TROJ_AUTORUN.JBK auf USB-Stick

Javaguru · 28.07.2009, 09:35

Moin,
nun hat es auch mich erwischt: TROJ_AUTORUN.JBK ist meine Heimsuchung.
Was er genau auf meinem Rechner fieses macht, weiß ich noch nicht. Auf jeden Fall infiziert er alle USB-Sticks, indem er eine autorun.inf ins USB-Stick-Wurzelverzeichnis schreibt. Zusätzlich wird ein verstecktes Verzeichnis RECYCLE angelegt, in welchem die passende recycled.exe hinterlegt wird. In der autorun.inf wird natürlich auf diese exe verwiesen. Nun, wenn man das weiß, kann man natürlich sowohl Verzeichnis als auch die autorun.inf löschen. Doch der Virus ist damit ja nicht entfernt, sondern lediglich ein Teil seines Machwerks. Personal AntiVir (free) mit alter (Juni) Signatur findet keinen Virus; ein Update schlägt fehl mit dem Hinweis auf eine ungültige Lizenzdatei. OfficeScan von TrendMicro findet "nur" einen IRC-Trojaner, den er gleich in die Quarantäne schiebt. Dennoch bleibt das USB-Stick-Verhalten. D.h. seit OfficeScan einen ungültigen Zugriff des Systems auf <USB-Stick-LW>\autorun.inf feststellt und blockiert, wird nur noch das RECYCLE-Verzeichnis angelegt. Aber weg ist der Virus damit offenbar noch nicht.

Hat hier jemand eine Idee, wie ich den weg bekomme? Anbei das traditionelle HJT-Log, in dem - für mich erstaunlich - es keinen Registry-Eintrag mit recycled.exe gibt. Obwohl ich ihn selbst in einem Kauderwelsch-Schlüssel unter
HKEY_CURRENT_USER\Software\Microsoft Windows\CurrentVersion\explorer\mountpoints2\...
gefunden habe.

Weiterhin - dass mein Firefox portable in den PortableApps (USB-Stick) beim Klick auf Google-Suchergebnisse über Umwege auf irgendwas mit 12find landet, finde ich nicht normal - Virus oder "einfache Umleitung"? Ich meine, dieser USB-Stick wurde auch von dem o.a. autorun-Eumel infiziert. Inzwischen habe ich das RECYCLE-Verzeichnis von dort entfernt, ebenso die autorun.inf. Trotzdem bleibt diese redirect-"Funktion" beim FF. Ah, cool - stelle gerade fest, dass ich mit diesem infizierten FF-portable auch keine Dateien mehr hochladen kann bei abload oder imageshack - bei Klick auf die Buttons passiert nix...

Hier das HJT-Log des infizierten Laptops:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22:26, on 28.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
D:\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Dell Network Assistant\hnm_svc.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
D:\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
D:\Trend Micro\OfficeScan Client\ntrtscan.exe
D:\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
D:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
D:\Sandboxie\SbieSvc.exe
D:\Trend Micro\OfficeScan Client\tmlisten.exe
D:\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
D:\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
D:\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programme\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
D:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Photoshop Elements 6.0\apdproxy.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Dell Support\DSAgnt.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Programme\Dell Network Assistant\ezi_hnm2.exe
C:\Programme\Digital Line Detect\DLG.exe
D:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\taskmgr.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.de/ig/dell?hl=de&client=dell-row&channel=de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.de/hws/sb/dell-row/de/side.html?channel=de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de/hws/sb/dell-row/de/side.html?channel=de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de/ig/dell?hl=de&client=dell-row&channel=de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.de/hws/sb/dell-row/de/side.html?channel=de
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.de/ig/dell?hl=de&client=dell-row&channel=de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdates.asp?p={1A15507A-8551-4626-915D-3D5FA095CC1B}&r=10.0&v=ISUA%204.50&u={C3357C5B-2B29-49AC-AAC5-C3B0BA784826}&l=1031&K=ZCE9CB0A8BEBCF7FFBEAC87386E8B978FC9BC978F59FCF0EFCEAC90BFE9CBD09889DC708FDEAC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN helper - {61DC85A0-4A32-4c38-92CF-24652B3F416C} - locsock32.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programme\BAE\BAE.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdmcks.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Programme\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "D:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Programme\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - D:\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - D:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - d:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Programme\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - D:\MySQL.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - D:\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: OfficeScan Control Manager Agent (OfficeScanCMAgent) - Trend Micro Inc. - D:\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe
O23 - Service: OfficeScan Active Directory Integration Service (OSCEIntegrationService) - Unknown owner - D:\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Sandboxie\SbieSvc.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOKUME~1\HARALD~1\LOKALE~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: Trend Micro Smart Scan Server (TMiCRCScanService) - Trend Micro Inc. - D:\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14061 bytes

kira · 28.07.2009, 18:06

Hallo und Herzlich Willkommen!

Zitat:

Wenn ein System kompromittiert wurde, ist das System nicht mehr vertrauenswürdig
Eine Neuinstallation garantiert die rückstandsfreie Entfernung der Infektion - Sicherheitskonzept v. SETI@home/Punkt 1.

Falls du doch für die Systemreinigung entscheidest:

- Die Anweisungen bitte gründlich lesen und immer streng einhalten, da ich die Reihenfolge nach bestimmten Kriterien vorbereitet habe:

1.
ich brauche mehr `Übersicht` bzw Daten über einen längeren Zeitraum - dazu bitte Versteckte - und Systemdateien sichtbar machen::
→ Klicke unter Start auf Arbeitsplatz.
→ Klicke im Menü Extras auf Ordneroptionen.
→ Dateien und Ordner/Erweiterungen bei bekannten Dateitypen ausblenden → Haken entfernen
→ Geschützte und Systemdateien ausblenden → Haken entfernen
→ Versteckte Dateien und Ordner/Alle Dateien und Ordner anzeigen → Haken setzen.
→ Bei "Geschützte Systemdateien ausblenden" darf kein Häkchen sein und "Alle Dateien und Ordner anzeigen" muss aktiviert sein.

2.
Für XP und Win2000 (ansonsten auslassen)
→ lade Dir das filelist.zip auf deinen Desktop herunter
→ entpacke die Zip-Datei auf deinen Desktop
→ starte nun mit einem Doppelklick auf die Datei "filelist.bat" - Dein Editor (Textverarbeitungsprogramm) wird sich öffnen
→ kopiere aus die erzeugten Logfile alle 7 Verzeichnisse ("C\...") usw - aber nur die Einträge der letzten 6 Monate - hier in deinem Thread
** vor jedem Eintrag steht ein Datum, also Einträge, die älter als 6 Monate sind bitte herauslöschen!

3.
Ich würde gerne noch all deine installierten Programme sehen:
Lade dir das Tool CCleaner herunter
installieren ("Füge CCleaner Yahoo! Toolbar hinzu" abwählen)→ starten→ unter Options settings-> "german" einstellen
dann klick auf "Extra (um die installierten Programme auch anzuzeigen)→ weiter auf "Als Textdatei speichern..."
wird eine Textdatei (*.txt) erstellt, kopiere dazu den Inhalt und füge ihn da ein

4.
Um einen tieferen Einblick in dein System, um eine mögliche Infektion mit einem Rootkit/Info v.wikipedia.org) aufzuspüren, werden wir ein Tool - Gmer - einsetzen :

- also lade Dir Gmer herunter und entpacke es auf deinen Desktop
- starte gmer.exe
- [b]schließe alle Programme, ausserdem Antiviren und andere Schutzprogramme usw müssen deaktiviert sein, keine Verbindung zum Internet, WLAN auch trennen)
- bitte nichts am Pc machen während der Scan läuft!
- klicke auf "Scan", um das Tool zu starten
- wenn der Scan fertig ist klicke auf "Copy" (das Log wird automatisch in die Zwischenablage kopiert)
- mit "Ok" wird GMER beendet.
- das Log aus der Zwischenablage hier in Deinem Thread vollständig hineinkopieren

** keine Verbindung zu einem Netzwerk und Internet - WLAN nicht vergessen
Wenn der Scan beendet ist, bitte alle Programme und Tools wieder aktivieren!

5.
Lade und installiere das Tool RootRepeal herunter

- setze einen Hacken bei: "Drivers", "Stealth Objects" und "Hidden Services" dann klick auf "OK"
- nach der Scan, klick auf "Save Report"
- speichere das Logfile als RootRepeal.txt auf dem Desktop und Kopiere den Inhalt hier in den Thread
Damit dein Thread übersichtlicher und schön lesbar bleibt, am besten nutze den Code-Tags für deinen Post:
→ vor dein log schreibst du:[code]
hier kommt dein logfile rein
→ dahinter:[/code]

gruß
Coverflow

Javaguru · 29.07.2009, 13:38

>Hallo und Herzlich Willkommen!

Danke.

>Falls du doch für die Systemreinigung entscheidest:

Mache ich - ich will wissen, wer oder was mich da so ärgert, sprich wie ich mir den Vogel eingefangen habe, damit ich das zukünftig vermeiden kann.

>2.
Biddeschön die Ausgabe aus Filelist:

Zitat:

----- Root -----------------------------

Verzeichnis von C:\

29.07.2009 08:54 43 filelist.txt
29.07.2009 08:44 2.145.845.248 hiberfil.sys
29.07.2009 08:44 2.145.386.496 pagefile.sys

----- Windows --------------------------

Verzeichnis von C:\WINDOWS

29.07.2009 08:52 8.336 WINCMD.INI
29.07.2009 08:47 159 wiadebug.log
29.07.2009 08:47 50 wiaservc.log
29.07.2009 08:46 0 0.log
29.07.2009 08:45 4.184 ModemLog_Conexant HDA D110 MDC V.92 Modem.txt
29.07.2009 08:45 1.958.439 WindowsUpdate.log
29.07.2009 08:44 2.048 bootstat.dat
29.07.2009 08:43 32.618 SchedLgU.Txt
28.07.2009 11:14 876 win.ini
27.07.2009 11:25 15.053.875 OFCMAS.LOG
27.07.2009 11:25 90 TmComm.log
27.07.2009 11:25 87.842 OFCNT.LOG
21.07.2009 08:44 51.975 wmsetup.log
21.07.2009 00:01 69.889 ehOCGen.log
21.07.2009 00:01 161.465 MedCtrOC.log
21.07.2009 00:01 64.986 ocmsn.log
21.07.2009 00:01 576.787 tsoc.log
21.07.2009 00:01 241.242 ntdtcsetup.log
21.07.2009 00:01 1.374 imsins.log
21.07.2009 00:01 1.397.781 iis6.log
21.07.2009 00:01 63.028 tabletoc.log
21.07.2009 00:01 398.933 comsetup.log
21.07.2009 00:01 8.653 KB973346.log
21.07.2009 00:01 232.733 netfxocm.log
21.07.2009 00:01 608.611 ocgen.log
21.07.2009 00:01 62.635 msgsocm.log
21.07.2009 00:01 144.617 plusoc.log
21.07.2009 00:01 1.259.431 FaxSetup.log
21.07.2009 00:01 390.700 msmqinst.log
21.07.2009 00:01 1.374 imsins.BAK
21.07.2009 00:01 20.219 KB971633.log
20.07.2009 22:05 1.522 Sandboxie.ini
20.07.2009 19:13 15.129 KB961371.log
07.07.2009 21:52 530 wcx_ftp.ini
22.06.2009 22:28 2.185 setupact.log
22.06.2009 22:28 529.006 setupapi.log
22.06.2009 18:05 25.315 KB961501.log
22.06.2009 18:05 18.049 KB969898.log
22.06.2009 18:03 25.120 KB970238.log
22.06.2009 18:03 213.154 updspapi.log
22.06.2009 18:03 100.111 KB969897-IE7.log
22.06.2009 18:03 18.094 KB968537.log
01.05.2009 14:15 69 NeroDigital.ini
30.04.2009 22:22 568 ChssBase.ini
21.04.2009 07:56 49.994 spupdsvc.log
20.04.2009 18:08 34.512 KB959426.log
20.04.2009 18:08 33.090 KB961373.log
20.04.2009 18:08 109.340 KB963027-IE7.log
20.04.2009 18:05 20.596 KB956572.log
20.04.2009 18:05 23.591 KB952004.log
20.04.2009 18:05 22.338 KB960803.log
20.04.2009 18:05 13.679 KB923561.log
18.03.2009 15:07 4.591 actsetup.log
18.03.2009 15:07 534 ODBC.INI
16.03.2009 23:07 35.390 DirectX.log
16.03.2009 18:59 17.580 KB960225.log
16.03.2009 18:59 17.638 KB958690.log
07.03.2009 23:43 2.657 xpsp1hfm.log
24.02.2009 23:40 15.947 KB967715.log
12.02.2009 19:19 13.955 KB960715.log
12.02.2009 19:19 20.179 KB961260-IE7.log

----- System ---

Verzeichnis von C:\WINDOWS\system

----- System 32 (Achtung: Zeitfenster beachten!) ---

Verzeichnis von C:\WINDOWS\system32

29.07.2009 08:46 2.206 wpa.dbl
27.07.2009 11:25 423.422 perfh009.dat
27.07.2009 11:25 69.556 perfc009.dat
27.07.2009 11:25 441.408 perfh007.dat
27.07.2009 11:25 83.316 perfc007.dat
27.07.2009 11:25 1.001.696 PerfStringBackup.INI
27.07.2009 11:25 439.674 prfh0407.dat
27.07.2009 11:25 83.316 prfc0407.dat
20.07.2009 21:43 42.496 locsock32.dll
20.07.2009 21:43 15.477 lpd
20.07.2009 21:43 69.120 inform.dat
07.07.2009 17:10 24.539.592 MRT.exe
22.06.2009 22:26 385.608 FNTCACHE.DAT
16.06.2009 16:36 119.808 t2embed.dll
16.06.2009 16:36 81.920 fontsub.dll
03.06.2009 21:09 1.296.896 quartz.dll
07.05.2009 17:32 348.160 localspl.dll
04.05.2009 18:03 3.774 jupdate-1.6.0_13-b03.log
29.04.2009 06:42 827.392 wininet.dll
29.04.2009 06:42 1.159.680 urlmon.dll
29.04.2009 06:42 233.472 webcheck.dll
29.04.2009 06:42 105.984 url.dll
29.04.2009 06:42 102.912 occache.dll
29.04.2009 06:42 671.232 mstime.dll
29.04.2009 06:42 44.544 pngfilt.dll
29.04.2009 06:42 477.696 mshtmled.dll
29.04.2009 06:42 193.024 msrating.dll
29.04.2009 06:42 3.596.288 mshtml.dll
29.04.2009 06:42 459.264 msfeeds.dll
29.04.2009 06:42 27.648 jsproxy.dll
29.04.2009 06:42 1.830.912 inetcpl.cpl
29.04.2009 06:42 52.224 msfeedsbs.dll
29.04.2009 06:41 268.288 iertutil.dll
29.04.2009 06:41 6.066.176 ieframe.dll
29.04.2009 06:41 44.544 iernonce.dll
29.04.2009 06:41 78.336 ieencode.dll
29.04.2009 06:41 385.024 iedkcs32.dll
29.04.2009 06:41 230.400 ieaksie.dll
29.04.2009 06:41 153.088 ieakeng.dll
29.04.2009 06:41 383.488 ieapfltr.dll
29.04.2009 06:41 133.120 extmgr.dll
29.04.2009 06:41 124.928 advpack.dll
29.04.2009 06:41 63.488 icardie.dll
29.04.2009 06:41 347.136 dxtmsft.dll
29.04.2009 06:41 214.528 dxtrans.dll
28.04.2009 11:05 389.120 html.iec
28.04.2009 11:05 13.824 ieudinit.exe
28.04.2009 11:05 70.656 ie4uinit.exe
25.04.2009 07:26 161.792 ieakui.dll
19.04.2009 21:46 1.847.296 win32k.sys
15.04.2009 16:51 585.216 rpcrt4.dll
21.03.2009 16:06 1.063.424 kernel32.dll
09.03.2009 05:19 144.792 javaw.exe
09.03.2009 05:19 148.888 javaws.exe
09.03.2009 05:19 144.792 java.exe
09.03.2009 05:19 410.984 deploytk.dll
09.03.2009 02:53 73.728 javacpl.cpl
06.03.2009 16:19 286.720 pdh.dll
24.02.2009 22:03 56 ezsidmv.dat
09.02.2009 13:21 2.026.496 ntkrnlpa.exe
09.02.2009 13:21 2.147.840 ntoskrnl.exe
09.02.2009 13:21 111.104 services.exe
09.02.2009 12:51 736.768 lsasrv.dll
09.02.2009 12:51 401.408 rpcss.dll
09.02.2009 12:51 678.400 advapi32.dll
09.02.2009 12:51 740.352 ntdll.dll
06.02.2009 12:39 35.328 sc.exe
03.02.2009 21:57 56.832 secur32.dll

----- Prefetch -------------------------

Verzeichnis von C:\WINDOWS\Prefetch

29.07.2009 08:54 11.464 FIND.EXE-0EEAD1A7.pf
29.07.2009 08:54 12.348 CMD.EXE-034B0549.pf
29.07.2009 08:53 30.928 AVWSC.EXE-38C86EF0.pf
29.07.2009 08:52 68.516 WMIPRVSE.EXE-0D449B4F.pf
29.07.2009 08:52 59.466 JAVA.EXE-09AD08D6.pf
29.07.2009 08:52 97.780 TOTALCMD.EXE-2B24920D.pf
29.07.2009 08:50 33.048 RUNDLL32.EXE-6B727682.pf
29.07.2009 08:49 79.836 PHOTODOWNLOADER.EXE-19BBA97E.pf
29.07.2009 08:49 14.130 RUNDLL32.EXE-6E8D4657.pf
29.07.2009 08:48 5.758 CGIRQINI.EXE-2340B911.pf
29.07.2009 08:48 13.174 CPSHELPRUNNER10.EXE-013C6968.pf
29.07.2009 08:48 5.328 CGIONSTART.EXE-3A2E6468.pf
29.07.2009 08:48 38.514 EZI_HNM2.EXE-17BF654D.pf
29.07.2009 08:48 80.376 DOT1XCFG.EXE-1D3BE19B.pf
29.07.2009 08:48 44.906 DSAGNT.EXE-19DF4D6F.pf
29.07.2009 08:48 11.538 APACHEMONITOR.EXE-3943BA66.pf
29.07.2009 08:48 14.722 RUNDLL32.EXE-4E321F6C.pf
29.07.2009 08:48 12.174 DLG.EXE-2B1154B0.pf
29.07.2009 08:47 36.740 IMAPI.EXE-201490BB.pf
29.07.2009 08:47 63.724 ROXWATCHTRAY10.EXE-0EF315C2.pf
29.07.2009 08:47 20.144 AGENT.EXE-04D86242.pf
29.07.2009 08:47 11.016 SVCHOST.EXE-2D5FBD18.pf
29.07.2009 08:47 27.778 TEATIMER.EXE-18B5FBEC.pf
29.07.2009 08:47 31.118 ZCFGSVC.EXE-295082BD.pf
29.07.2009 08:47 19.226 PCCNTMON.EXE-08A93A5E.pf
29.07.2009 08:47 46.592 IFRMEWRK.EXE-1AD7CBD5.pf
29.07.2009 08:47 17.376 TFSWCTRL.EXE-2D67C816.pf
29.07.2009 08:47 18.594 APDPROXY.EXE-0CA28987.pf
29.07.2009 08:47 40.862 AVGNT.EXE-2D6E13E5.pf
29.07.2009 08:47 18.072 JUSCHED.EXE-063A1F6E.pf
29.07.2009 08:47 11.526 ISUSPM.EXE-0D47C79C.pf
29.07.2009 08:47 24.006 ISSCH.EXE-0CA829D3.pf
29.07.2009 08:47 16.982 DVDLAUNCHER.EXE-0A1DFA3C.pf
29.07.2009 08:47 11.084 CTSVOLFE.EXE-11028694.pf
29.07.2009 08:47 13.530 SYNTPENH.EXE-33F656F5.pf
29.07.2009 08:47 16.858 EHTRAY.EXE-337AC592.pf
29.07.2009 08:47 35.570 STSYSTRA.EXE-250DA2AC.pf
29.07.2009 08:47 17.538 VERCLSID.EXE-28F52AD2.pf
29.07.2009 08:46 15.348 RUNDLL32.EXE-6C39F68C.pf
29.07.2009 08:46 62.796 EXPLORER.EXE-02121B1A.pf
29.07.2009 08:46 35.674 USERINIT.EXE-0743FDA9.pf
29.07.2009 08:46 15.948 ATI2EVXX.EXE-07A42849.pf
29.07.2009 08:46 40.116 WGATRAY.EXE-350D4455.pf
29.07.2009 08:46 98.152 TMBMSRV.EXE-2AEFEDF7.pf
29.07.2009 08:46 79.824 WUAUCLT.EXE-1360D60A.pf
29.07.2009 08:46 1.308.736 NTOSBOOT-B00DFAAD.pf
29.07.2009 08:42 32.562 LOGONUI.EXE-312BE1BF.pf
29.07.2009 08:37 26.404 ALG.EXE-275708CF.pf
29.07.2009 08:36 14.234 CTFMON.EXE-05E57A5E.pf
29.07.2009 08:36 10.034 WSCNTFY.EXE-0B14C27D.pf
29.07.2009 08:36 27.872 QUICKSET.EXE-0836EF39.pf
29.07.2009 08:36 22.806 AU.EXE-01FCA325.pf
29.07.2009 08:36 6.978 CNTAOSMGR.EXE-15EC198A.pf
29.07.2009 08:36 5.464 CGILOG.EXE-0023EBFA.pf
29.07.2009 08:36 50.176 OSCEINTEGRATIONSERVICE.EXE-38B73BE4.pf
28.07.2009 15:12 16.872 DEFRAG.EXE-2858C7E2.pf
28.07.2009 15:12 56.172 DFRGNTFS.EXE-38C3807C.pf
28.07.2009 15:12 326.178 Layout.ini
28.07.2009 14:18 32.446 VLC.EXE-2E68006D.pf
28.07.2009 14:11 34.258 I_VIEW32.EXE-39EBFEC1.pf
28.07.2009 14:06 35.660 PV.EXE-017C877C.pf
28.07.2009 14:06 11.012 NIRCMD.EXE-08D0B8C8.pf
28.07.2009 14:06 37.508 FLASH_DISINFECTOR.EXE-1FA4308B.pf
28.07.2009 13:52 17.096 NOTEPAD.EXE-2F2D61E1.pf
28.07.2009 13:44 17.644 TASKMGR.EXE-06144C13.pf
28.07.2009 13:44 62.822 AVSCAN.EXE-33404D72.pf
28.07.2009 13:43 16.340 AVCENTER.EXE-1EA53793.pf
28.07.2009 13:42 16.554 REGEDIT.EXE-2AE3423E.pf
28.07.2009 13:38 43.004 RUNDLL32.EXE-527366BD.pf
28.07.2009 13:08 53.184 SPYBOTSD.EXE-334991F2.pf
28.07.2009 13:08 6.130 CGIONSCAN.EXE-1707D567.pf
28.07.2009 13:03 59.660 TSC.EXE-295428DE.pf
28.07.2009 13:03 39.426 PCCNT.EXE-04D6F0E2.pf
28.07.2009 12:04 34.846 RUNDLL32.EXE-5C896E5A.pf
28.07.2009 11:23 24.246 ROXMEDIADB10.EXE-0BC4C8F1.pf
28.07.2009 11:23 4.960 ICRCSERVICE.EXE-13EEA8AF.pf
28.07.2009 11:23 20.398 WMIAPSRV.EXE-02740A4B.pf
28.07.2009 11:19 26.240 DWWIN.EXE-2C373FB7.pf
28.07.2009 11:19 45.000 DUMPREP.EXE-0AF2BF67.pf
28.07.2009 11:14 33.000 IKERNEL.EXE-1B931CCC.pf
28.07.2009 11:14 10.070 SET1B.TMP-10E0BEBA.pf
28.07.2009 11:14 17.710 RUNDLL32.EXE-54094682.pf
28.07.2009 11:13 11.852 _IU14D2N.TMP-2DFC25B2.pf
28.07.2009 11:13 12.344 UNINS000.EXE-3070B827.pf
28.07.2009 11:11 7.742 887453.TMP-0127AF84.pf
28.07.2009 11:11 23.148 UNINSTALLER.EXE-012CB46F.pf
28.07.2009 11:11 67.240 JAVA.EXE-3AB644D1.pf
28.07.2009 11:10 14.014 IMAGEDRIVE.EXE-3A3469C8.pf
28.07.2009 11:10 35.068 NEROSTARTSMART.EXE-37596D5F.pf
28.07.2009 11:10 24.568 UNNERO.EXE-08A90497.pf
28.07.2009 11:10 6.894 NEROCHECK.EXE-30941580.pf
28.07.2009 11:09 29.580 UNNERO.EXE-14EFFF8B.pf
28.07.2009 11:08 7.526 JQSNOTIFY.EXE-12F9814B.pf
28.07.2009 11:08 13.158 FLASHGOT.EXE-0DA63F27.pf
28.07.2009 11:08 83.890 FIREFOX.EXE-1B8392AB.pf
28.07.2009 11:08 23.784 238645.TMP-13D0B0FF.pf
28.07.2009 11:07 35.924 UNINSTALLER.EXE-0A20432A.pf
28.07.2009 11:05 35.650 RUNDLL32.EXE-4532DDE6.pf
28.07.2009 11:05 20.678 HIJACKTHIS.EXE-375DC4F0.pf
28.07.2009 11:01 7.276 NBEXEC.EXE-1A1C9C97.pf
28.07.2009 11:01 64.958 JAVA.EXE-0CAD724B.pf
28.07.2009 11:01 26.148 NETBEANS.EXE-08AAB65A.pf
28.07.2009 09:44 56.982 HELPSVC.EXE-1C192440.pf
28.07.2009 09:29 16.062 RUNDLL32.EXE-5186486E.pf
28.07.2009 09:26 19.260 RUNDLL32.EXE-5E750E30.pf
28.07.2009 09:21 14.354 HJTINSTALL202.EXE-34E875F2.pf
28.07.2009 09:20 33.040 RUNDLL32.EXE-6E306DCB.pf
28.07.2009 09:19 34.566 FLASH_DISINFECTOR.EXE-35132B7C.pf
28.07.2009 09:05 24.308 REGSVR32.EXE-396DEA2C.pf
28.07.2009 09:04 48.804 UPDATE.EXE-05CC34D3.pf
28.07.2009 09:04 19.518 PREUPD.EXE-2781591E.pf
27.07.2009 15:33 16.152 VS7JIT.EXE-0EE4A492.pf
112 Datei(en) 4.918.390 Bytes
0 Verzeichnis(se), 4.269.584.384 Bytes frei

----- Tasks ----------------------------

Verzeichnis von C:\WINDOWS\tasks

29.07.2009 08:45 6 SA.DAT

----- Windows/Temp -----------------------

Verzeichnis von C:\WINDOWS\Temp

29.07.2009 08:46 409 WGANotify.settings
29.07.2009 08:46 255 WGAErrLog.txt
29.07.2009 08:46 0 JET8AB6.tmp
29.07.2009 08:45 0 ib36
29.07.2009 08:45 0 ib35
29.07.2009 08:45 0 ib34
29.07.2009 08:45 0 ib33
29.07.2009 08:45 0 ib32
29.07.2009 08:45 16.384 Perflib_Perfdata_670.dat
29.07.2009 08:37 0 JETBEA3.tmp
28.07.2009 11:23 0 JET4DD8.tmp
28.07.2009 09:03 0 JETA68B.tmp
27.07.2009 12:28 0 JET90AD.tmp
27.07.2009 11:00 0 JET5176.tmp
27.07.2009 10:54 0 JET942.tmp
27.07.2009 06:05 0 JET395.tmp
24.07.2009 08:01 0 JETE474.tmp
23.07.2009 07:48 0 JETE06D.tmp
22.07.2009 21:32 0 JET3CA7.tmp
22.07.2009 07:47 0 JETE01F.tmp
21.07.2009 18:51 0 JET560A.tmp
21.07.2009 08:06 0 JETD66A.tmp
20.07.2009 21:20 0 JET4FF0.tmp
20.07.2009 15:03 0 JETDB9A.tmp
11.07.2009 18:45 0 JETCA35.tmp
07.07.2009 20:54 0 JETCBFA.tmp
05.07.2009 16:25 0 JETCD23.tmp
26.06.2009 08:03 0 JETB4C9.tmp
25.06.2009 07:54 0 JETB5F2.tmp
24.06.2009 07:51 0 JETCF27.tmp
23.06.2009 07:51 0 JETCFA4.tmp
22.06.2009 22:26 0 JET1DA5.tmp
22.06.2009 16:10 0 JETD429.tmp
03.06.2009 05:32 0 JETD6D8.tmp
29.05.2009 07:48 0 JETDDAE.tmp
28.05.2009 07:48 0 JETC822.tmp
27.05.2009 08:05 0 JETD9A6.tmp
26.05.2009 07:54 0 JETE35B.tmp
25.05.2009 16:50 0 JETF83A.tmp
24.05.2009 09:31 0 JETCC78.tmp
21.05.2009 19:08 0 JET4CF2.tmp
08.05.2009 07:44 0 JETF7DD.tmp
07.05.2009 21:42 0 JETC2C3.tmp
07.05.2009 07:47 0 JETC9B8.tmp
06.05.2009 21:15 0 JETC64D.tmp
06.05.2009 07:39 0 JET15E4.tmp
05.05.2009 07:52 0 JET1279.tmp
04.05.2009 15:02 0 JETDCB4.tmp
03.05.2009 08:50 0 JETC5F.tmp
02.05.2009 09:16 0 JET42EF.tmp
01.05.2009 09:01 0 JET729B.tmp
30.04.2009 09:08 0 JETE3D8.tmp
29.04.2009 15:57 0 JETA89F.tmp
29.04.2009 08:52 0 JETF27E.tmp
28.04.2009 19:31 0 JET2A57.tmp
24.04.2009 22:56 0 JETE9B4.tmp
24.04.2009 07:57 0 JETD5DE.tmp
23.04.2009 07:48 0 JETE167.tmp
22.04.2009 07:45 0 JETFBB5.tmp
21.04.2009 07:56 0 JETC6E.tmp
20.04.2009 14:45 0 JET2797.tmp
08.04.2009 20:24 0 JETBC07.tmp
06.04.2009 14:57 0 JETE5DB.tmp
03.04.2009 07:59 0 JETF424.tmp
02.04.2009 20:20 0 JETEA60.tmp
02.04.2009 17:12 0 JET2B02.tmp
02.04.2009 12:03 0 JETCC77.tmp
02.04.2009 11:58 0 JETD428.tmp
02.04.2009 08:05 0 JET3CA6.tmp
02.04.2009 08:05 0 ib31
02.04.2009 08:05 0 ib30
02.04.2009 08:05 0 ib29
02.04.2009 08:05 0 ib28
02.04.2009 08:05 0 ib27
01.04.2009 19:54 0 JET4253.tmp
01.04.2009 08:04 0 JETD59F.tmp
31.03.2009 22:32 0 JET3227.tmp
31.03.2009 08:14 0 JET4ED6.tmp
30.03.2009 14:43 0 JET1A2A.tmp
29.03.2009 19:51 0 JET56F4.tmp
20.03.2009 13:50 0 JETE00F.tmp
20.03.2009 08:45 0 JET1690.tmp
20.03.2009 08:44 0 ib26
20.03.2009 08:44 0 ib25
20.03.2009 08:44 0 ib24
20.03.2009 08:44 0 ib23
20.03.2009 08:44 0 ib22
19.03.2009 22:06 0 JETF55C.tmp
19.03.2009 09:01 0 JET5118.tmp
18.03.2009 19:25 0 JETE956.tmp
18.03.2009 08:56 0 JETEA9E.tmp
17.03.2009 09:04 0 JETE917.tmp
16.03.2009 23:11 0 JET4244.tmp
16.03.2009 22:39 0 JETC445.tmp
16.03.2009 16:10 0 JETEF03.tmp
08.03.2009 00:33 0 JETD6B8.tmp
08.03.2009 00:25 0 JET4418.tmp
07.03.2009 23:53 1.020 ~ROMFN_000006E4
07.03.2009 23:52 0 JETC416.tmp
07.03.2009 23:48 16.384 Perflib_Perfdata_760.dat
22.02.2009 14:11 16.384 Perflib_Perfdata_b20.dat
22.02.2009 14:03 0 ib21
22.02.2009 14:03 0 ib20
22.02.2009 14:03 0 ib18
22.02.2009 14:03 0 ib19
22.02.2009 14:03 0 ib17
07.02.2009 00:57 0 UpdA.tmp

----- Temp -----------------------------

Verzeichnis von C:\DOKUME~1\HARALD~1\LOKALE~1\Temp

29.07.2009 08:52 207.732 jusched.log
29.07.2009 08:49 938 TWAIN.LOG
29.07.2009 08:49 4 Twain001.Mtx
29.07.2009 08:49 156 Twunk001.MTX
29.07.2009 08:48 0 ~ROMFN_000012D8
28.07.2009 11:11 184 cln1A.bat
28.07.2009 11:11 65.536 887453.tmp
28.07.2009 11:08 184 cln16.bat
28.07.2009 11:08 65.536 238645.tmp
27.07.2009 15:13 72.973 amt.log
27.07.2009 15:13 82.849 alm.log
27.07.2009 06:10 0 xx4
27.07.2009 06:10 0 xx3
27.07.2009 06:10 0 xx5
27.07.2009 06:10 0 xx6
27.07.2009 06:10 0 xx2
27.07.2009 06:09 24.543 java_install_reg.log
24.06.2009 12:31 58 jar_cache4185064170159402330.tmp
24.06.2009 12:31 639 jar_cache6242685453036729131.tmp
24.06.2009 12:31 906 jar_cache5684307387341225260.tmp
24.06.2009 12:31 217 jar_cache884439901491641790.tmp
24.06.2009 12:31 645 jar_cache4768332822491279048.tmp
24.06.2009 12:31 1.007 jar_cache6612242060810845673.tmp
23.06.2009 15:58 217 jar_cache6716854072102124232.tmp
23.06.2009 15:58 58 jar_cache2746175807249934506.tmp
23.06.2009 15:58 906 jar_cache7852787973425879728.tmp
23.06.2009 15:58 639 jar_cache1489904888118141144.tmp
23.06.2009 15:58 453 jar_cache4645525004439657625.tmp
23.06.2009 15:58 103 jar_cache3815360440955882660.tmp
23.06.2009 15:58 1.007 jar_cache4161649917250615413.tmp
23.06.2009 15:58 603 jar_cache560267627409731613.tmp
23.06.2009 15:58 645 jar_cache7063760619275058201.tmp
05.05.2009 17:52 304 wahtmltmp00.htm
04.05.2009 18:03 2.361 java_install_sp.log
04.05.2009 18:02 1.532.928 a58839.mst
04.05.2009 18:02 9.635 jinstall.cfg
02.05.2009 10:20 0 bit12.tmp
02.05.2009 09:25 0 bit11.tmp
01.05.2009 18:28 0 bit54.tmp
01.05.2009 16:35 0 bit52.tmp
01.05.2009 14:33 0 bit50.tmp
01.05.2009 11:00 0 bit20.tmp
01.05.2009 09:56 0 bit1F.tmp
01.05.2009 09:25 0 bit17.tmp
01.05.2009 09:25 0 bit16.tmp
01.05.2009 09:14 0 bit14.tmp
30.04.2009 15:30 0 bit4B.tmp
30.04.2009 10:16 0 bit1C.tmp
30.04.2009 09:23 0 bit15.tmp
29.04.2009 18:32 0 bitF.tmp
29.04.2009 17:10 0 bitE.tmp
29.04.2009 12:58 0 bit1B.tmp
29.04.2009 12:24 0 bit1A.tmp
29.04.2009 11:56 0 bit19.tmp
02.04.2009 08:05 1.020 ~ROMFN_00000B14
29.03.2009 19:55 12 Fritz2718125.cib
29.03.2009 19:55 12 Fritz2718125.cit
25.03.2009 09:02 607.640 jre-6u13-windows-i586-p-iftw.exe
20.03.2009 08:45 1.020 ~ROMFN_00000F9C
19.03.2009 22:50 127 Fritz2718125.cbt
19.03.2009 22:50 162 Fritz2718125.cbp
19.03.2009 22:50 26 Fritz2718125.cba
19.03.2009 22:50 32 Fritz2718125.cbm
19.03.2009 22:50 90 Fritz2718125.cbc
19.03.2009 22:50 28 Fritz2718125.cbe
19.03.2009 22:50 228 Fritz2718125.cbg
19.03.2009 22:50 92 Fritz2718125.cbh
19.03.2009 22:50 96 Fritz2718125.cbs
19.03.2009 22:50 110 Fritz2718125.cbj
19.03.2009 22:50 159 Fritz2718125.ini
18.03.2009 15:13 506 msinterr.txt
18.03.2009 15:13 296.502 vsinstall71.txt
18.03.2009 15:12 12.516 setup.log
18.03.2009 15:12 25.989.462 VSMsiLog35DA.txt
18.03.2009 15:01 206.134 DepCheck71.txt
07.03.2009 23:44 0 is68.tmp
07.03.2009 23:41 6.998 netfx.log
07.03.2009 23:41 2.406 dotNetFx.log
24.02.2009 22:02 18.929.152 Skype.msi
22.02.2009 14:42 69.795 Nikon-Gebrauchtpreise-Kamera-Zubehoer-I DSLR-Forum.pdf
22.02.2009 14:38 48.735 Nikon-Gebrauchtpreise-Objektive-Zubehoer-I DSLR-Forum.pdf
22.02.2009 14:36 28.700 etilqs_HxyV54tODr4jUqsOgKPI
22.02.2009 14:10 295.680 java_install.log
22.02.2009 14:09 1.532.928 6376f.mst
22.02.2009 14:07 1.020 ~ROMFN_00000D10
29.01.2009 14:59 52.068 b6b8_appcompat.txt
14.01.2009 10:12 16.384 ~DF8532.tmp

Die nächsten Ausgaben folgen in den nächsten Beiträgen...

Javaguru · 29.07.2009, 13:39

>3.
Die von CCleaner aufgelisteten installierten Programme:

Zitat:

7-Zip 4.42
Acronis*True*Image*Home
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 7.1.0 - Deutsch
Adobe Stock Photos CS3
AnyDVD
Apache HTTP Server 2.0.63
ARTEuro
ATI Catalyst Control Center
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Azureus
Broadcom Management Programs
Capture NX
CCleaner (remove only)
ChessBase 9
Conexant HDA D110 MDC V.92 Modem
Deep Fritz 11
Deep Shredder 11 UCI
Dell Network Assistant
Dell Support 3.2
Dell System Restore
Digital Line Detect
DVDFab Platinum 2.9.7.8
Free Download Manager 2.1
Fritz11
Fruit Beta 05/11/03
GemMaster Mystic
GnuPG For Windows
HIARCS 11.2 MP UCI
HIARCS 11.2 SP UCI
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Intel(R) PROSet/Wireless Software
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_09
Java 2 SDK, SE v1.4.2_09
Java(TM) 6 Update 13
Java(TM) SE Development Kit 6
Java(TM) SE Runtime Environment 6 Update 1
Junior 10
KeyEventDemo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 German Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Enterprise 2007
Microsoft Office Project Professional 2007
Microsoft Office Visio Professional 2007 Trial
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works
mIRC
mirkes.de Tiny Hexer
Mixer
Modem Helper
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySQL Server 5.0
Neat Image v5.2 Pro+
NetWaiting
Nikon Message Center
Noiseware Community Edition
Norton PartitionMagic 8.0
Opera 9.26
Otto
Picture Control Utility
PowerDVD 5.7
QuickSet
RealPlayer
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio CinePlayer Decoder Pack
Roxio Disc Gallery
Roxio File Backup
Roxio Update Manager
Roxio WinOnCD 10
Rybka 3 Aquarium
Sandboxie 3.38
Search Assist
Shredder 11 Opening Book
Skype™ 4.0
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sound Blaster Audigy ADVANCED MB Demo
Spybot - Search & Destroy
Synaptics Pointing Device Driver
The Bat! International Pack v3.95.06
The Bat! Professional v4.1.9
TightVNC 1.2.9
Total Commander (Remove or Repair)
Trend Micro OfficeScan Client
Trend Micro OfficeScan Server
TrueCrypt
URL Assistant
USB Video Device Driver
ViewNX
Winamp (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinMerge 2.4.2.0
WinRAR
YouTube FLV to AVI converter Pro 2.2.5
Zweitausendeins Schachweltmeister Deep Junior 10

>4.
Biddeschön die gmer-Ausgabe (dauerte ordentlich lange, ein paar Stunden...^^):

Zitat:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 14:00:28
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwClose [0xB9F8D028]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwCreateKey [0xB9F8CFE0]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xB9F80B00]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xB9F815DC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8D120]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenFile [0xB9F80B40]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenKey [0xB9F8CFA4]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xB9F815FC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwQueryValueKey [0xB9F8D076]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8C550]

---- Kernel code sections - GMER 1.0.15 ----

.text win32k.sys!EngAcquireSemaphore + 20E2 BF8082D1 5 Bytes JMP 88CD84D0
.text win32k.sys!EngFreeUserMem + 5BD2 BF80EE58 5 Bytes JMP 88CD8430
.text win32k.sys!EngCreateBitmap + D9A0 BF84582C 5 Bytes JMP 88CD8610
.text win32k.sys!EngMultiByteToWideChar + 2F22 BF85277C 5 Bytes JMP 88CD8750
.text win32k.sys!EngGradientFill + 5100 BF8B3C90 5 Bytes JMP 88CD8570
.text win32k.sys!EngAlphaBlend + 9285 BF8C3136 5 Bytes JMP 88CD86B0
.text win32k.sys!PATHOBJ_vGetBounds + 74E1 BF8F004B 5 Bytes JMP 88CD87F0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 00D4FF90
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 00D4FC80
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 00D48770
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00D49CB0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 00D4CE20
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 00D4AA00
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00D49FE0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 00D4C160
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 00D4F160
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 00D4F1A0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 00D502E0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 00D4ED50
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 00D4CD80
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 00D4B520
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 00D4A6B0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 00D4AFA0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 00D50860
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 00D4C4B0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 00D4CBE0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 00D4D810
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 00D4D2F0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 00D4D790
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 00D4E2B0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 00D4D980
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 00D4A360
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 00D4B3D0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 00D4F280
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 00D4D430
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 00D4CD20
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 00D4C8E0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 00D4CF30
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 00D50300
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 00D4D230
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 00D505A0
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 00D50540
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 00D50790
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 00D50830
IAT C:\Programme\Dell Network Assistant\ezi_hnm2.exe[5468] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 00D50660

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A851D28

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A45D6A0
Device \FileSystem\Udfs \UdfsCdRom 8A47F548
Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk 8A47F548
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom0 8A4EC778
Device \FileSystem\Rdbss \Device\FsWrap 89AFDAF8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom1 8A4EC778
Device \Driver\atapi \Device\Ide\IdePort0 8A4ECA88
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A4ECA88
Device \Driver\atapi \Device\Ide\IdePort1 8A4ECA88
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A4ECA88

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)

Device \FileSystem\Srv \Device\LanmanServer 8A482F10

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B17E80
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B17E80
Device \FileSystem\Npfs \Device\NamedPipe 89B1F1E8
Device \FileSystem\Msfs \Device\Mailslot 8A2F7C50
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 8A41BF00
Device \Driver\a347scsi \Device\Scsi\a347scsi1 8A41BF00
Device \FileSystem\Fastfat \Fat 8A45D6A0

AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A62DB98
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A62DB98
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A62DB98
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A62DB98
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A62DB98
Device \FileSystem\Cdfs \Cdfs 89B045A0
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module _________ B9EE2000-B9EFA000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej40 0x93 0x95 0x5D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej41 0x0E 0x95 0x5D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej42 0x0E 0x95 0x5D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej43 0x0E 0x95 0x5D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej44 0x0E 0x95 0x5D 0x56 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- EOF - GMER 1.0.15 ----

Javaguru · 29.07.2009, 13:43

>5.
Biddeschön die Ausgabe von RootRepeal. Bei HiddenServices hat er nichts gefunden.
[code]
ROOTREPEAL (c) AD, 2007-2009

Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3

Drivers
-------------------
Name:
Image Path:
Address: 0xB9EE2000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA118000 Size: 57344 File Visible: - Signed: -
Status: -

Name: a347bus.sys
Image Path: a347bus.sys
Address: 0xB9F7F000 Size: 160640 File Visible: - Signed: -
Status: -

Name: a347scsi.sys
Image Path: a347scsi.sys
Address: 0xBA5AC000 Size: 5248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F50000 Size: 188800 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2154496 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xBA470000 Size: 19232 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB0A85000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AnyDVD.sys
Image Path: C:\WINDOWS\System32\Drivers\AnyDVD.sys
Address: 0xBA448000 Size: 20096 File Visible: - Signed: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xB0C62000 Size: 16128 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBA258000 Size: 60800 File Visible: - Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF055000 Size: 282624 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 274432 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB946E000 Size: 1638400 File Visible: - Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF0DC000 Size: 2756608 File Visible: - Signed: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF09A000 Size: 270336 File Visible: - Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF37D000 Size: 1753088 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA7C3000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgio.sys
Image Path: D:\Avira\AntiVir PersonalEdition Classic\avgio.sys
Address: 0xBA618000 Size: 6144 File Visible: - Signed: -
Status: -

Name: avgntflt.sys
Image Path: D:\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Address: 0xAC52D000 Size: 81920 File Visible: - Signed: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xB0924000 Size: 69632 File Visible: - Signed: -
Status: -

Name: avmbtpar.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avmbtpar.sys
Address: 0xB95FE000 Size: 60032 File Visible: - Signed: -
Status: -

Name: avmbtser.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avmbtser.sys
Address: 0xBA1B8000 Size: 61056 File Visible: - Signed: -
Status: -

Name: avmbtsnd.sys
Image Path: C:\WINDOWS\system32\drivers\avmbtsnd.sys
Address: 0xBA198000 Size: 49664 File Visible: - Signed: -
Status: -

Name: avmcowan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avmcowan.sys
Address: 0xB967E000 Size: 53248 File Visible: - Signed: -
Status: -

Name: avmdsloe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avmdsloe.sys
Address: 0xB966E000 Size: 39552 File Visible: - Signed: -
Status: -

Name: avmndsl.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avmndsl.sys
Address: 0xB965E000 Size: 38720 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xBA4C0000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xBA138000 Size: 45312 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA600000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: capi_cip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\capi_cip.sys
Address: 0xB917E000 Size: 374144 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBA2E8000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA178000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xB9C71000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xBA4BC000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xB9EFA000 Size: 154112 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xB968E000 Size: 61440 File Visible: - Signed: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xB9E83000 Size: 85344 File Visible: - Signed: -
Status: -

Name: drvnddm.sys
Image Path: C:\WINDOWS\system32\drivers\drvnddm.sys
Address: 0xBA2D8000 Size: 38240 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB08AF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA63E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB0945000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA70A000 Size: 4096 File Visible: - Signed: -
Status: -

Name: ElbyCDIO.sys
Image Path: C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
Address: 0xBA60A000 Size: 8064 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB08D8000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA268000 Size: 44672 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9EAA000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA5FC000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F20000 Size: 126336 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E5000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9432000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA4A0000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB0C6A000 Size: 717952 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xB0D1A000 Size: 1035008 File Visible: - Signed: -
Status: -

Name: HSFHWAZL.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Address: 0xB0E17000 Size: 201600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xADFE3000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xB9C79000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA158000 Size: 52992 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA168000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA318000 Size: 40448 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB0AA7000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB0B4E000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37632 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA440000 Size: 25216 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xAC412000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB91FE000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9E6C000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xAE120000 Size: 11840 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA602000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA478000 Size: 30336 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA438000 Size: 23552 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xAE1C9000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB095D000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA4B0000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB961E000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB9C35000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9D1E000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9DB2000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB9C55000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAE436000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB9167000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA1D8000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA218000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB0ACD000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA1A8000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA340000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9DDF000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2154496 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA799000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA108000 Size: 61696 File Visible: - Signed: -
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xBA468000 Size: 17088 File Visible: - Signed: -
Status: -

Name: packet.sys
Image Path: C:\WINDOWS\system32\DRIVERS\packet.sys
Address: 0xAE652000 Size: 12672 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F3F000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: Pcouffin.sys
Image Path: C:\WINDOWS\System32\Drivers\Pcouffin.sys
Address: 0xB960E000 Size: 47360 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2154496 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB91DA000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PQNTDrv.SYS
Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
Address: 0xBA70E000 Size: 2688 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB912E000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA458000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA0F8000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB9163000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB964E000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB963E000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB962E000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA460000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2154496 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB09CD000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA604000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB90FE000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA188000 Size: 57728 File Visible: - Signed: -
Status: -

Name: rimmptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Address: 0xBA430000 Size: 28544 File Visible: - Signed: -
Status: -

Name: rimsptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Address: 0xBA148000 Size: 51328 File Visible: - Signed: -
Status: -

Name: rixdptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Address: 0xB9250000 Size: 307968 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAC4BD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: s24trans.sys
Image Path: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Address: 0xAE64A000 Size: 13568 File Visible: - Signed: -
Status: -

Name: SbieDrv.sys
Image Path: D:\Sandboxie\SbieDrv.sys
Address: 0xAD432000 Size: 126976 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xB9ECA000 Size: 98304 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xB929C000 Size: 79232 File Visible: - Signed: -
Status: -

Name: snapman.sys
Image Path: snapman.sys
Address: 0xB9D38000 Size: 107104 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xB9E98000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xADF69000 Size: 333952 File Visible: - Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xBA5E2000 Size: 5568 File Visible: - Signed: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xBA378000 Size: 21248 File Visible: - Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xBA498000 Size: 23488 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB0E49000 Size: 1111840 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5E4000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xB9221000 Size: 191872 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAD3A2000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB0AF5000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA450000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA1C8000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tfsnboio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnboio.sys
Address: 0xBA3F8000 Size: 25824 File Visible: - Signed: -
Status: -

Name: tfsncofs.sys
Image Path: C:\WINDOWS\system32\dla\tfsncofs.sys
Address: 0xBA2F8000 Size: 34784 File Visible: - Signed: -
Status: -

Name: tfsndrct.sys
Image Path: C:\WINDOWS\system32\dla\tfsndrct.sys
Address: 0xBA6B9000 Size: 4064 File Visible: - Signed: -
Status: -

Name: tfsndres.sys
Image Path: C:\WINDOWS\system32\dla\tfsndres.sys
Address: 0xBA6B6000 Size: 2208 File Visible: - Signed: -
Status: -

Name: tfsnifs.sys
Image Path: C:\WINDOWS\system32\dla\tfsnifs.sys
Address: 0xAE5E8000 Size: 86528 File Visible: - Signed: -
Status: -

Name: tfsnopio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnopio.sys
Address: 0xAE7E3000 Size: 15168 File Visible: - Signed: -
Status: -

Name: tfsnpool.sys
Image Path: C:\WINDOWS\system32\dla\tfsnpool.sys
Address: 0xBA5B0000 Size: 6304 File Visible: - Signed: -
Status: -

Name: tfsnudf.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudf.sys
Address: 0xAE5CF000 Size: 98656 File Visible: - Signed: -
Status: -

Name: tfsnudfa.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudfa.sys
Address: 0xAE5B6000 Size: 100544 File Visible: - Signed: -
Status: -

Name: tifsfilt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
Address: 0xBA3F0000 Size: 32320 File Visible: - Signed: -
Status: -

Name: timntr.sys
Image Path: timntr.sys
Address: 0xB9D53000 Size: 388800 File Visible: - Signed: -
Status: -

Name: tmactmon.sys
Image Path: C:\WINDOWS\system32\drivers\tmactmon.sys
Address: 0xAE164000 Size: 77824 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xAE19F000 Size: 172032 File Visible: - Signed: -
Status: -

Name: tmevtmgr.sys
Image Path: C:\WINDOWS\system32\drivers\tmevtmgr.sys
Address: 0xAE336000 Size: 61440 File Visible: - Signed: -
Status: -

Name: TmPreFlt.sys
Image Path: D:\Trend Micro\OfficeScan Client\TmPreFlt.sys
Address: 0xBA2C8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: tmtdi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tmtdi.sys
Address: 0xB09F8000 Size: 71680 File Visible: - Signed: -
Status: -

Name: TmXPFlt.sys
Image Path: D:\Trend Micro\OfficeScan Client\TmXPFlt.sys
Address: 0xAE5FE000 Size: 294912 File Visible: - Signed: -
Status: -

Name: truecrypt.sys
Image Path: C:\WINDOWS\System32\drivers\truecrypt.sys
Address: 0xB0A52000 Size: 208512 File Visible: - Signed: -
Status: -

Name: Udfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS
Address: 0xB08C7000 Size: 66048 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB90A0000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5E0000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA428000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA208000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB92B0000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xBA370000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA420000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA4A8000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB945A000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 53760 File Visible: - Signed: -
Status: -

Name: VSApiNt.sys
Image Path: D:\Trend Micro\OfficeScan Client\VSApiNt.sys
Address: 0xAE66E000 Size: 1213344 File Visible: - Signed: -
Status: -

Name: w39n51.sys
Image Path: C:\WINDOWS\system32\DRIVERS\w39n51.sys
Address: 0xB92D4000 Size: 1429632 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA248000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA3B8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xAD1ED000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2154496 File Visible: - Signed: -
Status: -
[/code]

Javaguru · 29.07.2009, 13:44

Und last but not least:
Biddeschön der zweite Teil der Ausgabe von RootRepeal.
[code]

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 14:16
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a878e48 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a492838 Size: 11

Object: Hidden Code [Driver: UdfsЅఆ䵃慖, IRP_MJ_READ]
Process: System Address: 0x8a487f10 Size: 11

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a4698a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x8a445b88 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a491160 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a4d4a68 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x899420d8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a4d4e98 Size: 11

Object: Hidden Code [Driver: NpfsЅఆ剒敬0, IRP_MJ_READ]
Process: System Address: 0x8a2a7260 Size: 11

Object: Hidden Code [Driver: Msfsࠅఆ剒敬π, IRP_MJ_READ]
Process: System Address: 0x8a5cce28 Size: 11

Object: Hidden Code [Driver: tfsndrctȆఄ䵃奌䌨, IRP_MJ_READ]
Process: System Address: 0x8a4e4678 Size: 11

Object: Hidden Code [Driver: tfsnboioࠆ扏煓ࠁఊ瑔摦─逈, IRP_MJ_READ]
Process: System Address: 0x8a4ae168 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a2aba00 Size: 11

Object: Hidden Code [Driver: tfsnudfaІ䵃慖Ёఏ灇敦珨, IRP_MJ_READ]
Process: System Address: 0x897ad5f0 Size: 11

Object: Hidden Code [Driver: tfsnudf, IRP_MJ_READ]
Process: System Address: 0x8a2842f0 Size: 11

Object: Hidden Code [Driver: Cdfs؅扏煓؁అ浗灩PROCESSO, IRP_MJ_READ]
Process: System Address: 0x8a4844d0 Size: 11

Object: Hidden Code [Driver: tfsncofsȆ䵃慖ȁఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x8a4e4798 Size: 11
[/code]

Schon mal vielen Dank für die Hilfe!

BTW System neu aufsetzen - also den USB-Stick plätten und die PortableApps neu installieren? Oder bekomme ich vielleicht doch, wenn ja wie, die Google-Umleitung im Firefox portable weg, ohne dass Restschädlinge bleiben?

kira · 29.07.2009, 22:56

hi

1.
Schalte alle Anwendungen und Programme ab (aus dem Autostart & Dienste), die möglicherweise die Bereinigung behindern könnten Antivirenprogramm und Firewall nicht abschalten!!:

Code:

ATTFilter

 **Spybot + TeaTimer

oder fixe mit HijackThis:
Schliesse alle Programme einschliesslich Internet Explorer und fixe mit Hijackthis die Einträge aus der nachfolgenden Codebox (HijackThis starten→ Einträge auswählen→ Häckhen setzen→ "Fix checked"klicken→ PC neu aufstarten):

Zitat:

O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe

2.
Lade Dir Malwarebytes Anti-Malware von→ malwarebytes.org

Installieren und per Doppelklick starten.
Deutsch einstellen und gleich mal die Datenbanken zu aktualisieren - online updaten
"Komplett Scan durchführen" wählen (überall Haken setzen)
wenn der Scanvorgang beendet ist, klicke auf "Zeige Resultate"
alle Funde markieren und auf "Löschen" - "Ausgewähltes entfernen") klicken.
Poste das Ergebnis hier in den Thread - den Bericht findest Du unter "Scan-Berichte"

eine bebilderte Anleitung findest Du hier: Malwarebytes Anti-Malware

3.
starte dein System neu auf

4.
- **Speichermedien wie Externe Festplatte/USB-Stick usw bitte anschließen, halte dabei die Shift-Taste gedrückt!

- Lade das Combofix von einem der folgenden Download Spiegel herunter:
BleepingComputer - ForoSpyware

- Wichtig!: installiere auf den Desktop
- Antiviren, - und andere Schutz/Spyprogramme bitte deaktivieren
- Schließe jeder externe Datenträger (USB Stick und USB Festplatte etc) an dein Computer an - dabei die Shift-Taste bitte unbedingt gedrückt halten!
- Per Doppelklick die ComboFix.exe starten und den Anweisungen folgen
- Falls die Microsoft-Windows-Wiederherstellungskonsole auf dein Rechner nicht installiert ist, und wenn du direkt gefragt wirst, es zu ermöglichen stimme dem Lizenzvertrag zu. Danach erscheint ein Fenster zur Bestätigung, ansonsten wird ComboFix mit der Arbeit fortfahren
- bestätige mit "ja", damit den Suchlauf automatisch beginnen kann

Zitat:

Achtung! Während ComboFix läuft: Ab sofort die Maus nicht mehr bewegen oder/und auf dem PC irgendetwas machen!!
** Für alle die das Tool benutzen, eine gewisse Vorsicht geboten, also die Reihenfolge und Anweisungen gründlich lesen und streng einhalten!!

- wird ein Log-Datei - C:\ComboFix.txt erstellt, deren Inhalte bitte posten
** Eine bebilderte Anleitung findest Du hier: bleepingcomputer.com/combofix/Anleitung

5.
poste erneut:
Trend Micro HijackThis-Logfile

Javaguru · 30.07.2009, 11:06

Moin,

>2. (MalwareBytes)
>Poste das Ergebnis hier in den Thread - den Bericht findest Du unter "Scan-Berichte"[/list]
Biddeschön:

Zitat:

Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2529
Windows 5.1.2600 Service Pack 3

30.07.2009 11:09:49
mbam-log-2009-07-30 (11-09-49).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 332620
Laufzeit: 2 hour(s), 4 minute(s), 9 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 4
Infizierte Registrierungswerte: 6
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\locsock32.dll (Trojan.Agent) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\CLSID\{61dc85a0-4a32-4c38-92cf-24652b3f416c} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{61dc85a0-4a32-4c38-92cf-24652b3f416c} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{544735c9-ae13-4721-9de7-d529be675038} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61dc85a0-4a32-4c38-92cf-24652b3f416c} (Password.Stealer) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\locsock32.dll (Trojan.Agent) -> Delete on reboot.
d:\mIRC603\SmartICQ\dat\SysTray.dll (Trojan.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.

>4. (Combofix)
>- wird ein Log-Datei - C:\ComboFix.txt erstellt, deren Inhalte bitte posten

Biddeschön:

Zitat:

ComboFix 09-07-28.01 - Harald Maiser 30.07.2009 11:37.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2046.1427 [GMT 2:00]
ausgeführt von:: d:\antivirus\Combofix\CoFi.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Trend Micro OfficeScan Virenschutz *On-access scanning disabled* (Outdated) {64C2C4B2-8E48-48D5-9BE8-CDD1201B7030}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe

.
((((((((((((((((((((((( Dateien erstellt von 2009-06-28 bis 2009-07-30 ))))))))))))))))))))))))))))))
.

2009-07-30 06:25 . 2009-07-30 06:25 -------- d-----w- c:\dokumente und einstellungen\Harald Maiser\Anwendungsdaten\Malwarebytes
2009-07-30 06:25 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 06:25 . 2009-07-30 06:25 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-07-30 06:25 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 09:26 . 2009-04-03 17:47 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-07-27 09:26 . 2009-04-03 17:47 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-07-27 09:26 . 2009-07-27 09:26 -------- d-----w- c:\windows\system32\log
2009-07-27 09:21 . 2009-07-27 09:25 439674 ----a-w- c:\windows\system32\prfh0407.dat
2009-07-27 09:21 . 2009-07-27 09:25 83316 ----a-w- c:\windows\system32\prfc0407.dat
2009-07-27 09:19 . 2009-02-23 10:32 78352 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-07-27 09:05 . 2009-07-27 09:05 -------- d-----w- c:\dokumente und einstellungen\Harald Maiser\Anwendungsdaten\InstallShield
2009-07-27 04:10 . 2009-04-03 17:47 151568 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-27 04:09 . 2009-07-27 04:11 -------- d-----w- c:\dokumente und einstellungen\Harald Maiser\.housecall6.6

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 09:30 . 2007-02-06 17:11 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-07-28 09:14 . 2006-09-06 17:49 -------- d-----w- c:\dokumente und einstellungen\Harald Maiser\Anwendungsdaten\ChessBase
2009-07-28 09:08 . 2007-11-11 12:57 169936 ----a-w- c:\dokumente und einstellungen\Harald Maiser\Anwendungsdaten\Mozilla\Firefox\Profiles\uwp9vpog.default\FlashGot.exe
2009-07-27 09:25 . 2005-08-19 23:34 83316 ----a-w- c:\windows\system32\perfc007.dat
2009-07-27 09:25 . 2005-08-19 23:34 441408 ----a-w- c:\windows\system32\perfh007.dat
2009-07-27 09:17 . 2006-08-31 17:01 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-06-16 14:36 . 2005-08-19 23:34 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-19 23:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2005-08-19 23:34 1296896 ------w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2005-08-19 23:33 348160 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 16:02 . 2009-05-04 16:02 152576 ----a-w- c:\dokumente und einstellungen\Harald Maiser\Anwendungsdaten\Sun\Java\jre1.6.0_13\lzma.dll
2006-10-13 20:40 . 2006-09-20 07:39 88 --sh--r- c:\windows\system32\5D4C34FC96.sys
2006-11-10 10:12 . 2006-09-20 07:46 56 --sh--r- c:\windows\system32\96FC344C5D.sys
2006-11-10 10:12 . 2006-09-20 07:39 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupport"="c:\programme\Dell Support\DSAgnt.exe" [2006-07-16 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\programme\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"IntelZeroConfig"="c:\programme\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\programme\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"DVDLauncher"="c:\programme\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"CTSVolFE.exe"="c:\programme\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"avgnt"="d:\avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Photo Downloader"="d:\photoshop elements 6.0\apdproxy.exe" [2007-09-10 67488]
"RoxWatchTray"="c:\programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"OfficeScanNT Monitor"="d:\trend micro\OfficeScan Client\pccntmon.exe" [2009-06-09 746792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen�\Programme\Autostart\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-8-31 7168]
Digital Line Detect.lnk - c:\programme\Digital Line Detect\DLG.exe [2006-8-31 24576]
Monitor Apache Servers.lnk - d:\trend micro\OfficeScan\PCCSRV\Apache2\bin\ApacheMonitor.exe [2008-1-17 41042]

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Harald Maiser^Startmenü^Programme^Autostart^Adobe Gamma.lnk]
path=c:\dokumente und einstellungen\Harald Maiser\Startmenü\Programme\Autostart\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\BPFTP\\G6FTPSrv.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"d:\\Azureus\\Azureus.exe"=
"d:\\Firefox\\firefox.exe"=
"d:\\JDK1.6.0\\bin\\java.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"d:\\RealVNC\\VNC4\\vncviewer.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"d:\\Adobe Dreamweaver CS3\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"d:\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Programme\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Skype\\Phone\\Skype.exe"=
"d:\\Roxio\\Creator Classic 10\\Creator10.exe"=
"d:\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"46229:TCP"= 46229:TCP:Azureus TCP
"46229:UDP"= 46229:UDP:Azureus UDP
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"27186:TCP"= 27186:TCP:Trend Micro OfficeScan Listener

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;d:\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [11.09.2007 00:45 124832]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [24.08.2007 16:52 166384]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [27.07.2009 11:26 50192]
R2 TmFilter;Trend Micro Filter;d:\trend micro\OfficeScan Client\TmXPFlt.sys [27.07.2009 11:19 225296]
R2 TmPreFilter;Trend Micro PreFilter;d:\trend micro\OfficeScan Client\tmpreflt.sys [27.07.2009 11:19 36368]
R3 AVMBTPARALLEL;AVM Bluetooth Druckeranschluss;c:\windows\system32\drivers\avmbtpar.sys [23.08.2004 02:00 60032]
R3 AVMBTSERIAL;AVM Bluetooth Kommunikationsanschluss;c:\windows\system32\drivers\avmbtser.sys [23.08.2004 02:00 61056]
R3 AVMBTSND;AVM Bluetooth Audio Driver;c:\windows\system32\drivers\avmbtsnd.sys [23.08.2004 02:00 49664]
R3 AVMCOWAN;AVM ISDN CoNDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmcowan.sys [23.08.2004 02:00 53248]
R3 AVMDSLPPPOE;AVM DSL PPPoE CAPI Treiber;c:\windows\system32\drivers\avmdsloe.sys [11.06.2003 02:00 39552]
R3 AVMNDSL;AVM DSL NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmndsl.sys [11.06.2003 02:00 38992]
R3 CAPI_CIP;AVM Bluetooth CAPI-Controller;c:\windows\system32\drivers\capi_cip.sys [23.08.2004 02:00 374144]
R3 OSCEIntegrationService;OfficeScan Active Directory Integration Service;d:\trend micro\OfficeScan\PCCSRV\Web\Service\OSCEIntegrationService.exe [27.07.2009 11:18 394560]
R3 RoxMediaDB10;RoxMediaDB10;c:\programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [24.08.2007 16:52 1083888]
R3 TMiCRCScanService;Trend Micro Smart Scan Server;d:\trend micro\OfficeScan\PCCSRV\WSS\iCRCService.exe [27.07.2009 11:18 304536]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;d:\roxio\Digital Home 10\RoxioUpnpService10.exe [24.08.2007 16:53 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [24.08.2007 16:52 309744]
S2 SessionLauncher;SessionLauncher;c:\dokume~1\HARALD~1\LOKALE~1\Temp\DX9\SessionLauncher.exe --> c:\dokume~1\HARALD~1\LOKALE~1\Temp\DX9\SessionLauncher.exe [?]
S3 bfhubase;BlueFRITZ! USB 2.5(WinXP/2000);c:\windows\system32\drivers\bfhubase.sys [23.08.2004 02:00 796192]
S3 FDLUBASE;AVM FRITZ!Card DSL SL USB (WinXP/2000);c:\windows\system32\drivers\fdlubase.sys [11.06.2003 02:00 659200]
S3 NETBFPAN;AVM Bluetooth Netzwerkadapter;c:\windows\system32\drivers\netbfpan.sys [23.08.2004 02:00 35914]
S3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\DRIVERS\NETFWDSL.SYS --> c:\windows\system32\DRIVERS\NETFWDSL.SYS [?]
S3 OfficeScanCMAgent;OfficeScan Control Manager Agent;d:\trend micro\OfficeScan\PCCSRV\CmAgent\OfcCMAgent.exe [27.07.2009 11:18 152864]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;d:\roxio\Digital Home 10\RoxioUPnPRenderer10.exe [24.08.2007 16:53 72176]
S3 SbieDrv;SbieDrv;d:\sandboxie\SbieDrv.sys [28.05.2009 15:32 108032]
S3 TmProxy;OfficeScan NT Proxy Service;d:\trend micro\OfficeScan Client\TmProxy.exe [27.07.2009 11:19 652552]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = www.google.de/ig/dell?hl=de&client=dell-row&channel=de
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={1A15507A-8551-4626-915D-3D5FA095CC1B}&r=10.0&v=ISUA%204.50&u={C3357C5B-2B29-49AC-AAC5-C3B0BA784826}&l=1031&K=ZCE9CB0A8BEBCF7FFBEAC87386E8B978FC9BC978F59FCF0EFCEAC90BFE9CBD09889DC708FDEAC
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://d:\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://d:\free download manager\dllink.htm
IE: Nach Microsoft &Excel exportieren - d:\micros~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - d:\micros~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\dokumente und einstellungen\Harald Maiser\Anwendungsdaten\Mozilla\Firefox\Profiles\uwp9vpog.default\
FF - plugin: d:\realplayer\Netscape6\nppl3260.dll
FF - plugin: d:\realplayer\Netscape6\nprjplug.dll
FF - plugin: d:\realplayer\Netscape6\nprpjplug.dll
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 11:40
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"d:\mysql server 5.0\bin\mysqld-nt\" --defaults-file=\"d:\mysql server 5.0\my.ini\" MySQL"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1200)
c:\windows\system32\relog_ap.dll
.
Zeit der Fertigstellung: 2009-07-30 11:43
ComboFix-quarantined-files.txt 2009-07-30 09:42

Vor Suchlauf: 4.169.547.776 Bytes frei
Nach Suchlauf: 4.374.843.392 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

184 --- E O F --- 2009-07-20 22:01

Javaguru · 30.07.2009, 11:07

>5.
poste erneut:
Trend Micro HijackThis-Logfile

Und zu guter letzt:

Zitat:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:39, on 30.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
d:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Dell Network Assistant\hnm_svc.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
D:\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
D:\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
D:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programme\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
D:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Programme\Java\jre6\bin\jusched.exe
D:\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Dell Support\DSAgnt.exe
C:\Programme\Dell Network Assistant\ezi_hnm2.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
D:\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
D:\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\WINDOWS\explorer.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de/ig/dell?hl=de&client=dell-row&channel=de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.de/ig/dell?hl=de&client=dell-row&channel=de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdates.asp?p={1A15507A-8551-4626-915D-3D5FA095CC1B}&r=10.0&v=ISUA%204.50&u={C3357C5B-2B29-49AC-AAC5-C3B0BA784826}&l=1031&K=ZCE9CB0A8BEBCF7FFBEAC87386E8B978FC9BC978F59FCF0EFCEAC90BFE9CBD09889DC708FDEAC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programme\BAE\BAE.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdmcks.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Programme\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "D:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Programme\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - D:\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - D:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - d:\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Programme\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - D:\MySQL.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - D:\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: OfficeScan Control Manager Agent (OfficeScanCMAgent) - Trend Micro Inc. - D:\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe
O23 - Service: OfficeScan Active Directory Integration Service (OSCEIntegrationService) - Unknown owner - D:\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Sandboxie\SbieSvc.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOKUME~1\HARALD~1\LOKALE~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: Trend Micro Smart Scan Server (TMiCRCScanService) - Trend Micro Inc. - D:\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - D:\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12616 bytes

john.doe · 30.07.2009, 17:44

@Coverflow

Lies bitte => http://www.trojaner-board.de/452517-post17.html

ciao, andreas

Javaguru · 01.08.2009, 16:54

Ich nehme an, dass hier keine weitere Antwort mehr erfolgt?!

john.doe · 02.09.2009, 21:33

Doch. Du bist entlassen.

ciao, andreas

Javaguru · 03.09.2009, 04:38

Na dann:
Danke für die Hilfe.

TROJ_AUTORUN.JBK auf USB-Stick

Plagegeister aller Art und deren Bekämpfung: TROJ_AUTORUN.JBK auf USB-Stick