log.txt 2. Teil:

======List of files/folders modified in the last 1 months======

2009-07-22 22:09:10 ----D---- C:\WINDOWS\system32
2009-07-22 22:09:08 ----RD---- C:\Programme
2009-07-22 21:55:22 ----D---- C:\Programme\Mozilla Firefox
2009-07-22 21:32:48 ----D---- C:\WINDOWS\Temp
2009-07-22 21:31:47 ----D---- C:\WINDOWS
2009-07-22 21:29:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-22 21:24:48 ----D---- C:\WINDOWS\system32\drivers
2009-07-22 20:51:13 ----D---- C:\WINDOWS\Prefetch
2009-07-22 18:52:21 ----D---- C:\WINDOWS\Debug
2009-07-22 18:52:20 ----D---- C:\WINDOWS\Minidump
2009-07-22 18:04:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-22 18:04:16 ----A---- C:\WINDOWS\ModemLog_Creatix V.9X DSP Data Fax Modem.txt
2009-07-20 00:17:21 ----SD---- C:\WINDOWS\Tasks
2009-07-19 22:31:11 ----RASH---- C:\boot.ini
2009-07-19 22:31:11 ----A---- C:\WINDOWS\win.ini
2009-07-19 22:31:11 ----A---- C:\WINDOWS\system.ini
2009-07-19 20:26:09 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-07-19 20:24:20 ----D---- C:\Programme\Electronic Arts
2009-07-19 20:24:11 ----D---- C:\Config.Msi
2009-07-19 20:24:06 ----SHD---- C:\WINDOWS\Installer
2009-07-19 20:23:17 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Electronic Arts
2009-07-19 19:21:04 ----HD---- C:\WINDOWS\inf
2009-07-19 19:13:58 ----D---- C:\WINDOWS\WinSxS
2009-07-19 16:46:27 ----A---- C:\WINDOWS\NeroDigital.ini
2009-07-18 15:52:24 ----SHD---- C:\RECYCLER
2009-07-18 14:22:51 ----D---- C:\teen
2009-07-18 14:06:14 ----D---- C:\Programme\Gemeinsame Dateien
2009-07-18 13:29:50 ----D---- C:\Dokumente und Einstellungen
2009-07-15 23:07:49 ----D---- C:\WINDOWS\$hf_mig$
2009-07-15 23:07:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-12 20:32:09 ----A---- C:\crashAddress.txt
2009-07-07 17:10:56 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 WS2IFSL;Windows Socket 2.0 Non-IFS-Dienstanbieter-Unterstützungsumgebung; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R3 CardReaderFilter;Card Reader Filter; \??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 RT61;Linksys Wireless-G PCI Adapter Driver(RT61); C:\WINDOWS\system32\DRIVERS\RT61.sys [2006-12-12 356096]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB-Standardhubtreiber; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbstor;USB-Massenspeichertreiber; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 AmdK8;AMD Athlon64-Prozessortreiber; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [2004-05-08 38912]
S1 avgio;avgio; \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys []
S1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-07-19 96104]
S1 mitetrqjibcoprxi;mitetrqjibcoprxi; C:\WINDOWS\system32\drivers\mitetrqjibcoprxi.sys []
S1 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2009-07-19 28520]
S2 atksgt;atksgt; C:\WINDOWS\System32\DRIVERS\atksgt.sys [2006-11-12 271360]
S2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-19 55640]
S2 BTSERIAL;Bluetooth Serial Driver; \??\C:\WINDOWS\System32\drivers\btserial.sys []
S2 BTSLBCSP;Bluetooth Port Client Driver; \??\C:\WINDOWS\System32\drivers\btslbcsp.sys []
S2 lirsgt;lirsgt; C:\WINDOWS\System32\DRIVERS\lirsgt.sys [2006-11-12 18048]
S2 NwlnkIpx;NWLink IPX/SPX/NetBIOS-kompatibles Transportprotokoll; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
S2 NwlnkNb;NWLink-NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2002-08-29 63232]
S2 NwlnkSpx;NWLink SPX/SPXII-Protokoll; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2002-08-29 55936]
S3 ageco31m;ageco31m; C:\WINDOWS\system32\drivers\ageco31m.sys []
S3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 BTDriver;Virtueller Bluetooth-Kommunikationstreiber; C:\WINDOWS\System32\DRIVERS\btport.sys [2004-11-29 30299]
S3 BTKRNL;Bluetooth-Bus-Enumerator; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [2004-11-29 1337850]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2004-11-29 55320]
S3 Cap7134;MEDION (7134) WDM Video Capture; C:\WINDOWS\System32\DRIVERS\Cap7134.sys [2003-06-05 350752]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-04-23 818496]
S3 cxvafakj;cxvafakj; \??\C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\cxvafakj.sys []
S3 EL90XBC;3Com EtherLink XL 90XB/C-Adaptertreiber; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 EPUSBSTOR;EPSON USB Storage Driver; C:\WINDOWS\System32\DRIVERS\epusbsto.sys [2001-09-10 17976]
S3 FETNDIS;VIA PCI 10/100-MBit/s-Fast Ethernetadapter-NT-Treiber; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2004-04-15 42496]
S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\System32\DRIVERS\hamachi.sys [2008-01-20 25280]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver; \??\C:\WINDOWS\system32\drivers\hitmanpro35.sys []
S3 Intels51;Creatix V.9X DSP Data Fax Modem; C:\WINDOWS\System32\DRIVERS\CtxS51.sys [2004-03-12 845092]
S3 ms_mpu401;Microsoft MPU-401 MIDI UART-Treiber; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-07-12 2459968]
S3 PhTVTune;MEDION TV-TUNER 7134 MK2/3; C:\WINDOWS\System32\DRIVERS\PhTVTune.sys [2003-06-12 24704]
S3 PortlUSB;PortlUSB; C:\WINDOWS\System32\DRIVERS\MS-5530.sys [2004-06-24 7552]
S3 PRISM_A00;CREATIX 802.11g Driver; C:\WINDOWS\System32\DRIVERS\PRISMA00.sys [2004-01-16 380736]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbewt;usbewt; \??\C:\WINDOWS\system32\usbewt.sys []
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB-Scannertreiber; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 X10UIF;%DESCRIPTION%; C:\WINDOWS\System32\Drivers\x10uif.sys [2001-11-14 10761]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S2 AntiVirMailService;Avira AntiVir MailGuard; C:\Programme\Avira\AntiVir Desktop\avmailc.exe [2009-07-19 194817]
S2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Programme\Avira\AntiVir Desktop\sched.exe [2009-07-19 108289]
S2 AntiVirService;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-07-19 185089]
S2 AntiVirWebService;Avira AntiVir WebGuard; C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-07-19 434945]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 268800]
S2 InteractiveLogon;InteractiveLogon; C:\WINDOWS\System32\Fast.exe [2001-10-19 49216]
S2 msncache;msncache; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2004-08-11 38912]
S3 aspnet_state;ASP.NET-Statusdienst; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S4 Apple Mobile Device;Apple Mobile Device; C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
S4 Bonjour Service;Bonjour-Dienst; C:\Programme\Bonjour\mDNSResponder.exe [2007-07-24 229376]
S4 btwdins;Bluetooth Service; C:\Programme\Bluetooth\Bluetooth Software\bin\btwdins.exe [2004-11-29 254007]
S4 CA_LIC_CLNT;CA-Lizenz-Client; C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 77824]
S4 CA_LIC_SRVR;CA-Lizenzserver; C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 77824]
S4 de_serv;AVM FRITZ!web Routing Service; C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe []
S4 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe [2001-10-25 90112]
S4 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 IGDCTRL;AVM IGD CTRL Service; C:\Programme\FRITZ!DSL\IGDCTRL.EXE [2007-09-04 87344]
S4 iPod Service;iPod-Dienst; C:\Programme\iPod\bin\iPodService.exe [2008-02-19 504104]
S4 LogWatch;Ereignisprotokoll-Überwachung; C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
S4 MDM;Machine Debug Manager; C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2004-07-12 114755]
S4 ServiceLayer;ServiceLayer; C:\Programme\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S4 sopidkc;sopidkc Service; C:\WINDOWS\system32\sopidkc.exe []
S4 usnjsvc;Messenger USN Journal Reader-Service für freigegebene Ordner; C:\Programme\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 x10nets;X10 Device Network Service; C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe [2001-11-12 20480]

-----------------EOF-----------------

und das Logfile vom Trojaner Remover Teil 1:

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.9.2584. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 22:30:26 22 Jul 2009
Using Database v7350
Operating System: Windows XP Home Edition (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Simply Super Software\Trojan Remover\
Database directory: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Programme\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
22:30:26: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
22:30:26: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1036288 bytes
Created: 21.11.2006 23:30
Modified: 13.06.2007 15:21
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
25088 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:58
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
515072 bytes
Created: 21.11.2006 23:31
Modified: 04.08.2004 09:57
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: HitmanPro35
Value Data: "C:\Programme\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
C:\Programme\Hitman Pro 3.5\HitmanPro35.exe
4519672 bytes
Created: 20.07.2009 17:37
Modified: 20.07.2009 17:37
Company: SurfRight B.V.
--------------------
Value Name: TrojanScanner
Value Data: C:\Programme\Trojan Remover\Trjscan.exe /boot
C:\Programme\Trojan Remover\Trjscan.exe
1059720 bytes
Created: 22.07.2009 22:09
Modified: 01.06.2009 17:06
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: Malwarebytes' Anti-Malware
Value Data: C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
414992 bytes
Created: 22.07.2009 21:24
Modified: 13.07.2009 13:36
Company: Malwarebytes Corporation
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: FlashPlayerUpdate
Value Data: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
218496 bytes
Created: 25.03.2008 05:21
Modified: 25.03.2008 05:21
Company: Adobe Systems, Inc.
--------------------

************************************************************
22:30:27: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
22:30:27: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - key empty or not accessible
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices - key empty or not accessible
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad - key empty or not accessible
HKCU\Software\Microsoft\Windows\CurrentVersion\Run - key empty or not accessible
No Hidden File-loading Registry Entries found
----------

************************************************************
22:30:27: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************
22:30:27: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
22:30:27: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: 6to4
Path: C:\WINDOWS\system32\6to4v32.dll
C:\WINDOWS\system32\6to4v32.dll - [file not found to scan]
--------------------
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------
Key: msncache
Path: C:\WINDOWS\system32\msncache.dll
C:\WINDOWS\system32\msncache.dll - has a *known* Malware filename: INFO.STEALER
C:\WINDOWS\system32\msncache.dll - this registry value has been removed [file not found to scan]
C:\WINDOWS\system32\msncache.dll - unable to take ownership/change permissions
C:\WINDOWS\system32\msncache.dll - marked for renaming when the PC is restarted (if it exists)
--------------------

************************************************************
22:30:33: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AmdK8
ImagePath: System32\DRIVERS\AmdK8.sys
C:\WINDOWS\System32\DRIVERS\AmdK8.sys
38912 bytes
Created: 03.09.2004 14:56
Modified: 08.05.2004 10:22
Company: Microsoft Corporation
----------
Key: AntiVirMailService
ImagePath: "C:\Programme\Avira\AntiVir Desktop\avmailc.exe"
C:\Programme\Avira\AntiVir Desktop\avmailc.exe
194817 bytes
Created: 19.07.2009 19:20
Modified: 19.07.2009 20:42
Company: Avira GmbH
----------
Key: AntiVirSchedulerService
ImagePath: "C:\Programme\Avira\AntiVir Desktop\sched.exe"
C:\Programme\Avira\AntiVir Desktop\sched.exe
108289 bytes
Created: 19.07.2009 19:20
Modified: 19.07.2009 20:42
Company: Avira GmbH
----------
Key: AntiVirService
ImagePath: "C:\Programme\Avira\AntiVir Desktop\avguard.exe"
C:\Programme\Avira\AntiVir Desktop\avguard.exe
185089 bytes
Created: 19.07.2009 19:20
Modified: 19.07.2009 20:42
Company: Avira GmbH
----------
Key: AntiVirWebService
ImagePath: "C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE"
C:\Programme\Avira\AntiVir Desktop\AVWEBGRD.EXE
434945 bytes
Created: 19.07.2009 19:20
Modified: 19.07.2009 20:42
Company: Avira GmbH
----------
Key: Apple Mobile Device
ImagePath: "C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
110592 bytes
Created: 18.02.2008 12:16
Modified: 18.02.2008 12:16
Company: Apple, Inc.
----------
Key: atksgt
ImagePath: System32\DRIVERS\atksgt.sys
C:\WINDOWS\System32\DRIVERS\atksgt.sys
271360 bytes
Created: 12.11.2006 16:49
Modified: 12.11.2006 16:49
Company: [no info]
----------
Key: avgio
ImagePath: \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys
C:\Programme\Avira\AntiVir Desktop\avgio.sys
11608 bytes
Created: 19.07.2009 19:20
Modified: 13.02.2009 11:35
Company: Avira GmbH
----------
Key: Bonjour Service
ImagePath: C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Bonjour\mDNSResponder.exe
229376 bytes
Created: 24.07.2007 16:17
Modified: 24.07.2007 16:17
Company: Apple Inc.
----------
Key: BTSERIAL
ImagePath: \??\C:\WINDOWS\System32\drivers\btserial.sys
C:\WINDOWS\System32\drivers\btserial.sys
23271 bytes
Created: 29.11.2004 20:34
Modified: 29.11.2004 20:34
Company: Broadcom Corporation.
----------
Key: BTSLBCSP
ImagePath: \??\C:\WINDOWS\System32\drivers\btslbcsp.sys
C:\WINDOWS\System32\drivers\btslbcsp.sys
222876 bytes
Created: 29.11.2004 20:34
Modified: 29.11.2004 20:34
Company: Broadcom Corporation.
----------
Key: btwdins
ImagePath: C:\Programme\Bluetooth\Bluetooth Software\bin\btwdins.exe
C:\Programme\Bluetooth\Bluetooth Software\bin\btwdins.exe
254007 bytes
Created: 29.11.2004 20:50
Modified: 29.11.2004 20:50
Company: Broadcom Corporation.
----------
Key: Cap7134
ImagePath: System32\DRIVERS\Cap7134.sys
C:\WINDOWS\System32\DRIVERS\Cap7134.sys
350752 bytes
Created: 03.09.2004 15:06
Modified: 05.06.2003 09:04
Company: Philips Semiconductors
----------
Key: CardReaderFilter
ImagePath: \??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS
C:\WINDOWS\system32\Drivers\USBCRFT.SYS
13440 bytes
Created: 03.09.2004 15:54
Modified: 19.07.2009 20:54
Company: ICSI Technology Ltd.
----------
Key: CA_LIC_CLNT
ImagePath: C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
77824 bytes
Created: 20.09.2002 16:27
Modified: 20.09.2002 16:27
Company: Computer Associates
----------
Key: CA_LIC_SRVR
ImagePath: C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
77824 bytes
Created: 20.09.2002 16:41
Modified: 20.09.2002 16:41
Company: Computer Associates
----------
Key: cmuda
ImagePath: system32\drivers\cmuda.sys
C:\WINDOWS\system32\drivers\cmuda.sys
818496 bytes
Created: 03.09.2004 15:04
Modified: 23.04.2004 15:14
Company: C-Media Inc
----------
Key: d347bus
ImagePath: System32\DRIVERS\d347bus.sys
C:\WINDOWS\System32\DRIVERS\d347bus.sys
155136 bytes
Created: 11.10.2005 21:05
Modified: 22.08.2004 16:31
Company:
----------
Key: d347prt
ImagePath: System32\Drivers\d347prt.sys
C:\WINDOWS\System32\Drivers\d347prt.sys
5248 bytes
Created: 11.10.2005 21:05
Modified: 22.08.2004 16:31
Company:
----------
Key: de_serv
ImagePath: C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe - [file not found to scan]
----------
Key: EPSONStatusAgent2
ImagePath: C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
90112 bytes
Created: 06.05.2007 15:46
Modified: 25.10.2001 02:02
Company: SEIKO EPSON CORPORATION
----------
Key: EPUSBSTOR
ImagePath: System32\DRIVERS\epusbsto.sys
C:\WINDOWS\System32\DRIVERS\epusbsto.sys
17976 bytes
Created: 10.09.2001 01:00
Modified: 10.09.2001 01:00
Company: SEIKO EPSON CORPORATION
----------
Key: FETNDISB
ImagePath: System32\DRIVERS\fetnd5b.sys
C:\WINDOWS\System32\DRIVERS\fetnd5b.sys
42496 bytes
Created: 10.08.2004 17:05
Modified: 15.04.2004 10:57
Company: VIA Technologies, Inc.
----------
Key: hamachi
ImagePath: System32\DRIVERS\hamachi.sys
C:\WINDOWS\System32\DRIVERS\hamachi.sys
25280 bytes
Created: 15.05.2007 01:55
Modified: 20.01.2008 17:23
Company: LogMeIn, Inc.
----------
Key: hitmanpro35
ImagePath: \??\C:\WINDOWS\system32\drivers\hitmanpro35.sys
C:\WINDOWS\system32\drivers\hitmanpro35.sys
11904 bytes
Created: 20.07.2009 17:37
Modified: 22.07.2009 18:04
Company:
----------
Key: IDriverT
ImagePath: "C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe"
C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
69632 bytes
Created: 04.04.2005 01:41
Modified: 04.04.2005 01:41
Company: Macrovision Corporation
----------
Key: IGDCTRL
ImagePath: C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
87344 bytes
Created: 04.09.2007 10:14
Modified: 04.09.2007 10:14
Company: AVM Berlin
----------
Key: Intels51
ImagePath: System32\DRIVERS\CtxS51.sys
C:\WINDOWS\System32\DRIVERS\CtxS51.sys
845092 bytes
Created: 03.09.2004 14:57
Modified: 12.03.2004 18:23
Company: Intel Corporation
----------
Key: InteractiveLogon
ImagePath: C:\WINDOWS\System32\Fast.exe -service
C:\WINDOWS\System32\Fast.exe
49216 bytes
Created: 19.10.2001 12:14
Modified: 19.10.2001 12:14
Company: Microsoft Corporation
----------
Key: iPod Service
ImagePath: C:\Programme\iPod\bin\iPodService.exe
C:\Programme\iPod\bin\iPodService.exe
504104 bytes
Created: 19.02.2008 14:10
Modified: 19.02.2008 14:10
Company: Apple Inc.
----------
Key: lirsgt
ImagePath: System32\DRIVERS\lirsgt.sys
C:\WINDOWS\System32\DRIVERS\lirsgt.sys
18048 bytes
Created: 12.11.2006 16:49
Modified: 12.11.2006 16:49
Company: [no info]
----------
Key: LogWatch
ImagePath: C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
53248 bytes
Created: 20.09.2002 16:29
Modified: 20.09.2002 16:29
Company: Computer Associates
----------
Key: MDM
ImagePath: "C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
322120 bytes
Created: 20.06.2003 09:25
Modified: 20.06.2003 09:25
Company: Microsoft Corporation
----------
Key: mitetrqjibcoprxi
ImagePath: \systemroot\system32\drivers\mitetrqjibcoprxi.sys
C:\WINDOWS\system32\drivers\mitetrqjibcoprxi.sys - [file not found to scan]
----------
Key: NwlnkIpx
ImagePath: System32\DRIVERS\nwlnkipx.sys
C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys
88448 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 08:03
Company: Microsoft Corporation
----------
Key: NwlnkNb
ImagePath: System32\DRIVERS\nwlnknb.sys
C:\WINDOWS\System32\DRIVERS\nwlnknb.sys
63232 bytes
Created: 03.09.2004 13:58
Modified: 29.08.2002 14:00
Company: Microsoft Corporation
----------
Key: NwlnkSpx
ImagePath: System32\DRIVERS\nwlnkspx.sys
C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys
55936 bytes
Created: 03.09.2004 13:58
Modified: 29.08.2002 14:00
Company: Microsoft Corporation
----------
Key: PhTVTune
ImagePath: System32\DRIVERS\PhTVTune.sys
C:\WINDOWS\System32\DRIVERS\PhTVTune.sys
24704 bytes
Created: 03.09.2004 15:06
Modified: 12.06.2003 09:47
Company: Philips Semiconductors
----------
Key: PortlUSB
ImagePath: System32\DRIVERS\MS-5530.sys
C:\WINDOWS\System32\DRIVERS\MS-5530.sys
7552 bytes
Created: 25.12.2005 01:49
Modified: 24.06.2004 15:52
Company: PortalPlayer, Inc.
----------
Key: PRISM_A00
ImagePath: System32\DRIVERS\PRISMA00.sys
C:\WINDOWS\System32\DRIVERS\PRISMA00.sys
380736 bytes
Created: 03.09.2004 15:08
Modified: 16.01.2004 10:31
Company:
----------
Key: ServiceLayer
ImagePath: "C:\Programme\PC Connectivity Solution\ServiceLayer.exe"
C:\Programme\PC Connectivity Solution\ServiceLayer.exe
210432 bytes
Created: 06.11.2006 15:21
Modified: 06.11.2006 15:21
Company: Nokia.
----------
Key: sopidkc
ImagePath: C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\sopidkc.exe - has a *known* Malware filename: TROJAN.AGENT
C:\WINDOWS\system32\sopidkc.exe - this registry value has been removed [file not found to scan]
C:\WINDOWS\system32\sopidkc.exe - process is either not running or could not be terminated
C:\WINDOWS\system32\sopidkc.exe - unable to take ownership/change permissions
C:\WINDOWS\system32\sopidkc.exe - marked for renaming when the PC is restarted (if it exists)
----------
Key: sptd
ImagePath: System32\Drivers\sptd.sys - this file is globally excluded
----------
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{0D1AC3F3-FED8-407B-B56C-3CEC7AD960FB}
C:\WINDOWS\System32\dllhost.exe
5120 bytes
Created: 03.09.2004 13:57
Modified: 04.08.2004 09:57
Company: Microsoft Corporation
----------
Key: usbewt
ImagePath: \??\C:\WINDOWS\system32\usbewt.sys
C:\WINDOWS\system32\usbewt.sys
2304 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:57
Company: [no info]
----------
Key: usnjsvc
ImagePath: "C:\Programme\MSN Messenger\usnsvc.exe"
C:\Programme\MSN Messenger\usnsvc.exe
97136 bytes
Created: 19.01.2007 12:54
Modified: 19.01.2007 12:54
Company: Microsoft Corporation
----------
Key: viaagp1
ImagePath: System32\DRIVERS\viaagp1.sys
C:\WINDOWS\System32\DRIVERS\viaagp1.sys
27904 bytes
Created: 02.07.2003 04:42
Modified: 02.07.2003 04:42
Company: VIA Technologies, Inc.
----------
Key: X10UIF
ImagePath: System32\Drivers\x10uif.sys
C:\WINDOWS\System32\Drivers\x10uif.sys
10761 bytes
Created: 05.09.2004 18:51
Modified: 14.11.2001 18:07
Company: X10 Wireless Technology, Inc.
----------
Key: cxvafakj
ImagePath: \??\C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\cxvafakj.sys
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\cxvafakj.sys - [file not found to scan]
----------

************************************************************
22:30:46: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
C:\WINDOWS\system32\JAVASUP.VXD
7315 bytes
Created: 03.09.2004 18:36
Modified: 28.02.2003 16:54
Company: [no info]
VxD Key = JAVASUP
----------
----------

************************************************************
22:30:46: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
22:30:47: Scanning ----- CONTEXTMENUHANDLERS -----
Key: ICQLiteMenu
CLSID: {73B24247-042E-4EF5-ADC2-42F62E6FD654}
Path: C:\Programme\ICQLite\ICQLiteShell.dll
C:\Programme\ICQLite\ICQLiteShell.dll
57451 bytes
Created: 07.08.2008 18:03
Modified: 07.05.2006 18:28
Company:
----------
Key: Shell Extension for Malware scanning
CLSID: {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
Path: C:\Programme\Avira\AntiVir Desktop\shlext.dll
C:\Programme\Avira\AntiVir Desktop\shlext.dll
286977 bytes
Created: 19.07.2009 19:20
Modified: 19.07.2009 20:42
Company: Avira GmbH
----------
Key: WinRAR
CLSID: {B41DB860-8EE4-11D2-9906-E49FADC173CA}
Path: C:\Programme\WinRAR\rarext.dll
C:\Programme\WinRAR\rarext.dll
125952 bytes
Created: 11.10.2005 20:42
Modified: 31.07.2005 21:10
Company: [no info]
----------

************************************************************
22:30:47: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
File: "C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"
C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll
339968 bytes
Created: 21.01.2008 16:48
Modified: 21.01.2008 16:48
Company: Sun Microsystems, Inc.
----------
Key: {F9DB5320-233E-11D1-9F84-707F02C10627}
File: C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
110592 bytes
Created: 14.12.2004 02:20
Modified: 14.12.2004 02:20
Company: Adobe Systems, Inc.
----------

************************************************************
22:30:47: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {2DB79541-9A81-4F96-A151-D56B93119937}
BHO: C:\WINDOWS\system32\kvokbgnl.dll
C:\WINDOWS\system32\kvokbgnl.dll
325120 bytes
Created: 01.06.2009 06:37
Modified: 01.06.2009 06:37
Company:
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
501400 bytes
Created: 16.04.2007 15:42
Modified: 14.03.2007 03:43
Company: Sun Microsystems, Inc.
----------

************************************************************
22:30:47: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
22:30:47: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
22:30:47: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
22:30:48: Scanning ----- APPINIT_DLLS -----
AppInitDLLs entry = [sockspy.dll,C:\DOKUME~1\marcel\LOKALE~1\Temp\101722501747mmx.dll]
sockspy.dll - this reference will be removed [file not found to scan]
----------
C:\DOKUME~1\marcel\LOKALE~1\Temp\101722501747mmx.dll - this reference will be removed [file not found to scan]
----------

************************************************************
22:30:58: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
22:30:58: Scanning ------ COMMON STARTUP GROUP ------
[C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
-HS- 84 bytes
Created: 31.03.2008 18:58
Modified: 03.09.2004 14:05
Company: [no info]
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini - no action taken on this file
--------------------

************************************************************
No User Startup Groups were located to check

************************************************************
22:30:58: Scanning ----- SCHEDULED TASKS -----
Scheduled Tasks not scanned: running in SAFE mode so Task Scheduler service not running

************************************************************
22:30:58: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
22:30:58: Scanning ----- DEVICE DRIVER ENTRIES -----
Value: vidc.VP60
File: C:\WINDOWS\System32\vp6vfw.dll
C:\WINDOWS\System32\vp6vfw.dll
-R- 442368 bytes
Created: 21.08.2005 15:43
Modified: 18.08.2004 10:34
Company: On2.com
----------
Value: vidc.VP61
File: C:\WINDOWS\System32\vp6vfw.dll
C:\WINDOWS\System32\vp6vfw.dll - file already scanned
----------
Value: msacm.lhacm
File: lhacm.acm
C:\WINDOWS\system32\lhacm.acm
34064 bytes
Created: 09.09.2005 20:50
Modified: 09.09.2005 20:50
Company: Microsoft Corporation
----------
Value: msacm.siren
File: sirenacm.dll
C:\WINDOWS\system32\sirenacm.dll
51056 bytes
Created: 19.01.2007 12:53
Modified: 19.01.2007 12:53
Company: Microsoft Corp.
----------

************************************************************
22:31:00: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
==============================
Restrictive Windows Explorer Policies found in force on this computer:
HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures - default policy reset
RunInvalidSignatures - default policy reset
All Policy Values listed have been removed or reset
==============================
Windows Explorer Policies checks completed
----------
Checking autorun.inf in N:\
N:\autorun.inf
-RH- 36 bytes
Created: 17.07.2007 17:43
Modified: 17.10.2002 09:56
Company: [no info]
----------
--------------------
Desktop Wallpaper entry is blank
----------
Web Desktop Wallpaper entry is blank
----------
Checks for rogue DNS NameServers completed
----------
Checking for specific malicious files:
C:\WINDOWS\system32\uacinit.dll - file appears to be stealthed from normal viewing
C:\WINDOWS\system32\uacinit.dll - Trojan.Agent
C:\WINDOWS\system32\uacinit.dll - file renamed to: C:\WINDOWS\system32\uacinit.dll.vir
----------
Additional checks completed

**

und Trojan Remover Log Teil 2:

**********************************************************
22:31:19: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:58
Company: Microsoft Corporation
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 03.09.2004 13:57
Modified: 04.08.2004 09:57
Company: Microsoft Corporation
[11 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
507392 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:58
Company: Microsoft Corporation
[58 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
111104 bytes
Created: 03.09.2004 13:58
Modified: 09.02.2009 12:04
Company: Microsoft Corporation
[38 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:57
Company: Microsoft Corporation
[50 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:58
Company: Microsoft Corporation
[File appears to be locked by another process]
[69 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[48 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[92 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[39 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[37 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
[84 loaded modules in total]
--------------------
C:\WINDOWS\system32\NOTEPAD.EXE
70144 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:58
Company: Microsoft Corporation
[30 loaded modules in total]
--------------------
C:\WINDOWS\system32\NOTEPAD.EXE - file already scanned
[30 loaded modules in total]
--------------------
C:\Programme\Mozilla Firefox\firefox.exe
307704 bytes
Created: 29.03.2006 15:15
Modified: 22.07.2009 18:55
Company: Mozilla Corporation
[67 loaded modules in total]
--------------------
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Simply Super Software\Trojan Remover\sem2D.exe
FileSize: 3015544
[This is a Trojan Remover component]
[56 loaded modules in total]
--------------------

************************************************************
22:31:45: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
22:31:45: Scanning ------ %TEMP% DIRECTORY ------
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\etilqs_pESDjPuRuOT7FnINBtLb appears to be in-use/locked
************************************************************
22:31:45: Scanning ------ C:\WINDOWS\Temp DIRECTORY ------
************************************************************
22:31:49: Scanning ------ ROOT DIRECTORY ------

************************************************************
22:31:49: ------ Scan for other files to remove ------
C:\WINDOWS\system32\comsa32.sys has been deleted
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\tmpC.tmp has been deleted
----------
2 malware-related files deleted (or marked for deletion)

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 22:31:49 22 Jul 2009
Total Scan time: 00:01:23
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
22.07.2009 22:32:06: restart commenced
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.9.2584. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 22:09:48 22 Jul 2009
Using Database v7350
Operating System: Windows XP Home Edition (SP2) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Simply Super Software\Trojan Remover\
Database directory: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Programme\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
22:09:49: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
22:09:49: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1036288 bytes
Created: 21.11.2006 23:30
Modified: 13.06.2007 15:21
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
25088 bytes
Created: 03.09.2004 13:58
Modified: 04.08.2004 09:58
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
515072 bytes
Created: 21.11.2006 23:31
Modified: 04.08.2004 09:57
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: HitmanPro35
Value Data: "C:\Programme\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
C:\Programme\Hitman Pro 3.5\HitmanPro35.exe
4519672 bytes
Created: 20.07.2009 17:37
Modified: 20.07.2009 17:37
Company: SurfRight B.V.
--------------------
Value Name: TrojanScanner
Value Data: C:\Programme\Trojan Remover\Trjscan.exe /boot
C:\Programme\Trojan Remover\Trjscan.exe
1059720 bytes
Created: 22.07.2009 22:09
Modified: 01.06.2009 17:06
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: Malwarebytes' Anti-Malware
Value Data: C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
414992 bytes
Created: 22.07.2009 21:24
Modified: 13.07.2009 13:36
Company: Malwarebytes Corporation
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: FlashPlayerUpdate
Value Data: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
218496 bytes
Created: 25.03.2008 05:21
Modified: 25.03.2008 05:21
Company: Adobe Systems, Inc.
--------------------

************************************************************
22:09:50: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
22:09:50: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - key empty or not accessible
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices - key empty or not accessible
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad - key empty or not accessible
HKCU\Software\Microsoft\Windows\CurrentVersion\Run - key empty or not accessible
No Hidden File-loading Registry Entries found
----------

************************************************************
22:09:50: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************
22:09:50: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
22:09:50: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: 6to4
Path: C:\WINDOWS\system32\6to4v32.dll
C:\WINDOWS\system32\6to4v32.dll - [file not found to scan]
--------------------
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------
Key: msncache
Path: C:\WINDOWS\system32\msncache.dll
C:\WINDOWS\system32\msncache.dll - has a *known* Malware filename: INFO.STEALER
C:\WINDOWS\system32\msncache.dll - no action taken on this file [file not found to scan]
--------------------
ServiceDLL registry keys scan stopped at user request
The Services registry keys were not scanned
The VxD Entries were not scanned
The Winlogon\Notify DLLs were not scanned
The ContextMenuHandlers were not scanned
The Browser Helper Objects were not scanned
The ShellServiceObjects were not scanned
The SharedTaskScheduler DLLs were not scanned
The Imagefile Debuggers were not scanned
The AppInit_DLLs were not scanned
The Security Provider DLLs were not scanned
The Global Startup Group was not scanned
The User Startup Groups were not scanned
The Scheduled Tasks were not scanned
The ShellIconOverylayIdentifiers were not scanned
The Device Drivers were not scanned
Heuristic Scans were not carried out
Running Processes were not scanned
The HOSTS file was not checked
The check on Explorer.exe was not carried out

************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 22:11:25 22 Jul 2009
Total Scan time: 00:01:36
************************************************************

Anleitung Avenger (by swandog46)

Lade dir das Tool Hopsassa und speichere es auf dem Desktop:

• Doppelklick auf das Avenger-Symbol

• Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code: Alles auswählenAufklappen

ATTFilter

Drivers to delete:
cxvafakj
sopidkc
6to4
msncache
usbewt
mitetrqjibcoprxi
         

• Schliesse nun alle Programme und Browser-Fenster

• Um den Avenger zu starten klicke auf -> Execute
• Dann bestätigen mit "Yes" das der Rechner neu startet

• Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

• Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

irgendwie hat das nicht funktioniert habe execute gedrückt nachdem ich das script eingefügt habe und dann neugestartet aber kein logfile da

Versuche es nochmal, hast du von hand neugestartet? wenn Ja, lass es bitte Avenger erledigen.

nee habe nicht von hand gestartet, hab das avenger machen lassen. habe auch zum zweiten mal das script so wie du es geschrieben hast reinkopiert und "execute" geklickt. avenger neustarten lassen, aber kein logfile

dann such das Logfile unter C:\Avenger.

habe ich bereits, aber leider kein logfile vorhanden

Starte HijackThis nochmal - do a system scan only - markiere (haken setzen) folgende Einträge:

Zitat:

O4 - HKCU\..\Run: [Cognac] C:\DOKUME~1\xxxxx\LOKALE~1\Temp\4F.tmp.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SmartAds browser enhancer kvokbgnl - {2DB79541-9A81-4F96-A151-D56B93119937} - C:\WINDOWS\system32\kvokbgnl.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: du-little browser enhancer - {C6E31EB8-D613-1C9E-161A-F76D2CFB1FAA} - C:\WINDOWS\system32\wjlcnwmxfseqdzfr.dll (file missing)
O20 - AppInit_DLLs: sockspy.dll,C:\DOKUME~1\xxxxxx\LOKALE~1\Temp\10172 2501747mmx.dll

Fix Checked.

Was ist den diese Hitman Pro 3.5 exe? Wozu wird das benötigt?

sry mein Fehler, war noch im abgesicherten Modus.

Hier das Log aus Avenger:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "a8tre1us" found!
Could not open driver a8tre1us for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.


Warning: Invalid contents in ServiceGroupOrder key!
There may be a driver loading earlier than Avenger!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\cxvafakj" not found!
Deletion of driver "cxvafakj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "sopidkc" deleted successfully.
Driver "6to4" deleted successfully.
Driver "msncache" deleted successfully.
Driver "usbewt" deleted successfully.
Driver "mitetrqjibcoprxi" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ah6n6xg3" found!
Could not open driver ah6n6xg3 for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\cxvafakj" not found!
Deletion of driver "cxvafakj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\sopidkc" not found!
Deletion of driver "sopidkc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\6to4" not found!
Deletion of driver "6to4" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msncache" not found!
Deletion of driver "msncache" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\usbewt" not found!
Deletion of driver "usbewt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mitetrqjibcoprxi" not found!
Deletion of driver "mitetrqjibcoprxi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "hfvg" found!
Could not open driver hfvg for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Hidden driver "ah6n6xg3" found!
Could not open driver ah6n6xg3 for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\cxvafakj" not found!
Deletion of driver "cxvafakj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\sopidkc" not found!
Deletion of driver "sopidkc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\6to4" not found!
Deletion of driver "6to4" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msncache" not found!
Deletion of driver "msncache" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\usbewt" not found!
Deletion of driver "usbewt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mitetrqjibcoprxi" not found!
Deletion of driver "mitetrqjibcoprxi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

hitman pro ist ein antivirenprogramm, welches mehrere antispy und antivirenprogramme umfasst, diese downloaded und einzeln durchgeht. sollte es zumindest, aber funzt bei mir nicht.

schon ein mal vielen Dank für deine Hilfe !!

sooo habe das was du da geschrieben hast fixiert, wobei ein Teil der Prozesse schon gar nicht mehr da war

Zitat:

hitman pro ist ein antivirenprogramm, welches mehrere antispy und antivirenprogramme umfasst, diese downloaded und einzeln durchgeht. sollte es zumindest, aber funzt bei mir nicht.

Dann deinstalliere es, es reicht eh ein Antivir Programm

So weiter geht es - Suche den ordner Malwarebytes auf unter deinem Arbeitsplatz, benenne dort die exe Datei in 1234.com um und versuche Malwarebytes jetzt zum Laufen zu bringen.

gut zum laufen bekommen. soll ich dort nen vollständigen suchlauf durchführen?