/ATRAPS.Gen

and here is the GMER logfile as well
Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-22 07:21:34
Windows 6.0.6002 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT 9DBD65DC ZwCreateThread
SSDT 9DBD65C8 ZwOpenProcess
SSDT 9DBD65CD ZwOpenThread
SSDT 9DBD65D7 ZwTerminateProcess

INT 0x52 ? 86ADBF00
INT 0x62 ? 86ADBF00
INT 0x72 ? 86ADBF00
INT 0x82 ? 86ADBF00
INT 0x82 ? 86ADBF00
INT 0x93 ? 86ADBF00
INT 0xA2 ? 8512CBF8
INT 0xB2 ? 8436BBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81EEB964 4 Bytes [DC, 65, BD, 9D] {FSUB QWORD [EBP-0x43]; POPF }
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EEBB34 4 Bytes [C8, 65, BD, 9D] {ENTER 0xbd65, 0x9d}
.text ntkrnlpa.exe!KeSetEvent + 40D 81EEBB50 4 Bytes [CD, 65, BD, 9D]
.text ntkrnlpa.exe!KeSetEvent + 621 81EEBD64 4 Bytes [D7, 65, BD, 9D]
? System32\Drivers\spzu.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 8EA3641B 5 Bytes JMP 86ADB4E0
.text a6q2hzhb.SYS 8EF20000 22 Bytes [82, 33, E1, 81, 6C, 32, E1, ...]
.text a6q2hzhb.SYS 8EF20017 45 Bytes [00, 32, A7, F9, 89, 3D, A5, ...]
.text a6q2hzhb.SYS 8EF20045 135 Bytes [5A, EE, 81, FD, D9, E7, 81, ...]
.text a6q2hzhb.SYS 8EF200CE 10 Bytes [00, 00, 00, 00, 00, 00, 6A, ...]
.text a6q2hzhb.SYS 8EF200DA 12 Bytes [00, 00, 02, 00, 00, 00, 25, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [89E916D2] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [89E91040] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [89E917FC] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [89E910BE] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [89E9113C] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [89EA1048] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortNotification] CC000CC2
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortWritePortUchar] 83EC8B55
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortWritePortUlong] 575320EC
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 458DFF33
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 8D5750FC
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5750F845
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortReadPortUchar] 8957046A
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortStallExecution] 75E8FC7D
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortGetParentBusType] BB0001E8
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortRequestCallback] 000000EA
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 850FC33B
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0000012B
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortCompleteRequest] 0FFC7D39
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortMoveMemory] 00012284
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 458D5600
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 106A50F4
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 38335668
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortReadPortUshort] FC75FF36
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortReadPortBufferUshort] D1E85757
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortInitialize] 8B0001E7
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortGetDeviceBase] 1BDEF7F0
IAT \SystemRoot\System32\Drivers\a6q2hzhb.SYS[ataport.SYS!AtaPortDeviceStateChange] 23D6F7F6

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [741FA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [741ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7419F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT
C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7419E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [741D8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [741ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7419FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7419FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7422CAE2] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [741CC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7419D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74196853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7419687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8512F1F8 Device \FileSystem\fastfat \FatCdrom 8F9211F8 Device \Driver\volmgr \Device\VolMgrControl 8436D1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{B853D941-9EFE-4764-9A0D-269FFAF9FDE6} 899453A0 Device \Driver\PCI_PNP0482 \Device\00000050 spzu.sys Device \Driver\usbuhci \Device\USBPDO-0 86A9A1F8 Device \Driver\usbuhci \Device\USBPDO-1 86A9A1F8 Device \Driver\usbehci \Device\USBPDO-2 86AAC1F8 Device \Driver\usbuhci \Device\USBPDO-3 86A9A1F8 Device \Driver\usbuhci \Device\USBPDO-4 86A9A1F8 Device 
\Driver\usbuhci \Device\USBPDO-5 86A9A1F8 Device \Driver\usbehci \Device\USBPDO-6 86AAC1F8 Device \Driver\volmgr \Device\HarddiskVolume1 8436D1F8 Device \Driver\USBSTOR \Device\00000071 899361F8 Device \Driver\volmgr \Device\HarddiskVolume2 8436D1F8 Device \Driver\USBSTOR \Device\00000072 899361F8 Device \Driver\cdrom \Device\CdRom0 86B3D1F8 Device \Driver\volmgr \Device\HarddiskVolume3 8436D1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{6E68E5FC-70E0-47F4-AF44-CC4F53F13C94} 899453A0 Device \Driver\USBSTOR \Device\00000073 899361F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8512D1F8 Device \Driver\atapi \Device\Ide\IdePort0 8512D1F8 Device \Driver\cdrom \Device\CdRom1 86B3D1F8 Device \Driver\volmgr \Device\HarddiskVolume4 8436D1F8 Device \Driver\cdrom \Device\CdRom2 86B3D1F8 Device \Driver\volmgr \Device\HarddiskVolume5 8436D1F8 Device \Driver\USBSTOR \Device\00000076 899361F8 Device \Driver\netbt \Device\NetBt_Wins_Export 899453A0 Device \Driver\Smb \Device\NetbiosSmb 8994E1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{180A084F-B24B-4EA7-A5A9-EAEA78FE5CC0} 899453A0 Device \Driver\iScsiPrt \Device\RaidPort0 86C77500 Device \Driver\usbuhci \Device\USBFDO-0 86A9A1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{66185AA1-1D63-46C0-A942-231508946BD3} 899453A0 Device \Driver\usbuhci \Device\USBFDO-1 86A9A1F8 Device \Driver\usbehci \Device\USBFDO-2 86AAC1F8 Device \Driver\BTHUSB \Device\0000007c bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation) Device \Driver\usbuhci \Device\USBFDO-3 86A9A1F8 Device \Driver\usbuhci \Device\USBFDO-4 86A9A1F8 Device \Driver\BTHUSB \Device\0000007e bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation) Device \Driver\usbuhci \Device\USBFDO-5 86A9A1F8 Device \Driver\usbehci \Device\USBFDO-6 86AAC1F8 Device \Driver\sptd \Device\3543432494 spzu.sys Device \Driver\a6q2hzhb \Device\Scsi\a6q2hzhb1 86C741F8 Device \Driver\a6q2hzhb \Device\Scsi\a6q2hzhb1Port3Path0Target0Lun0 86C741F8 Device \FileSystem\fastfat \Fat 8F9211F8 
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) Device \FileSystem\cdfs \Cdfs A957F1F8 |
22.07.2009, 06:45 | #5 |
| TR/ATRAPS.Gen Code:
ATTFilter ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0018f337f16b Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bfcef5770 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x79 0x49 0x98 0x07 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x43 0x42 0x13 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x75 0xF3 0x4B 0xF2 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0018f337f16b Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bfcef5770 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x79 0x49 0x98 0x07 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x43 0x42 0x13 0x4B ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x75 0xF3 0x4B 0xF2 ... Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x97 0x20 0x4E 0x9A ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ... ---- EOF - GMER 1.0.15 ---- |
22.07.2009, 18:21 | #7 | ||
/// Helper team | TR/ATRAPS.Gen Hi, OK, the file comes from Pinnacle. 1. Close all programs including Internet Explorer and fix the entries from the following code box with HijackThis (start HijackThis → select the entries → tick the checkboxes → click "Fix checked" → restart the PC): Quote:
- Please connect storage media such as external hard drives/USB sticks etc., holding down the Shift key while doing so!
- Download ComboFix from one of the following download mirrors: BleepingComputer - ForoSpyware or GeeksToGo
- Important!: install it on the Desktop
- Please disable antivirus and other protection/anti-spyware programs
- Connect every external storage device (USB stick, USB hard drive etc.) to your computer, and be sure to hold down the Shift key while doing so!
- Start ComboFix.exe by double-clicking it and follow the instructions
- If the Microsoft Windows Recovery Console is not installed on your computer and you are asked directly whether to allow it, accept the licence agreement. A confirmation window will then appear; otherwise ComboFix will continue its work
- Confirm with "yes" so that the scan can begin automatically
Quote:
** An illustrated guide can be found here: bleepingcomputer.com/combofix/Anleitung 3. Post again: Trend Micro HijackThis logfile |
22.07.2009, 19:22 | #8 |
| TR/ATRAPS.Gen Hi, can you briefly explain to me what I am doing there? And what you have found out so far? Regards flo |
22.07.2009, 19:46 | #9 |
| TR/ATRAPS.Gen Code:
ATTFilter ComboFix 09-07-22.01 - Flo 22.07.2009 20:36.1.2 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3070.2149 [GMT 2:00] ausgeführt von:: c:\users\Flo\Desktop\ComboFix.exe SP: Windows-Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\$recycle.bin\S-1-5-21-4130345303-399438028-616338062-500 C:\test.txt c:\users\Flo\AppData\Roaming\inst.exe c:\windows\Installer\1ae86.msi c:\windows\Installer\25757.msi c:\windows\PGMONITOR.EXE . ((((((((((((((((((((((( Dateien erstellt von 2009-06-22 bis 2009-07-22 )))))))))))))))))))))))))))))) . 2009-07-22 18:41 . 2009-07-22 18:41 -------- d-----w- c:\users\Flo\AppData\Local\temp 2009-07-21 15:59 . 2009-07-21 15:59 -------- d-----w- C:\rsit 2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\users\Flo\AppData\Local\RapidShare 2009-07-18 17:30 . 2009-07-18 17:31 -------- d-----w- c:\users\Flo\AppData\Local\Deployment 2009-07-18 17:30 . 2009-07-18 17:30 -------- d-----w- c:\users\Flo\AppData\Local\Apps 2009-07-17 07:06 . 2009-07-17 07:06 -------- d-----w- c:\program files\Trend Micro 2009-07-15 16:23 . 2009-07-17 06:44 -------- d-----w- c:\programdata\Kaspersky Lab 2009-07-15 16:14 . 2009-07-15 16:13 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2009-07-15 16:13 . 2009-07-15 16:16 -------- d-----w- c:\users\Flo\.housecall6.6 2009-07-15 07:34 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll 2009-07-15 07:34 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll 2009-07-15 07:34 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll 2009-07-15 07:34 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll 2009-07-15 07:34 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll 2009-07-13 14:33 . 2009-07-13 14:33 -------- d-----w- c:\programdata\KONAMI 2009-07-13 12:15 . 
2009-07-13 12:15 3262 ----a-r- c:\users\Flo\AppData\Roaming\Microsoft\Installer\{22B0E143-2B0B-435B-9F56-136A3D16065F}\controlPanelIcon.exe 2009-07-13 12:15 . 2009-07-13 12:15 10134 ----a-r- c:\users\Flo\AppData\Roaming\Microsoft\Installer\{22B0E143-2B0B-435B-9F56-136A3D16065F}\SystemFolder_msiexec.exe 2009-07-13 12:15 . 2009-07-19 19:23 -------- d-----w- c:\users\Flo\AppData\Local\No23 Recorder 2009-07-13 11:50 . 2009-07-13 11:51 -------- d-----w- C:\AudioSuite 2009-07-13 08:53 . 2009-07-13 08:53 -------- d-----w- c:\program files\DAMN NFO Viewer 2009-07-07 09:44 . 2009-07-07 09:44 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys 2009-07-07 09:44 . 2009-07-07 09:44 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys 2009-07-06 23:05 . 2009-07-07 00:19 -------- d-----w- c:\users\Flo\AppData\Roaming\Red Alert 3 2009-07-06 21:59 . 2008-05-30 12:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll 2009-07-06 21:59 . 2008-05-30 12:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll 2009-07-06 21:59 . 2008-05-30 12:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll 2009-06-26 13:15 . 2009-06-26 13:18 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-06-26 13:05 . 2009-06-26 13:05 -------- d-----w- c:\programdata\WindowsSearch 2009-06-26 09:31 . 2009-06-26 09:31 -------- d-----w- c:\users\Flo\AppData\Roaming\DivX 2009-06-26 09:12 . 2009-06-26 09:12 -------- d-----w- c:\users\Flo\AppData\Roaming\MPEG Streamclip 2009-06-26 09:12 . 2009-06-26 09:12 -------- d-----w- c:\users\Flo\AppData\Local\Apple Computer 2009-06-26 09:12 . 2009-06-26 09:12 -------- d-----w- c:\users\Flo\AppData\Roaming\Apple Computer 2009-06-26 09:11 . 2009-06-26 09:29 -------- dc----w- c:\windows\system32\DRVSTORE 2009-06-26 09:11 . 2009-06-26 09:11 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-26 09:09 . 2009-06-26 09:09 -------- d-----w- c:\users\Flo\AppData\Local\Apple 2009-06-26 09:09 . 
2009-06-26 09:09 -------- d-----w- c:\program files\Apple Software Update 2009-06-26 09:07 . 2009-06-26 09:07 -------- d-----w- c:\programdata\Apple 2009-06-26 07:38 . 2009-06-26 09:24 -------- d-----w- c:\program files\Convert VOB to AVI 2009-06-26 07:32 . 2009-06-26 07:32 47360 ----a-w- c:\users\Flo\AppData\Roaming\pcouffin.sys 2009-06-26 07:32 . 2009-06-26 07:32 -------- d-----w- c:\users\Flo\AppData\Roaming\Vso 2009-06-25 12:26 . 2009-06-25 14:40 -------- d-----w- c:\programdata\NOS 2009-06-25 12:26 . 2009-06-25 14:40 -------- d-----w- c:\program files\NOS . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-22 18:32 . 2009-02-10 21:48 149677 ----a-w- c:\programdata\nvModes.dat 2009-07-22 18:30 . 2007-04-18 08:33 12 ----a-w- c:\windows\bthservsdp.dat 2009-07-22 18:29 . 2009-02-01 18:28 -------- d-----w- c:\users\Flo\AppData\Roaming\Skype 2009-07-22 18:16 . 2009-02-01 18:30 -------- d-----w- c:\users\Flo\AppData\Roaming\skypePM 2009-07-22 09:46 . 2009-02-05 07:52 1 ----a-w- c:\users\Flo\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2009-07-15 17:04 . 2007-04-18 09:14 5855368 ----a-w- c:\windows\system32\perfh007.dat 2009-07-15 17:04 . 2007-04-18 09:14 1842514 ----a-w- c:\windows\system32\perfc007.dat 2009-07-15 07:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2009-07-11 18:53 . 2009-02-28 21:19 -------- d-----w- c:\users\Flo\AppData\Roaming\dvdcss 2009-07-08 00:52 . 2009-06-06 21:04 -------- d-----w- c:\users\Flo\AppData\Roaming\Hamachi 2009-07-07 09:37 . 2009-02-01 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-07-06 22:29 . 2009-03-06 11:46 107888 ----a-w- c:\windows\system32\CmdLineExt.dll 2009-06-26 13:19 . 2009-02-20 19:35 -------- d-----w- c:\program files\DivX 2009-06-18 16:57 . 2009-06-18 16:57 -------- d-----w- c:\program files\Zattoo 2009-06-18 16:51 . 
2009-06-18 16:51 -------- d-----w- c:\program files\SopCast 2009-06-06 21:04 . 2009-06-06 21:04 -------- d-----w- c:\program files\Hamachi 2009-06-06 21:04 . 2009-06-06 21:04 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys 2009-06-02 14:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar 2009-06-02 14:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar 2009-06-02 14:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration 2009-06-02 14:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery 2009-06-02 14:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal 2009-06-02 14:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender 2009-06-02 14:55 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat 2009-06-02 14:47 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont 2009-05-14 23:08 . 2009-05-14 23:05 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-05-14 23:08 . 2009-05-14 23:05 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-05-05 09:01 . 2009-02-01 18:09 119352 ----a-w- c:\users\Flo\AppData\Local\GDIPFONTCACHEV1.DAT 2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll 2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll 2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll 2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll 2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll 2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll 2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll 2009-04-24 16:02 . 2009-06-10 19:01 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-07-22 12:51 . 
2009-02-01 18:26 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BackgroundSwitcher"="c:\program files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [2008-12-08 1095568] "WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2009-04-11 2153472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk /p \??\J:\0autocheck autochk * [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^Users^Flo^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] path=c:\users\Flo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk 
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):33,07,f5,28,93,e3,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{233A094F-3BE1-4C04-B320-DBED86A8CD74}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{12E1002B-ADA4-492F-88CC-6DD938E4DDE5}d:\\immortal throne\\tqit.exe"= UDP:d:\immortal throne\tqit.exe:Tqit
"UDP Query User{2CBFADEF-B99F-4B5C-9CF9-8B31D0FFF160}d:\\immortal throne\\tqit.exe"= TCP:d:\immortal throne\tqit.exe:Tqit
"{EA8865C2-CBC6-4E98-9544-392DBE9D573F}"= UDP:c:\program files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{18EAED47-5D36-4E64-A6E0-3E72A09F6A4E}"= TCP:c:\program files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"TCP Query User{F07853CB-8DE6-4D5A-9CE2-DFC1C618BA9A}d:\\immortal throne\\tqit.exe"= UDP:d:\immortal throne\tqit.exe:Tqit
"UDP Query User{E3865238-048E-4098-A2FA-02620D4CE4CC}d:\\immortal throne\\tqit.exe"= TCP:d:\immortal throne\tqit.exe:Tqit
"{26023A95-5AB1-49FA-B696-84EF8A88D311}"= UDP:d:\spiele\Sins of a Solar Empire\Kalypso\Sins of a Solar Empire\Sins of a Solar Empire.exe:Sins of a Solar Empire
"{9B106C3C-4EEA-449F-ACAE-E63C8B0F211C}"= TCP:d:\spiele\Sins of a Solar Empire\Kalypso\Sins of a Solar Empire\Sins of a Solar Empire.exe:Sins of a Solar Empire
"{323EBDCB-EDCE-47B2-8D16-5D1C516E2A0C}"= UDP:d:\spiele\Crysis\Bin32\Crysis.exe:Crysis_32
"{27A23FC7-7BF2-4670-B651-5714F2DF0E6B}"= TCP:d:\spiele\Crysis\Bin32\Crysis.exe:Crysis_32
"{312F5CCF-098F-460B-BFC6-FB4A5F24C8DB}"= UDP:d:\spiele\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{6B64777F-9E18-4393-BE24-CBED49E2B27C}"= TCP:d:\spiele\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{080A4FB4-CE03-4F42-AE33-053A9389FAB4}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{F4B0ACCD-D2AE-41F5-AF94-7950C2E81B2C}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{2E212B36-3EBF-467C-ADAE-5275AB3794F0}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{4458C160-DBB3-48BE-ADC2-E93FB836660D}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{C8368983-56AD-42A8-98E6-7ED77022A7D1}"= UDP:c:\program files\Pinnacle\Studio 11\programs\RM.exe:Render Manager
"{EE101408-9512-442C-877E-7805EE73DC1F}"= TCP:c:\program files\Pinnacle\Studio 11\programs\RM.exe:Render Manager
"{03B21BB6-6886-4CEC-8136-6859F546F2A2}"= UDP:c:\program files\Pinnacle\Studio 11\programs\Studio.exe:Studio
"{8220459A-5830-409C-8DC5-C9ED6324C7E9}"= TCP:c:\program files\Pinnacle\Studio 11\programs\Studio.exe:Studio
"{62DAA6DD-9018-4AC0-A163-4B96E1A5989B}"= UDP:c:\program files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:PMSRegisterFile
"{C7D6875F-AD04-4180-B989-3F8CC04F1A91}"= TCP:c:\program files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:PMSRegisterFile
"{F59E6626-1F8B-4FBB-B19B-9C7AE85B3121}"= UDP:c:\program files\Pinnacle\Studio 11\programs\umi.exe:umi
"{68FF82A3-3058-493D-8B1F-A57BC96B1A9E}"= TCP:c:\program files\Pinnacle\Studio 11\programs\umi.exe:umi
"{DB56250B-B310-4191-8873-0F09C0B2322D}"= UDP:d:\spiele\Assassin Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{DC73C218-318E-48FC-8753-F0B61DCF4C69}"= TCP:d:\spiele\Assassin Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{02210E2F-D7AD-4A25-B2AF-371F138A6D83}"= UDP:d:\spiele\Assassin Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{C5844419-5449-492C-90AC-9F19CB664CD9}"= TCP:d:\spiele\Assassin Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{259770B8-0276-4F0A-A55B-2D947CFF5A65}"= UDP:d:\spiele\Assassin Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{E3531C93-7D4D-46B6-9365-8C3903BAAB51}"= TCP:d:\spiele\Assassin Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{1135383C-915B-47C6-9CA2-F25168447A19}d:\\spiele\\l4d\\left4dead.exe"= UDP:d:\spiele\l4d\left4dead.exe:left4dead
"UDP Query User{8D125133-030B-4456-B8A8-1B797FD451D8}d:\\spiele\\l4d\\left4dead.exe"= TCP:d:\spiele\l4d\left4dead.exe:left4dead
"{1B9A6B65-E222-4C5F-9EA4-521EF688FEF3}"= UDP:c:\program files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{84003545-C781-4E08-92A1-AAB9C8D2926C}"= TCP:c:\program files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{ED741592-54D3-4690-A992-DFBB4AF61951}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{318A81F3-1304-4BAC-9558-24645F402CDD}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{09E8DDF0-EB05-4D04-A048-7F44D2E4A931}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{32B51EBF-E1CE-476B-AFF2-C0BEAFB87F00}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3D359123-1B48-4485-A3D2-BD8C29446E3E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{FF11BB28-AC0E-4058-A842-73A5DC8F317C}c:\\program files\\hamachi\\hamachi.exe"= UDP:c:\program files\hamachi\hamachi.exe:Hamachi Client
"UDP Query User{3383504C-AEE4-4299-8B66-CBD7E0D3ADC6}c:\\program files\\hamachi\\hamachi.exe"= TCP:c:\program files\hamachi\hamachi.exe:Hamachi Client
"TCP Query User{A3AB9276-91E0-4BA5-B4AC-A4E0F4E3F0D5}c:\\program files\\pinnacle\\studio 11\\programs\\studio.exe"= UDP:c:\program files\pinnacle\studio 11\programs\studio.exe:Studio program file
"UDP Query User{D6D3C35F-BDA8-4C42-87C7-A029CEDD2AB2}c:\\program files\\pinnacle\\studio 11\\programs\\studio.exe"= TCP:c:\program files\pinnacle\studio 11\programs\studio.exe:Studio program file
"TCP Query User{FB94EB49-D7C8-4F29-997D-B44DACE99FF5}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{0A12ACCE-767F-4A46-B00C-2E8C0231E089}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{4E4B6038-8B68-4A21-9B8D-EDBAB9AA89CE}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{0D84A102-0684-4B8E-A0F2-93E274B70EC4}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{4A1E61B5-E465-46AE-899C-032DB7EA5F04}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B06BB3AC-0BB5-4945-B9CC-F3A323C74568}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{5FB83C88-E318-47C9-B10C-5DCBF3279846}c:\\program files\\zattoo\\zattood.exe"= UDP:c:\program files\zattoo\zattood.exe:zattood
"UDP Query User{38906346-6DAC-4F4A-A971-8D67AF51831B}c:\\program files\\zattoo\\zattood.exe"= TCP:c:\program files\zattoo\zattood.exe:zattood
"TCP Query User{957FAD11-31AF-428D-A651-BC63D9A05EC5}c:\\program files\\zattoo\\zattoo.exe"= UDP:c:\program files\zattoo\zattoo.exe:
"UDP Query User{A0A05013-3225-46AE-B0AD-79776B7A8B78}c:\\program files\\zattoo\\zattoo.exe"= TCP:c:\program files\zattoo\zattoo.exe:
"{97DF106E-AF70-4CBE-9810-654D572920DB}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8FC2DF34-9314-4BEE-8900-C98AFE66BDE6}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F61FE197-16B8-4C7D-840C-88A84633DF02}"= UDP:d:\spiele\Pro Evoution Soccer 9\pes2009.exe:Pro Evolution Soccer 2009
"{1E724311-86FC-4AEC-B226-1E657B210F4E}"= TCP:d:\spiele\Pro Evoution Soccer 9\pes2009.exe:Pro Evolution Soccer 2009
"{162AE01E-E29E-479F-816E-003154FEDE99}"= UDP:d:\spiele\Pro Evoution Soccer 9\pes2009.exe:Pro Evolution Soccer 2009
"{D07DC848-A156-4426-9EA9-A9C997906060}"= TCP:d:\spiele\Pro Evoution Soccer 9\pes2009.exe:Pro Evolution Soccer 2009
"{2F350793-5B46-4205-A975-9CB36B3A4340}"= UDP:c:\users\Flo\Desktop\09120\pes2009.exe:Pro Evolution Soccer 2009
"{566D73A2-5586-4D79-903F-16CAD600EEA0}"= TCP:c:\users\Flo\Desktop\09120\pes2009.exe:Pro Evolution Soccer 2009
22.07.2009, 19:47 | #10
TR/ATRAPS.Gen
Code:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [15.05.2009 01:05 108289]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\System32\drivers\l160x86.sys [02.02.2009 00:01 46592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Flo\AppData\Roaming\Mozilla\Firefox\Profiles\e0dvt2am.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - google.de
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 20:41
Windows 6.0.6002 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_USERS\S-1-5-21-4130345303-399438028-616338062-1000\Software\SecuROM\License information*]
"datasecu"=hex:f7,ff,fc,c4,2b,65,11,bf,0f,5d,65,05,d9,32,dc,98,92,b1,bb,2a,12,
 5b,3d,d1,4f,a7,5c,ad,ef,73,cd,3e,e7,c7,6c,69,db,0a,42,bc,81,f0,02,6f,0e,07,\
"rkeysecu"=hex:3f,d3,92,50,d2,06,6f,97,aa,bd,cf,2b,0d,74,4a,1a

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,ea,d4,81,df,c4,
 ea,62,82,e2,63,26,f1,3f,c8,ff,68,85,0a,6c,d5,c7,84,37,51,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,a3,12,1d,53,3e,
 61,0a,22,6a,9c,d6,61,af,45,84,18,ac,4f,31,bd,7f,ba,ef,7a,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,d0,4c,ca,0b,09,
 54,91,aa,ff,7c,85,e0,43,d4,0e,fe,32,0c,62,c4,22,bc,5d,f7,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,4f,1d,9b,d1,61,
 8c,f0,23,86,8c,21,01,be,91,eb,e7,51,4c,a1,77,aa,47,9c,c6,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,fb,33,28,4f,e7,
 f0,db,9d,f5,1d,4d,73,a8,13,5c,05,b2,f1,56,58,66,26,a1,af,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,3c,1d,04,eb,00,
 f2,d6,7c,df,20,58,62,78,6b,cf,c8,f4,de,cd,9a,d6,d8,3b,90,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,b7,66,0c,81,ef,
 db,3c,c5,fb,a7,78,e6,12,2f,9a,ea,c1,59,9c,64,d4,9d,95,83,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,cd,eb,1a,c8,58,
 70,2a,fc,01,3a,48,fc,e8,04,4a,f1,82,0c,14,69,e8,04,b2,d6,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,e3,fe,2f,05,0f,
 1e,09,c4,f6,0f,4e,58,98,5b,89,c9,5d,2a,a2,b9,85,83,7b,55,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,74,3a,73,05,57,
 40,ec,4e,3d,ce,ea,26,2d,45,aa,78,72,01,eb,10,7a,d6,29,8f,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,fb,75,05,65,e9,
 51,e1,37,2a,b7,cc,b5,b9,7f,41,e7,e6,13,a0,19,9a,a8,45,01,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\Windows\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,7a,32,bc,e6,5c,
 10,4e,aa,6c,43,2d,1e,aa,22,2f,9c,cd,3d,ca,fb,32,c0,d9,58,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Zeit der Fertigstellung: 2009-07-22 20:42
ComboFix-quarantined-files.txt 2009-07-22 18:42

Vor Suchlauf: 11 Verzeichnis(se), 39.421.788.160 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 39.380.447.232 Bytes frei

309 --- E O F --- 2009-07-22 05:31
23.07.2009, 09:01 | #11
/// Helfer-Team | TR/ATRAPS.Gen
Hi, according to your description, a variant of the "autorun family" has got in here; hard disks that were/are infected with the virus "Virus.Win32.AutoRun" may have been involved. That is malware which spreads via external storage media.
Quote:
1. Remove ComboFix: Start --> Run --> paste in Combofix /u --> OK. Remove C:\Qoobox (if still present) --> empty the Recycle Bin, or simply remove it; also delete C:\Qoobox (if still present) --> empty the Recycle Bin.
2. Check the entire computer (system check without cleaning) with the Kaspersky Online Scanner; select "My Computer":
- in Internet Explorer, under "Tools → Internet Options → Security": set everything to the default level
- allow ActiveX; this is necessary so that your hard disk can be accessed
- save the result as a *.txt file and post the log file of the scan
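The Helfer-Team post above describes the autorun family: malware that spreads by dropping an autorun.inf plus an executable (the thread's N:\system.exe is the kind of file such an entry points at) onto removable media. As an added example that is not part of the thread or of the helper's instructions, the PowerShell script below lists autorun.inf files on every removable drive, shows which executable each one would launch and whether that file is actually present, and reports the NoDriveTypeAutoRun policy value that governs whether Windows honours such files at all. It assumes a Windows PowerShell session with the CIM cmdlets available; no drive letters or paths are hard-coded.

```powershell
# Added example (not from the thread): inventory autorun.inf on removable drives
# and report the AutoRun policy. Read-only; it changes nothing on the system.

function Get-AutorunTargets {
    param([string]$InfPath)
    # Pull the launch targets out of the [autorun] section: open=, shellexecute=
    # and shell\<verb>\command= lines. -match is case-insensitive in PowerShell.
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    return $targets
}

# DriveType 2 = removable media (USB sticks, card readers, a camera in mass-storage mode).
foreach ($drive in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $drive.DeviceID            # e.g. "N:"
    $inf  = "$root\autorun.inf"
    if (-not (Test-Path -LiteralPath $inf)) {
        Write-Output "$root : no autorun.inf"
        continue
    }
    # -Force is needed because autorun worms usually mark the file hidden+system.
    $item = Get-Item -LiteralPath $inf -Force
    Write-Output "$inf : present, attributes = $($item.Attributes)"
    if ($item.PSIsContainer) {
        # A directory named autorun.inf is a common protective trick, not a worm.
        Write-Output "  (it is a directory, so Windows will not parse it)"
        continue
    }
    foreach ($t in Get-AutorunTargets -InfPath $inf) {
        # Targets are relative to the drive root; drop any arguments before resolving.
        $exe    = ($t -split '\s+')[0]
        $full   = "$root\$exe"
        $exists = Test-Path -LiteralPath $full
        Write-Output "  would launch: $t  (file present: $exists)"
    }
}

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
# 0xFF (255) disables it for every drive type. Check both machine and user policy.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val) {
        Write-Output "$key : NoDriveTypeAutoRun not set (Windows default applies)"
    } else {
        Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $key, $val)
    }
}
```

Run it with every suspect stick or card reader plugged in, which matches the helper's later request to keep all storage media connected. An autorun.inf whose target is a hidden executable in the drive root (or in a RECYCLER-style folder) is the pattern to hand to the scanner, and a policy value below 0xFF means the machine will still execute such entries when a drive is inserted.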
23.07.2009, 10:59 | #12
TR/ATRAPS.Gen
Hi, again many, many thanks for looking at all of this. One question up front: in your estimation, to what extent is my PC now at risk/infected? Or is everything fine so far? I use Firefox; how does that work with ActiveX there? Where do I find this option? Regards and thanks, flo
23.07.2009, 12:15 | #13
/// Helfer-Team | TR/ATRAPS.Gen
Firefox does not support ActiveX controls! That only exists in IE:
http://www.microsoft.com/switzerland...ttings/ie.mspx
http://www.heise.de/security/dienste/browsercheck/
http://www.bsi-fuer-buerger.de/brows...l7schritt3.htm
23.07.2009, 12:50 | #14
TR/ATRAPS.Gen
This drive N does not belong to me, and I no longer have it at the moment.... important? It is only about one computer and the external hard disk; what should have happened with drive N is outside my area of interest :-). flo
23.07.2009, 13:12 | #15
/// Helfer-Team | TR/ATRAPS.Gen
Okay, then please continue with point 2 (Kaspersky): http://www.trojaner-board.de/75404-t...tml#post450436
Keep all storage media connected!