Log Analysis and Evaluation: Crash when running userinit.exe [Windows 7]
29.08.2009, 14:50 | #1

Crash when running userinit.exe

Hello everyone! Since recently my XP crashes after loading a user profile. The error occurs in userinit.exe. I then always have to start explorer.exe by hand via the Task Manager. After that IE crashes more often. System Restore only helps until the next boot; on the second boot it's the same mess again. Avira finds nothing in Safe Mode. CCleaner has also been run, so the registry has been cleaned. Do you perhaps see anything suspicious in the HijackThis file? I use an IBM ThinkPad T30.

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39:20, on 29.08.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\IMWEBSTA.EXE
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Surf\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8181
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: add to &BOM - C:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7626 bytes
```

Kind regards,
Jack
29.08.2009, 17:28 | #2
/// Winkelfunktion /// TB-Süch-Tiger™

Crash when running userinit.exe

Hello and

Code:
```
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
```

Make sure that all files are actually being displayed to you, then have the following files evaluated at Virustotal.com and post all results, in such a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:

Code:
```
C:\WINDOWS\system32\sdra64.exe
```

You can, for example, zip all the logfiles into one file, upload it to File-Upload.net and link it here, because 1. some logfiles are too big for the board and 2. I can then download them all at once with a single click.
29.08.2009, 19:49 | #3

Crash when running userinit.exe

Hello

Here's the beginning for now; the rest of the to-do list follows:

Virustotal
The 128 kB file cannot be uploaded: 0 bytes size received / Se ha recibido un archivo vacio
When I try to create a copy of the file on my desktop, I get the error message that the file is in use.
29.08.2009, 21:28 | #4

Crash when running userinit.exe

...a Trojan....strange thing....and yet 98% of the time I'm on the Internet with restricted user rights. And every now and then you just have to go online as admin to fetch updates... ...on we go....

Malwarebytes Anti-Malware
Code:
```
Malwarebytes' Anti-Malware 1.40
Datenbank Version: 2713
Windows 5.1.2600 Service Pack 2

29.08.2009 22:15:17
mbam-log-2009-08-29 (22-15-17).txt

Scan-Methode: Vollständiger Scan (C:\|E:\|F:\|)
Durchsuchte Objekte: 175252
Laufzeit: 1 hour(s), 18 minute(s), 40 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 3
Infizierte Verzeichnisse: 1
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Infizierte Dateien:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
```
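A small log triage helper for the UserInit indicator that Winkelfunktion singles out in post #2 and that the Malwarebytes log above confirms as a Winlogon\Userinit hijack; it is an added example, not code from this thread or from HijackThis or Malwarebytes. It parses HijackThis-style entry lines, splits the F2 UserInit value into its comma-separated launch entries and flags every entry that is not the genuine userinit.exe. The sample log is constructed from lines posted in this thread; the function names are chosen here.

```python
import re

# Constructed sample modelled on the HijackThis lines posted in this thread.
# The interesting line is F2: a second executable appended to UserInit.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8181
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

# HijackThis entry lines start with a type code (R0, R1, F2, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
USERINIT_RE = re.compile(r"^REG:system\.ini:\s*UserInit=(?P<value>.*)$", re.IGNORECASE)


def parse_hjt(text):
    """Group every HijackThis entry line by its type code: {'F2': [...], 'O4': [...]}."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.setdefault(match.group("code"), []).append(match.group("body"))
    return entries


def split_userinit(value):
    """Split a Userinit value into its launch entries.

    Winlogon runs every comma-separated program in this value at logon, so the
    trailing comma and any surrounding quotes are noise and are dropped.
    """
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def is_expected_userinit(item):
    """True only for the genuine userinit.exe: the bare name (the 'Good' value
    in the Malwarebytes log) or a path whose directory is a system32 folder."""
    norm = item.replace("/", "\\").lower()
    if "\\" not in norm:
        return norm == "userinit.exe"
    directory, base = norm.rsplit("\\", 1)
    return base == "userinit.exe" and directory.endswith("\\system32")


def check_userinit(entries):
    """Return every UserInit launch entry that is not the genuine userinit.exe.

    An empty list means no unexpected program is launched from this value.
    """
    findings = []
    for body in entries.get("F2", []):
        match = USERINIT_RE.match(body)
        if not match:
            continue
        for item in split_userinit(match.group("value")):
            if not is_expected_userinit(item):
                findings.append(item)
    return findings


if __name__ == "__main__":
    for item in check_userinit(parse_hjt(SAMPLE_LOG)):
        print("UserInit launches an unexpected program:", item)
```

On the sample the only finding is C:\WINDOWS\system32\sdra64.exe, exactly the file the helper asks to have checked.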
29.08.2009, 21:30 | #5

Crash when running userinit.exe

Et voilà, RSIT
Code:
```
Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2009-08-29 22:19:39
Microsoft Windows XP Professional Service Pack 2
System drive C: has 52 GB (54%) free of 95 GB
Total RAM: 1023 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:04, on 29.08.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\IMWEBSTA.EXE
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Admin\Desktop\RSIT.exe
C:\Dokumente und Einstellungen\Surf\Desktop\Admin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8181
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: add to &BOM - C:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7547 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{15EE8390-F83A-4BB6-8E2A-9E8954B0C477}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Programme\Synaptics\SynTP\SynTPLpr.exe [2007-08-10 110592]
"SynTPEnh"=C:\Programme\Synaptics\SynTP\SynTPEnh.exe [2007-08-10 512000]
"ATIPTA"=C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe [2006-11-16 344064]
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2007-04-27 243248]
"TPHOTKEY"=C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe [2006-10-02 94208]
"TP4EX"=C:\WINDOWS\system32\tp4ex.exe [2005-10-17 65536]
"SoundMAX"=C:\Programme\Analog Devices\SoundMAX\Smax4.exe [2004-08-06 860160]
"IMWEBSTA.EXE"=IMWEBSTA.EXE START []
"TVT Scheduler Proxy"=C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe [2007-08-01 540672]
"LanguageShortcut"=C:\Programme\CyberLink\PowerDVD\Language\Language.exe [2006-04-13 49152]
"avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-17 266497]
"Adobe Reader Speed Launcher"=C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"SunJavaUpdateSched"=C:\Programme\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\QTTask.exe [2007-10-19 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe [2004-04-01 1368064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~1\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-11-16 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\WINDOWS\system32\notifyf2.dll [2005-07-05 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\WINDOWS\system32\tphklock.dll [2005-11-30 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-08-07 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-08-07 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe"="C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe:*:Enabled:Privoxy"
"C:\Programme\Vidalia Bundle\Tor\tor.exe"="C:\Programme\Vidalia Bundle\Tor\tor.exe:*:Enabled:Tor"
"C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe"="C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe:*:Enabled:Vidalia"
"C:\Programme\mIRC\mirc.exe"="C:\Programme\mIRC\mirc.exe:*:Enabled:mIRC"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52563300-9dd0-11dc-9740-000d601254e2}]
shell\AutoRun\command - E:\TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "myusb"
shell\dismount\command - E:\TrueCrypt\TrueCrypt.exe /q /d
shell\start\command - E:\TrueCrypt\TrueCrypt.exe

======List of files/folders created in the last 1 months======

2009-08-29 21:46:06 ----D---- C:\rsit
2009-08-29 20:51:59 ----D---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Malwarebytes
2009-08-29 20:51:51 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-08-29 20:51:50 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2009-08-29 11:45:35 ----D---- C:\Programme\CCleaner
2009-08-28 22:15:31 ----A---- C:\WINDOWS\system32\cgwxrtydb.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vrptnhaoi.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vkghgytv.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\rwwtrtypi.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\qdke.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\pvmxiayjh.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kjpjrxytr.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kjkuzecdz.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kewlsuyxs.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kewlrvyji.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kapehtcvr.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kamjhuflb.exe
2009-08-26 21:06:19 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-26 21:02:28 ----D---- C:\Programme\Registry Cleaner
2009-08-26 17:29:15 ----A---- C:\WINDOWS\system32\wkbodxrtn.exe
2009-08-26 17:29:15 ----A---- C:\WINDOWS\system32\plmecyf.exe
2009-08-26 17:29:15 ----A---- C:\WINDOWS\system32\nlhivuy.exe
2009-08-26 17:29:15 ----A---- C:\WINDOWS\system32\iphitvvral.exe
2009-08-26 17:29:15 ----A---- C:\WINDOWS\system32\iiqnuztubm.exe
2009-08-22 15:57:25 ----D---- C:\Programme\af0.net
2009-08-17 09:37:59 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-08-16 20:47:33 ----D---- C:\WINDOWS\system32\XPSViewer
2009-08-16 20:47:27 ----D---- C:\Programme\MSBuild
2009-08-16 20:47:24 ----D---- C:\WINDOWS\system32\en-US
2009-08-16 20:47:14 ----D---- C:\Programme\Reference Assemblies
2009-08-16 20:46:40 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-08-16 20:46:40 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-08-16 20:46:39 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-08-16 20:46:39 ----D---- C:\8c405b5565b668b722d68efb5e
2009-08-16 20:46:16 ----D---- C:\WINDOWS\SxsCaPendDel
2009-08-16 20:42:33 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
2009-08-16 12:48:04 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-13 17:49:09 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-13 17:48:23 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-13 17:47:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2009-08-13 00:32:39 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-13 00:32:30 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-13 00:32:21 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-13 00:29:56 ----D---- C:\WINDOWS\ServicePackFiles
2009-08-13 00:29:51 ----HDC---- C:\WINDOWS\$NtUninstallKB958470$
2009-08-13 00:29:37 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-13 00:29:11 ----HDC---- C:\WINDOWS\$NtUninstallKB971032$

======List of files/folders modified in the last 1 months======

2009-08-29 22:18:16 ----D---- C:\WINDOWS\Temp
2009-08-29 22:18:09 ----D---- C:\WINDOWS
2009-08-29 22:17:23 ----RD---- C:\Programme
2009-08-29 22:17:23 ----D---- C:\WINDOWS\system32\drivers
2009-08-29 22:17:23 ----D---- C:\WINDOWS\system32
2009-08-29 22:16:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-29 22:16:23 ----D---- C:\WINDOWS\Prefetch
2009-08-29 21:02:29 ----SD---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft
2009-08-29 21:01:56 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-29 11:50:38 ----D---- C:\WINDOWS\Minidump
2009-08-29 11:50:38 ----D---- C:\WINDOWS\Debug
2009-08-28 22:19:43 ----SHD---- C:\WINDOWS\Installer
2009-08-28 22:19:43 ----SHD---- C:\Config.Msi
2009-08-27 22:50:09 ----D---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla
2009-08-27 22:33:30 ----SD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft
2009-08-27 22:10:18 ----D---- C:\WINDOWS\inf
2009-08-27 22:10:10 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-27 20:09:50 ----D---- C:\WINDOWS\system32\config
2009-08-27 20:09:28 ----D---- C:\WINDOWS\system32\wbem
2009-08-27 20:09:27 ----D---- C:\WINDOWS\Registration
2009-08-24 18:39:08 ----A---- C:\WINDOWS\win.ini
2009-08-24 18:39:07 ----A---- C:\WINDOWS\system.ini
2009-08-17 09:38:11 ----D---- C:\WINDOWS\system32\dllcache
2009-08-17 09:37:27 ----D---- C:\WINDOWS\$hf_mig$
2009-08-16 21:43:28 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-16 21:43:27 ----RSD---- C:\WINDOWS\assembly
2009-08-16 20:52:10 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-16 20:51:40 ----D---- C:\WINDOWS\WinSxS
2009-08-16 20:47:22 ----RSD---- C:\WINDOWS\Fonts
2009-08-16 20:46:53 ----D---- C:\WINDOWS\system32\spool
2009-08-13 17:44:39 ----D---- C:\WINDOWS\system32\Setup
2009-08-13 00:32:23 ----D---- C:\Programme\Outlook Express
2009-08-11 17:51:23 ----SD---- C:\WINDOWS\Tasks
2009-08-05 11:05:18 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-08-01 12:04:35 ----D---- C:\Programme\Registry System Wizard
2009-08-01 12:00:15 ----D---- C:\Programme\JAP
2009-07-30 02:49:14 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-05-27 75096]
R1 intelppm;Intel-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 40192]
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343]
R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\drivers\TPHKDRV.sys [2005-07-05 17699]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2007-05-03 188672]
R2 irda;IrDA-Protokoll; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-04 87424]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-04-07 116176]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-11-16 1133568]
R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 CmBatt;Microsoft-Netzteiltreiber; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 E100B;Intel(R) PRO-Adaptertreiber; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-18 117760]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]
R3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver; C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 648704]
R3 NSCIRDA;NSC-Infrarotgerätetreiber; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-04 28672]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-19 21376]
R3 Rasirda;WAN-Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-06-23 266880]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-08-10 177664]
R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-10-23 59264]
R3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2006-10-23 20608]
S1 SABKUTIL;SABKUTIL; \??\C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 ac97intc;Intel(r) 82801 Audiotreiber-Installationsdienst (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 SABProcEnum;SABProcEnum; \??\C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys []
S3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-08-07 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-08-07 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-23 68865]
R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-23 151297]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-11-16 364544]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]
R2 Irmon;Infrarotüberwachung; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Programme\CyberLink\Shared files\RichVideo.exe [2006-05-04 167936]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Programme\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 SUService;System Update; c:\programme\lenovo\system update\suservice.exe [2007-10-24 13312]
R2 TVT Scheduler;TVT Scheduler; C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe [2007-08-01 1126400]
S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization
```
Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104] S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632] S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664] S3 MSCSPTISRV;MSCSPTISRV; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe [2006-12-14 45056] S3 PACSPTISVR;PACSPTISVR; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe [2006-12-14 57344] S3 SonicStage Back-End Service;SonicStage Back-End Service; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SsBeSvc.exe [2007-02-05 112184] S3 SPTISRV;Sony SPTI Service; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe [2006-12-14 69632] S3 SSScsiSV;SonicStage SCSI Service; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe [2007-02-05 75320] S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096] -----------------EOF----------------- |
31.08.2009, 11:47 | #6
/// Winkelfunktion /// TB-Süch-Tiger™
Hi, I don't have that much time at the moment; I can go through the logs this evening.
31.08.2009, 17:48 | #7
/// Winkelfunktion /// TB-Süch-Tiger™
Right, please run ComboFix once. Read carefully and follow exactly!!!
ComboFix: a guide and tutorial on using ComboFix
Important! Please save combofix.exe via right-click, "Save target as", under the name smss.exe! Particularly persistent malware recognises a combofix.exe and would deliberately hide from it! But don't start the program yet; first do the following:
ComboFix may only be run when a forum helper has explicitly recommended it! Note: ComboFix disables the autorun function of all CD/DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread. Please post all logfiles enclosed in code tags (# button), i.e. like this:
[code] Paste the logfile here! [/code]
__________________
Please always post logfiles in CODE tags
19.09.2009, 20:25 | #8
So, here is the ComboFix log now; incidentally, userinit.exe hasn't crashed since the steps below. So my subjective feeling is good.... Code:
ComboFix 09-09-18.02 - Admin 19.09.2009 21:13.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.1023.503 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Admin\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.
((((((((((((((((((((((( Dateien erstellt von 2009-08-19 bis 2009-09-19 ))))))))))))))))))))))))))))))
.
2009-09-19 18:01 . 2009-09-19 18:01 -------- d-----w- c:\programme\trend micro
2009-09-12 11:17 . 2008-05-09 10:54 90112 ------w- c:\windows\system32\dllcache\wshext.dll
2009-09-12 11:17 . 2008-05-09 10:54 180224 ------w- c:\windows\system32\dllcache\scrobj.dll
2009-09-12 11:17 . 2008-05-09 10:54 172032 ------w- c:\windows\system32\dllcache\scrrun.dll
2009-09-12 11:17 . 2008-05-09 08:45 135168 ------w- c:\windows\system32\dllcache\cscript.exe
2009-09-12 11:17 . 2008-05-08 11:24 155648 ------w- c:\windows\system32\dllcache\wscript.exe
2009-09-11 20:53 . 2009-09-11 20:53 -------- d-----w- c:\windows\system32\bits
2009-09-09 21:38 . 2009-06-21 21:45 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-08-30 10:43 . 2009-08-30 10:43 -------- d-----w- c:\dokumente und einstellungen\Admin\DoctorWeb
2009-08-29 19:46 . 2009-08-29 19:46 -------- d-----w- C:\rsit
2009-08-29 19:02 . 2009-08-29 19:02 -------- d-----w- c:\dokumente und einstellungen\Admin\Lokale Einstellungen\Anwendungsdaten\Identities
2009-08-29 18:51 . 2009-08-29 18:51 -------- d-----w- c:\dokumente und einstellungen\Admin\Anwendungsdaten\Malwarebytes
2009-08-29 18:51 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 18:51 . 2009-08-29 18:51 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-08-29 18:51 . 2009-08-29 18:51 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2009-08-29 18:51 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 09:45 . 2009-08-29 09:45 -------- d-----w- c:\programme\CCleaner
2009-08-28 20:15 . 2009-08-28 20:15 58112 ----a-w- c:\windows\system32\cgwxrtydb.exe
2009-08-27 20:43 . 2009-08-27 20:43 58112 ----a-w- c:\windows\system32\wqwevttp.exe
2009-08-27 20:36 . 2009-08-27 20:36 58112 ----a-w- c:\windows\system32\wupdzeyji.exe
2009-08-27 18:09 . 2009-08-27 18:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-26 19:02 . 2009-08-27 18:08 -------- d-----w- c:\programme\Registry Cleaner
2009-08-26 15:29 . 2009-08-26 15:29 32639 ----a-w- c:\windows\system32\nlhivuy.exe
2009-08-23 19:16 . 2009-08-23 19:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-22 13:57 . 2009-08-22 13:57 -------- d-----w- c:\programme\af0.net
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 21:20 . 2004-08-04 12:00 84722 ----a-w- c:\windows\system32\perfc007.dat
2009-09-12 21:20 . 2004-08-04 12:00 459396 ----a-w- c:\windows\system32\perfh007.dat
2009-09-12 08:59 . 2008-04-17 05:32 18080 ----a-w- c:\dokumente und einstellungen\Surf\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-09-01 21:36 . 2009-06-01 15:31 92884 ----a-w- c:\dokumente und einstellungen\Surf\Lokale Einstellungen\Anwendungsdaten\temp.reg
2009-09-01 21:36 . 2009-06-01 15:31 88188 ----a-w- c:\dokumente und einstellungen\Surf\Lokale Einstellungen\Anwendungsdaten\IESetting.reg
2009-09-01 21:36 . 2009-06-01 15:31 2976 ----a-w- c:\dokumente und einstellungen\Surf\Lokale Einstellungen\Anwendungsdaten\Policies.reg
2009-09-01 21:36 . 2009-06-01 15:31 1724 ----a-w- c:\dokumente und einstellungen\Surf\Lokale Einstellungen\Anwendungsdaten\sLanguage.reg
2009-08-28 20:37 . 2007-09-17 18:21 17304 ----a-w- c:\dokumente und einstellungen\Admin\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-08-27 20:43 . 2009-08-27 20:43 58112 ----a-w- c:\windows\system32\vwvtotcua.exe
2009-08-27 20:36 . 2009-08-27 20:36 58112 ----a-w- c:\windows\system32\wqwehnfqr.exe
2009-08-16 18:47 . 2009-08-16 18:47 -------- d-----w- c:\programme\MSBuild
2009-08-16 18:47 . 2009-08-16 18:47 -------- d-----w- c:\programme\Reference Assemblies
2009-08-05 08:59 . 2004-08-04 12:00 206336 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 10:04 . 2008-08-30 20:00 -------- d-----w- c:\programme\Registry System Wizard
2009-08-01 10:00 . 2009-01-02 20:16 -------- d-----w- c:\programme\JAP
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2007-08-07 10:18 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 16:55 . 2007-08-07 10:20 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 18:34 . 2004-08-04 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:34 . 2004-08-04 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:34 . 2004-08-04 12:00 533504 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:34 . 2004-08-04 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:34 . 2004-08-04 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:34 . 2004-08-04 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:34 . 2004-08-04 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:34 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:34 . 2004-08-04 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:34 . 2004-08-04 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:34 . 2004-08-04 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:34 . 2004-08-04 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:25 . 2007-08-07 10:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2007-08-07 10:15 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2007-08-07 10:14 737792 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2007-08-07 10:14 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 11:49 . 2004-08-04 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-04 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-04 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
.
------- Sigcheck -------
[-] 2007-08-07 10:17 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"ATIPTA"="c:\programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-16 344064]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TVT Scheduler Proxy"="c:\programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe" [2007-08-01 540672]
"LanguageShortcut"="c:\programme\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2007-10-19 286720]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-16 65536]
"IMWEBSTA.EXE"="IMWEBSTA.EXE" - c:\windows\system32\IMWEBSTA.exe [2003-04-29 209920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 21:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 18:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Vidalia Bundle\\Privoxy\\privoxy.exe"=
"c:\\Programme\\Vidalia Bundle\\Tor\\tor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8181:TCP"= 8181:TCP:Tor

R3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;c:\windows\system32\drivers\IMWEBN51.sys [17.09.2007 21:30 648704]
S1 SABKUTIL;SABKUTIL;\??\c:\programme\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\programme\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - afyaauaw

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhalt des "geplante Tasks" Ordners

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-09-19 c:\windows\Tasks\User_Feed_Synchronization-{15EE8390-F83A-4BB6-8E2A-9E8954B0C477}.job
- c:\windows\system32\msfeedssync.exe [2007-08-07 03:31]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.spiegel.de/
uInternet Settings,ProxyServer = localhost:8181
IE: add to &BOM - c:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 21:17
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll

- - - - - - - > 'winlogon.exe'(2932)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Zeit der Fertigstellung: 2009-09-19 21:19
ComboFix-quarantined-files.txt 2009-09-19 19:19
ComboFix2.txt 2009-09-19 19:06

Vor Suchlauf: 13 Verzeichnis(se), 55.107.547.136 Bytes frei
Nach Suchlauf: 14 Verzeichnis(se), 55.100.485.632 Bytes frei

193 --- E O F --- 2009-09-12 20:37
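The helper's next step in this thread is to pick the random-named executables out of the log above and list them for deletion. The script below is an added example written for this page; it is not part of ComboFix, RSIT, The Avenger or the helper's procedure. It parses the "files created" lines of both ComboFix and RSIT (the two log formats posted in this thread) and applies two triage heuristics that make such droppers stand out: several executables of identical byte size in the same directory, and several executables written straight into system32 with the same creation second. The function names are hypothetical and SAMPLE_LOG is a constructed excerpt of lines taken from the logs in this thread; the heuristics point an analyst at files worth checking, they are not a verdict on their own.

```python
"""Triage helper for the "files created" lists in ComboFix and RSIT logs.

Added example for this thread (not part of ComboFix, RSIT or The Avenger).
Heuristics:
  * same_size_clusters: executables sharing directory and exact byte size
    (ComboFix lines carry the size; e.g. the 58112-byte files above);
  * same_second_bursts: executables dropped directly into system32 with an
    identical creation timestamp (RSIT lines carry no size, but the burst
    is visible; a hotfix writes older-stamped files into dllcache instead).
Function names and SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt: lines copied from the ComboFix and RSIT logs posted
# in this thread, plus the section headers both tools emit.
SAMPLE_LOG = r"""
((((((((((((((((((((((( Dateien erstellt von 2009-08-19 bis 2009-09-19 ))))))))))))))))))))))))))))))
.
2009-09-12 11:17 . 2008-05-09 08:45 135168 ------w- c:\windows\system32\dllcache\cscript.exe
2009-08-29 18:51 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 20:15 . 2009-08-28 20:15 58112 ----a-w- c:\windows\system32\cgwxrtydb.exe
2009-08-27 20:43 . 2009-08-27 20:43 58112 ----a-w- c:\windows\system32\wqwevttp.exe
2009-08-27 20:36 . 2009-08-27 20:36 58112 ----a-w- c:\windows\system32\wupdzeyji.exe
2009-08-26 15:29 . 2009-08-26 15:29 32639 ----a-w- c:\windows\system32\nlhivuy.exe
2009-08-22 13:57 . 2009-08-22 13:57 -------- d-----w- c:\programme\af0.net
======List of files/folders created in the last 1 months======
2009-09-19 20:52:23 ----A---- C:\WINDOWS\grep.exe
2009-08-29 11:45:35 ----D---- C:\Programme\CCleaner
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vjwirddob.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vjvive.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\suqxjdip.exe
2009-08-27 22:43:29 ----A---- C:\WINDOWS\system32\nvjfgblr.exe
"""


class Entry(NamedTuple):
    created: str          # "YYYY-MM-DD HH:MM" (ComboFix) or "...:SS" (RSIT)
    size: Optional[int]   # bytes; None for directories and for RSIT lines
    path: str


# ComboFix: "<created> . <modified> <size|--------> <attrs> <path>"
COMBOFIX_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>-{8}|\d+)\s+[-a-z]{8}\s+(?P<path>.+?)\s*$')
# RSIT: "<created with seconds> ----ATTR---- <path>"
RSIT_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -{4}[A-Z]+-{4} (?P<path>.+?)\s*$')


def parse_file_entries(text: str) -> List[Entry]:
    """Collect file/directory entries from either tool; headers, separator
    dots and anything that is not a file line are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMBOFIX_RE.match(line)
        if m:
            size = None if m['size'].startswith('-') else int(m['size'])
            entries.append(Entry(m['created'], size, m['path']))
            continue
        m = RSIT_RE.match(line)
        if m:
            entries.append(Entry(m['created'], None, m['path']))
    return entries


def _is_exe(e: Entry) -> bool:
    return e.path.lower().endswith('.exe')


def _parent(path: str) -> str:
    return path.lower().rsplit('\\', 1)[0]


def same_size_clusters(entries: List[Entry], min_count: int = 2) -> Dict[Tuple[str, int], List[str]]:
    """Executables that share a directory and an exact byte size."""
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for e in entries:
        if _is_exe(e) and e.size is not None:
            groups[(_parent(e.path), e.size)].append(e.path)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def same_second_bursts(entries: List[Entry], directory: str = r'c:\windows\system32',
                       min_count: int = 3) -> Dict[str, List[str]]:
    """Executables written directly into `directory` with the same stamp."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if _is_exe(e) and _parent(e.path) == directory.lower():
            groups[e.created].append(e.path)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def triage(text: str) -> Dict[str, List[str]]:
    """Run both heuristics and return {finding label: [paths]}."""
    entries = parse_file_entries(text)
    findings: Dict[str, List[str]] = {}
    for (d, size), paths in same_size_clusters(entries).items():
        findings[f'{len(paths)} executables of {size} bytes in {d}'] = paths
    for stamp, paths in same_second_bursts(entries).items():
        findings[f'{len(paths)} executables created at {stamp}'] = paths
    return findings


if __name__ == '__main__':
    for label, paths in triage(SAMPLE_LOG).items():
        print(label)
        for p in paths:
            print('    ', p)
```

Run against the full ComboFix log above, the size heuristic groups all five 58112-byte files; run against the RSIT "files created" list in the later post, the burst heuristic groups the files stamped 2009-08-27 22:36:04, 2009-08-27 22:43:30 and 2009-08-28 22:10:45. Anything the script flags still needs a look at the file itself (signature, strings, hash lookup) before it goes into a deletion script.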
20.09.2009, 15:29 | #9
/// Winkelfunktion /// TB-Süch-Tiger™
Please run The Avenger.
Preparations:
a) Disable the resident guard of your virus scanner.
b) Unplug all external storage media from the computer.
Then:
1.) Download Avenger from here: Swandog46's Public Anti-Malware Tools (download, on the left)
2.) Unpack the zip archive and run the file "avenger.exe" (under Vista via right-click => Run as administrator). Set the checkboxes as shown in the picture:
3.) Copy exactly the lines from the following code box:
Code:
files to delete:
c:\windows\system32\cgwxrtydb.exe
c:\windows\system32\wqwevttp.exe
c:\windows\system32\wupdzeyji.exe
c:\windows\system32\nlhivuy.exe
c:\windows\system32\vwvtotcua.exe
c:\windows\system32\wqwehnfqr.exe
C:\WINDOWS\system32\vrptnhaoi.exe
C:\WINDOWS\system32\vkghgytv.exe
C:\WINDOWS\system32\rwwtrtypi.exe
C:\WINDOWS\system32\qdke.exe
C:\WINDOWS\system32\pvmxiayjh.exe
C:\WINDOWS\system32\kjpjrxytr.exe
C:\WINDOWS\system32\kjkuzecdz.exe
C:\WINDOWS\system32\kewlsuyxs.exe
C:\WINDOWS\system32\kewlrvyji.exe
C:\WINDOWS\system32\kapehtcvr.exe
C:\WINDOWS\system32\kamjhuflb.exe
C:\WINDOWS\system32\wkbodxrtn.exe
C:\WINDOWS\system32\plmecyf.exe
C:\WINDOWS\system32\nlhivuy.exe
C:\WINDOWS\system32\iphitvvral.exe
C:\WINDOWS\system32\iiqnuztubm.exe

folders to delete:
c:\programme\af0.net

5.) The code text from my post should now appear under "Input Script here" in "The Avenger".
6.) If so, click "Execute" at the bottom right. Confirm the next prompt with "Yes", and likewise the question about "Reboot now" (system restart).
7.) After the restart, an Avenger logfile will be displayed. Copy its contents and post it here.
20.09.2009, 18:14 | #10
Many thanks for the help so far! Here now the result from Avenger: Code:
Error: file "C:\WINDOWS\system32\kewlrvyji.exe" not found!
Deletion of file "C:\WINDOWS\system32\kewlrvyji.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\WINDOWS\system32\kapehtcvr.exe" not found!
Deletion of file "C:\WINDOWS\system32\kapehtcvr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\kamjhuflb.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\wkbodxrtn.exe" not found!
Deletion of file "C:\WINDOWS\system32\wkbodxrtn.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\WINDOWS\system32\plmecyf.exe" not found!
Deletion of file "C:\WINDOWS\system32\plmecyf.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\WINDOWS\system32\nlhivuy.exe" not found!
Deletion of file "C:\WINDOWS\system32\nlhivuy.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\WINDOWS\system32\iphitvvral.exe" not found!
Deletion of file "C:\WINDOWS\system32\iphitvvral.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\WINDOWS\system32\iiqnuztubm.exe" not found!
Deletion of file "C:\WINDOWS\system32\iiqnuztubm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Folder "c:\programme\af0.net" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
21.09.2009, 18:49 | #12
Part 2: Code:
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{15EE8390-F83A-4BB6-8E2A-9E8954B0C477}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Programme\Synaptics\SynTP\SynTPLpr.exe [2007-08-10 110592]
"SynTPEnh"=C:\Programme\Synaptics\SynTP\SynTPEnh.exe [2007-08-10 512000]
"ATIPTA"=C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe [2006-11-16 344064]
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2007-04-27 243248]
"TPHOTKEY"=C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe [2006-10-02 94208]
"TP4EX"=C:\WINDOWS\system32\tp4ex.exe [2005-10-17 65536]
"IMWEBSTA.EXE"=IMWEBSTA.EXE START []
"TVT Scheduler Proxy"=C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe [2007-08-01 540672]
"LanguageShortcut"=C:\Programme\CyberLink\PowerDVD\Language\Language.exe [2006-04-13 49152]
"avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-17 266497]
"Adobe Reader Speed Launcher"=C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"SunJavaUpdateSched"=C:\Programme\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"QuickTime Task"=C:\Programme\QuickTime\qttask.exe [2007-10-19 286720]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\QTTask.exe [2007-10-19 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe [2004-04-01 1368064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~1\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-11-16 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\WINDOWS\system32\notifyf2.dll [2005-07-05 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\WINDOWS\system32\tphklock.dll [2005-11-30 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-08-07 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-08-07 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe"="C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe:*:Enabled:Privoxy"
"C:\Programme\Vidalia Bundle\Tor\tor.exe"="C:\Programme\Vidalia Bundle\Tor\tor.exe:*:Enabled:Tor"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52563300-9dd0-11dc-9740-000d601254e2}]
shell\AutoRun\command - E:\TrueCrypt\TrueCrypt.exe /q background /e /m rm /v "myusb"
shell\dismount\command - E:\TrueCrypt\TrueCrypt.exe /q /d
shell\start\command - E:\TrueCrypt\TrueCrypt.exe

======List of files/folders created in the last 1 months======

2009-09-20 19:44:49 ----D---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\InstallShield
2009-09-20 19:10:28 ----D---- C:\Avenger
2009-09-20 19:10:28 ----A---- C:\avenger.txt
2009-09-20 19:09:16 ----SHD---- C:\RECYCLER
2009-09-19 21:19:53 ----D---- C:\WINDOWS\temp
2009-09-19 21:19:50 ----A---- C:\ComboFix.txt
2009-09-19 20:52:23 ----A---- C:\WINDOWS\zip.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\SWSC.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\SWREG.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\sed.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\PEV.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\NIRCMD.exe
2009-09-19 20:52:23 ----A---- C:\WINDOWS\grep.exe
2009-09-19 20:51:59 ----D---- C:\WINDOWS\ERDNT
2009-09-19 20:49:51 ----D---- C:\Qoobox
2009-09-19 20:01:11 ----D---- C:\Programme\trend micro
2009-09-12 22:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-09-12 22:37:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-09-12 22:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-09-12 22:36:37 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-09-12 11:01:07 ----A---- C:\WINDOWS\OEWABLog.txt
2009-09-11 23:09:00 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-09-11 23:08:50 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-09-11 23:08:40 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-09-11 23:08:29 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-09-11 23:08:13 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-09-11 23:08:02 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-09-11 23:07:50 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-09-11 23:07:38 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-09-11 23:07:22 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-09-11 23:07:07 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-09-11 23:06:48 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-09-11 23:06:37 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-09-11 23:06:26 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-09-11 23:06:15 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-09-11 23:05:50 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-09-11 23:05:38 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-09-11 23:05:26 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-09-11 23:05:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-09-11 23:05:00 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-09-11 23:04:49 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-09-11 23:04:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-09-11 23:04:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-09-11 23:04:15 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-09-11 23:04:06 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-09-11 23:03:56 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-09-11 23:03:46 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-09-11 23:03:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-09-11 23:03:22 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-09-11 23:03:03 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-09-11 23:02:42 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-09-11 23:02:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-09-11 23:02:21 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-09-11 23:02:08 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-09-11 23:01:56 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-09-11 23:01:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-09-11 23:01:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-09-11 23:01:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-09-11 23:01:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-09-11 23:00:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-09-11 23:00:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-09-11 23:00:31 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-09-11 23:00:21 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-09-11 23:00:09 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-09-11 23:00:00 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-09-11 22:59:48 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-09-11 22:55:21 ----A---- C:\WINDOWS\setuplog.txt
2009-09-11 22:53:13 ----D---- C:\WINDOWS\system32\bits
2009-09-11 22:38:00 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-09-10 00:22:12 ----HDC---- C:\WINDOWS\$NtUninstallKB956844_0$
2009-09-10 00:22:04 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-09-10 00:21:59 ----A---- C:\WINDOWS\imsins.BAK
2009-08-30 12:39:54 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-29 21:46:06 ----D---- C:\rsit
2009-08-29 20:51:59 ----D---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Malwarebytes
2009-08-29 20:51:51 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-08-29 20:51:50 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2009-08-29 11:45:35 ----D---- C:\Programme\CCleaner
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vjwirddob.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vjvive.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\suqxjdip.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\rngevfyo.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\qwqxra.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\quserh.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\qsudjf.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\qkrfptis.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\pqvtvtdu.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\kmperc.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\jzwhkx.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\jvvhkbxoy.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\jsuxkcak.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\jsuigl.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\jqjyglfu.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\uzutjdtst.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\uozdrcywa.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\sujymbdk.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\oqwdwexqi.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\oooygabg.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\okoima.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\noofmytz.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\mqqhmahn.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\kwrcmccwl.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\komtja.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\jurioxbwa.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\gontghdk.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\gjqtne.exe
2009-08-27 22:43:29 ----A---- C:\WINDOWS\system32\nvjfgblr.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\wnmjzaytb.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\wjkvhlyei.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\puwvijcjr.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\pumobofqh.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\pukjzqclz.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\pqpvroyer.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\pgpjijytb.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\pdkeivfos.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\mvmtzlfxr.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\mtwobuclb.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\mlpehqfxr.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\mlmniacez.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\mjmobuclb.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\mjmdixfoi.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\memuhxces.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kxwornyuz.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kvmehvcuz.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kupqrxfqs.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\ktwesxfnb.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kqptrayuz.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kopvhayjz.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\knwviacar.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kjwnrnfqs.exe
2009-08-27 22:36:04 ----A---- C:\WINDOWS\system32\kjptivftb.exe
2009-08-26 21:06:19 ----HDC----
C:\WINDOWS\$NtUninstallKB970653-v3$ 2009-08-26 21:02:28 ----D---- C:\Programme\Registry Cleaner ======List of files/folders modified in the last 1 months====== 2009-09-21 19:37:21 ----D---- C:\WINDOWS\Prefetch 2009-09-21 19:21:08 ----D---- C:\WINDOWS 2009-09-21 17:57:42 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-09-20 21:13:25 ----D---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla 2009-09-20 19:10:30 ----RD---- C:\Programme 2009-09-20 19:10:29 ----D---- C:\WINDOWS\system32 2009-09-20 19:10:28 ----D---- C:\WINDOWS\system32\drivers 2009-09-19 21:17:52 ----A---- C:\WINDOWS\system.ini 2009-09-19 21:15:56 ----D---- C:\WINDOWS\AppPatch 2009-09-19 21:15:52 ----D---- C:\Programme\Gemeinsame Dateien 2009-09-19 21:12:40 ----D---- C:\WINDOWS\system32\CatRoot2 2009-09-19 21:00:33 ----SHD---- C:\WINDOWS\Installer 2009-09-12 23:20:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2009-09-12 23:13:13 ----D---- C:\Config.Msi 2009-09-12 22:37:24 ----D---- C:\WINDOWS\inf 2009-09-12 22:37:22 ----D---- C:\WINDOWS\system32\dllcache 2009-09-12 22:37:15 ----D---- C:\WINDOWS\$hf_mig$ 2009-09-12 22:36:55 ----D---- C:\WINDOWS\WinSxS 2009-09-12 22:35:49 ----SD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft 2009-09-12 11:00:27 ----D---- C:\WINDOWS\Debug 2009-09-12 10:56:47 ----D---- C:\WINDOWS\system32\Setup 2009-09-12 10:56:47 ----D---- C:\Programme\Messenger 2009-09-12 10:56:46 ----D---- C:\WINDOWS\system32\wbem 2009-09-12 10:56:44 ----RSD---- C:\WINDOWS\Fonts 2009-09-11 23:09:21 ----D---- C:\WINDOWS\system32\CatRoot 2009-09-11 23:08:31 ----D---- C:\Programme\Outlook Express 2009-09-11 22:59:23 ----D---- C:\WINDOWS\security 2009-09-11 22:54:08 ----D---- C:\WINDOWS\ehome 2009-09-11 22:54:06 ----D---- C:\WINDOWS\system32\inetsrv 2009-09-11 22:54:05 ----D---- C:\WINDOWS\network diagnostic 2009-09-11 22:54:05 ----D---- C:\WINDOWS\ime 2009-09-11 22:54:05 ----D---- C:\WINDOWS\Help 2009-09-11 22:53:19 ----D---- C:\WINDOWS\system32\de-de 2009-09-11 22:53:18 
----D---- C:\WINDOWS\system32\usmt 2009-09-11 22:53:15 ----D---- C:\WINDOWS\l2schemas 2009-09-11 22:53:14 ----D---- C:\WINDOWS\system32\de 2009-09-11 22:53:13 ----D---- C:\WINDOWS\PeerNet 2009-09-11 22:53:13 ----D---- C:\Programme\Movie Maker 2009-09-11 22:49:04 ----D---- C:\WINDOWS\ServicePackFiles 2009-09-11 22:48:41 ----D---- C:\WINDOWS\system32\Restore 2009-09-11 22:48:40 ----D---- C:\WINDOWS\system32\npp 2009-09-11 22:48:37 ----D---- C:\WINDOWS\msagent 2009-09-11 22:48:35 ----D---- C:\WINDOWS\srchasst 2009-09-11 22:48:33 ----D---- C:\Programme\NetMeeting 2009-09-11 22:48:30 ----D---- C:\WINDOWS\system32\Com 2009-09-11 22:48:25 ----D---- C:\Programme\Windows Media Player 2009-09-11 22:48:24 ----D---- C:\Programme\Windows NT 2009-09-11 22:48:18 ----D---- C:\Programme\Gemeinsame Dateien\System 2009-09-11 22:47:51 ----D---- C:\WINDOWS\system32\oobe 2009-09-11 22:47:46 ----D---- C:\WINDOWS\system 2009-09-11 22:42:30 ----D---- C:\WINDOWS\system32\ReinstallBackups 2009-09-03 19:49:02 ----D---- C:\WINDOWS\Microsoft.NET 2009-08-29 21:02:29 ----SD---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft 2009-08-29 11:50:38 ----D---- C:\WINDOWS\Minidump 2009-08-28 23:38:20 ----A---- C:\WINDOWS\system32\MRT.exe 2009-08-27 20:09:50 ----D---- C:\WINDOWS\system32\config 2009-08-27 20:09:27 ----D---- C:\WINDOWS\Registration 2009-08-24 18:39:08 ----A---- C:\WINDOWS\win.ini ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys [] R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-05-27 75096] R1 intelppm;Intel-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40448] R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848] R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248] R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343] R1 
TPHKDRV;TPHKDRV; C:\WINDOWS\system32\drivers\TPHKDRV.sys [2005-07-05 17699] R2 irda;IrDA-Protokoll; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192] R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-04-07 116176] R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-11-16 1133568] R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys [] R3 CmBatt;Microsoft-Netzteiltreiber; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952] R3 E100B;Intel(R) PRO-Adaptertreiber; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-18 117760] R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424] R3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver; C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 648704] R3 NSCIRDA;NSC-Infrarotgerätetreiber; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-13 28672] R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-19 21376] R3 Rasirda;WAN-Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584] R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-06-23 266880] R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-08-10 177664] R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608] S1 SABKUTIL;SABKUTIL; \??\C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [] S3 ac97intc;Intel(r) 82801 Audiotreiber-Installationsdienst (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256] S3 catchme;catchme; \??\C:\DOKUME~1\Admin\LOKALE~1\Temp\catchme.sys [] S3 SABProcEnum;SABProcEnum; \??\C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys [] S3 
usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-08-07 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-08-07 82944] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-23 68865] R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-23 151297] R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-11-16 364544] R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400] R2 Irmon;Infrarotüberwachung; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-03-09 152984] R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Programme\CyberLink\Shared files\RichVideo.exe [2006-05-04 167936] R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Programme\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056] R2 SUService;System Update; c:\programme\lenovo\system update\suservice.exe [2007-10-24 13312] R2 TVT Scheduler;TVT Scheduler; C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe [2007-08-01 1126400] S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; 
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104] S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632] S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664] S3 MSCSPTISRV;MSCSPTISRV; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe [2006-12-14 45056] S3 PACSPTISVR;PACSPTISVR; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe [2006-12-14 57344] S3 SonicStage Back-End Service;SonicStage Back-End Service; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SsBeSvc.exe [2007-02-05 112184] S3 SPTISRV;Sony SPTI Service; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe [2006-12-14 69632] S3 SSScsiSV;SonicStage SCSI Service; C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe [2007-02-05 75320] S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096] -----------------EOF----------------- |
21.09.2009, 18:54 | #13 | |
| Crash when running userinit.exe
Hey hello! :-) Below is the RSIT logfile. Should I scan/post with anything else? Something is still not right. Yesterday my Avira reported the following events:
Code:
In der Datei 'C:\System Volume Information\_restore{D133078A-318B-4396-AD36-B31996161C7B}\RP894\A0087405.exe' wurde ein Virus oder unerwünschtes Programm 'TR/Spy.Bebloh.A.12' [trojan] gefunden.
In der Datei 'C:\System Volume Information\_restore{D133078A-318B-4396-AD36-B31996161C7B}\RP894\A0087399.exe' wurde ein Virus oder unerwünschtes Programm 'TR/Spy.Bebloh.A.12' [trojan] gefunden.
In der Datei 'C:\System Volume Information\_restore{D133078A-318B-4396-AD36-B31996161C7B}\RP893\A0087094.exe' wurde ein Virus oder unerwünschtes Programm 'TR/PCK.Krap.W.894' [trojan] gefunden.

Part 1
Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2009-09-21 19:38:33
Microsoft Windows XP Professional Service Pack 3
System drive C: has 52 GB (54%) free of 95 GB
Total RAM: 1023 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:39, on 21.09.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\IMWEBSTA.EXE
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Dokumente und Einstellungen\Admin\Desktop\RSIT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\trend micro\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8181
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: add to &BOM - C:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe

--
End of file - 6838 bytes

======Scheduled tasks folder======
|
21.09.2009, 19:14 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Crash when running userinit.exe
1.) Disable System Restore. In the course of the infection, malware files were also saved into restore points; those are all unusable now, since rolling the system back to a restore point would most likely bring the infection back.
2.) Please run the Avenger again as described above, but this time use the text in the code box below. Careful, it's a looong list.
Code:
files to delete:
C:\WINDOWS\system32\vjwirddob.exe
C:\WINDOWS\system32\vjvive.exe
C:\WINDOWS\system32\suqxjdip.exe
C:\WINDOWS\system32\rngevfyo.exe
C:\WINDOWS\system32\qwqxra.exe
C:\WINDOWS\system32\quserh.exe
C:\WINDOWS\system32\qsudjf.exe
C:\WINDOWS\system32\qkrfptis.exe
C:\WINDOWS\system32\pqvtvtdu.exe
C:\WINDOWS\system32\kmperc.exe
C:\WINDOWS\system32\jzwhkx.exe
C:\WINDOWS\system32\jvvhkbxoy.exe
C:\WINDOWS\system32\jsuxkcak.exe
C:\WINDOWS\system32\jsuigl.exe
C:\WINDOWS\system32\jqjyglfu.exe
C:\WINDOWS\system32\uzutjdtst.exe
C:\WINDOWS\system32\uozdrcywa.exe
C:\WINDOWS\system32\sujymbdk.exe
C:\WINDOWS\system32\oqwdwexqi.exe
C:\WINDOWS\system32\oooygabg.exe
C:\WINDOWS\system32\okoima.exe
C:\WINDOWS\system32\noofmytz.exe
C:\WINDOWS\system32\mqqhmahn.exe
C:\WINDOWS\system32\kwrcmccwl.exe
C:\WINDOWS\system32\komtja.exe
C:\WINDOWS\system32\jurioxbwa.exe
C:\WINDOWS\system32\gontghdk.exe
C:\WINDOWS\system32\gjqtne.exe
C:\WINDOWS\system32\nvjfgblr.exe
C:\WINDOWS\system32\wnmjzaytb.exe
C:\WINDOWS\system32\wjkvhlyei.exe
C:\WINDOWS\system32\puwvijcjr.exe
C:\WINDOWS\system32\pumobofqh.exe
C:\WINDOWS\system32\pukjzqclz.exe
C:\WINDOWS\system32\pqpvroyer.exe
C:\WINDOWS\system32\pgpjijytb.exe
C:\WINDOWS\system32\pdkeivfos.exe
C:\WINDOWS\system32\mvmtzlfxr.exe
C:\WINDOWS\system32\mtwobuclb.exe
C:\WINDOWS\system32\mlpehqfxr.exe
C:\WINDOWS\system32\mlmniacez.exe
C:\WINDOWS\system32\mjmobuclb.exe
C:\WINDOWS\system32\mjmdixfoi.exe
C:\WINDOWS\system32\memuhxces.exe
C:\WINDOWS\system32\kxwornyuz.exe
C:\WINDOWS\system32\kvmehvcuz.exe
C:\WINDOWS\system32\kupqrxfqs.exe
C:\WINDOWS\system32\ktwesxfnb.exe
C:\WINDOWS\system32\kqptrayuz.exe
C:\WINDOWS\system32\kopvhayjz.exe
C:\WINDOWS\system32\knwviacar.exe
C:\WINDOWS\system32\kjwnrnfqs.exe
C:\WINDOWS\system32\kjptivftb.exe
__________________
Please always post logfiles in CODE tags |
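The helper built the list above by reading the RSIT "files created" section for bursts of randomly named executables that landed in system32 within the same second or two. The following triage script is an added example, not code from the thread, from RSIT or from The Avenger: it parses entries in the RSIT line format, clusters them by creation time (merging drops that straddle a second boundary, as the 22:43:29/22:43:30 entries do) and renders flagged paths in the same "files to delete:" block format. The sample log lines and the random-name heuristic are constructed for this example.

```python
"""Triage helper for RSIT 'files created in the last month' listings.

Added example, not code from the thread, RSIT or The Avenger. It parses RSIT
entries (timestamp, attribute flags, path; one per line or run together),
clusters them by creation time, flags bursts of randomly named .exe files
dropped into system32 within a couple of seconds, and renders the flagged
paths as the 'files to delete:' block the helper's Avenger script uses. The
sample log and the name heuristic are constructed; the output is a triage
aid, not a verdict.
"""
import ntpath
import re
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "when attrs path")

# One RSIT entry; the path runs lazily up to the next timestamp (flattened
# input, as in the forum dump) or to the end of the line.
ENTRY_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(-+[A-Z]*-+)\s+"
    r"(.+?)(?=\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+-|\s*$)",
    re.MULTILINE,
)

# Constructed sample: benign entries (update uninstall folder, notepad.exe,
# MRT.exe, a Malwarebytes folder) plus two bursts of random-looking .exe
# files, one of which straddles a second boundary (22:43:29 / 22:43:30).
SAMPLE_LOG = r"""
2009-09-12 10:56:47 ----A---- C:\WINDOWS\system32\notepad.exe
2009-09-11 23:05:00 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-08-29 20:51:50 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2009-08-28 23:38:20 ----A---- C:\WINDOWS\system32\MRT.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vjwirddob.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\vjvive.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\suqxjdip.exe
2009-08-28 22:10:45 ----A---- C:\WINDOWS\system32\rngevfyo.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\sujymbdk.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\okoima.exe
2009-08-27 22:43:30 ----A---- C:\WINDOWS\system32\komtja.exe
2009-08-27 22:43:29 ----A---- C:\WINDOWS\system32\nvjfgblr.exe
"""

def parse_entries(text):
    """Return an Entry for every RSIT file/folder line found in `text`."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, m.group(2).strip("-"), m.group(3)))
    return entries

def looks_random(stem):
    """Heuristic for generated names: 5-10 lowercase letters with a run of
    three consonants or a vowel share outside the 0.3-0.6 range of real words."""
    if not re.fullmatch(r"[a-z]{5,10}", stem):
        return False
    vowel_share = sum(c in "aeiou" for c in stem) / len(stem)
    return bool(re.search(r"[^aeiou]{3}", stem)) or not 0.3 <= vowel_share <= 0.6

def is_system32_exe(path):
    """True for an .exe located directly in a system32 directory."""
    head, tail = ntpath.split(path)
    return ntpath.basename(head).lower() == "system32" and tail.lower().endswith(".exe")

def cluster_by_time(entries, max_gap_seconds=2):
    """Group entries created within `max_gap_seconds` of the previous one."""
    clusters = []
    for entry in sorted(entries, key=lambda e: e.when):
        if clusters and (entry.when - clusters[-1][-1].when).total_seconds() <= max_gap_seconds:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters

def find_dropper_bursts(entries, min_random=3, max_gap_seconds=2):
    """One list of system32 .exe paths per burst holding at least `min_random`
    random-looking names; every .exe in the burst is reported, not only those
    the name heuristic caught, since the burst itself is the indicator."""
    bursts = []
    for cluster in cluster_by_time(entries, max_gap_seconds):
        exes = [e for e in cluster if is_system32_exe(e.path)]
        hits = sum(looks_random(ntpath.splitext(ntpath.basename(e.path))[0]) for e in exes)
        if hits >= min_random:
            bursts.append([e.path for e in exes])
    return bursts

def build_avenger_script(paths):
    """Render paths as the 'files to delete:' block The Avenger expects."""
    return "files to delete:\n" + "\n".join(paths) + "\n"

def triage(text):
    """Parse an RSIT listing; return the Avenger block, or '' when nothing is flagged."""
    paths = [p for burst in find_dropper_bursts(parse_entries(text)) for p in burst]
    return build_avenger_script(paths) if paths else ""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), end="")
```

Run against a real RSIT log the output is a starting point for review, since a legitimate bulk install can also create several executables in one second.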
22.09.2009, 19:38 | #15 |
| Crash when running userinit.exe
Hey hello! Should I have run Avenger in Safe Mode?? Right after the reboot and the creation of the logfile by Avenger, AntiVir Guard reported about 7-8 times:
Code:
In der Datei 'C:\Avenger\vjvive.exe' wurde ein Virus oder unerwünschtes Programm 'TR/Spy.Bebloh.A.12' [trojan] gefunden.
Ausgeführte Aktion: Datei löschen

Here is the Avenger log:
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\cgwxrtydb.exe" deleted successfully.
File "c:\windows\system32\wqwevttp.exe" deleted successfully.
File "c:\windows\system32\wupdzeyji.exe" deleted successfully.
File "c:\windows\system32\nlhivuy.exe" deleted successfully.
File "c:\windows\system32\vwvtotcua.exe" deleted successfully.
File "c:\windows\system32\wqwehnfqr.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\vrptnhaoi.exe" not found!
Deletion of file "C:\WINDOWS\system32\vrptnhaoi.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\vkghgytv.exe" deleted successfully.
File "C:\WINDOWS\system32\rwwtrtypi.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\qdke.exe" not found!
Deletion of file "C:\WINDOWS\system32\qdke.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\pvmxiayjh.exe" not found!
Deletion of file "C:\WINDOWS\system32\pvmxiayjh.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kjpjrxytr.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\kjkuzecdz.exe" not found!
Deletion of file "C:\WINDOWS\system32\kjkuzecdz.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kewlsuyxs.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\kewlrvyji.exe" not found!
Deletion of file "C:\WINDOWS\system32\kewlrvyji.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\kapehtcvr.exe" not found!
Deletion of file "C:\WINDOWS\system32\kapehtcvr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kamjhuflb.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\wkbodxrtn.exe" not found!
Deletion of file "C:\WINDOWS\system32\wkbodxrtn.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\plmecyf.exe" not found!
Deletion of file "C:\WINDOWS\system32\plmecyf.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\nlhivuy.exe" not found!
Deletion of file "C:\WINDOWS\system32\nlhivuy.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\iphitvvral.exe" not found!
Deletion of file "C:\WINDOWS\system32\iphitvvral.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\iiqnuztubm.exe" not found!
Deletion of file "C:\WINDOWS\system32\iiqnuztubm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\programme\af0.net" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Sep 22 20:24:05 2009

20:24:05: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\vjwirddob.exe" deleted successfully.
File "C:\WINDOWS\system32\vjvive.exe" deleted successfully.
File "C:\WINDOWS\system32\suqxjdip.exe" deleted successfully.
File "C:\WINDOWS\system32\rngevfyo.exe" deleted successfully.
File "C:\WINDOWS\system32\qwqxra.exe" deleted successfully.
File "C:\WINDOWS\system32\quserh.exe" deleted successfully.
File "C:\WINDOWS\system32\qsudjf.exe" deleted successfully.
File "C:\WINDOWS\system32\q
krfptis.exe" deleted successfully.
File "C:\WINDOWS\system32\pqvtvtdu.exe" deleted successfully.
File "C:\WINDOWS\system32\kmperc.exe" deleted successfully.
File "C:\WINDOWS\system32\jzwhkx.exe" deleted successfully.
File "C:\WINDOWS\system32\jvvhkbxoy.exe" deleted successfully.
File "C:\WINDOWS\system32\jsuxkcak.exe" deleted successfully.
File "C:\WINDOWS\system32\jsuigl.exe" deleted successfully.
File "C:\WINDOWS\system32\jqjyglfu.exe" deleted successfully.
File "C:\WINDOWS\system32\uzutjdtst.exe" deleted successfully.
File "C:\WINDOWS\system32\uozdrcywa.exe" deleted successfully.
File "C:\WINDOWS\system32\sujymbdk.exe" deleted successfully.
File "C:\WINDOWS\system32\oqwdwexqi.exe" deleted successfully.
File "C:\WINDOWS\system32\oooygabg.exe" deleted successfully.
File "C:\WINDOWS\system32\okoima.exe" deleted successfully.
File "C:\WINDOWS\system32\noofmytz.exe" deleted successfully.
File "C:\WINDOWS\system32\mqqhmahn.exe" deleted successfully.
File "C:\WINDOWS\system32\kwrcmccwl.exe" deleted successfully.
File "C:\WINDOWS\system32\komtja.exe" deleted successfully.
File "C:\WINDOWS\system32\jurioxbwa.exe" deleted successfully.
File "C:\WINDOWS\system32\gontghdk.exe" deleted successfully.
File "C:\WINDOWS\system32\gjqtne.exe" deleted successfully.
File "C:\WINDOWS\system32\nvjfgblr.exe" deleted successfully.
File "C:\WINDOWS\system32\wnmjzaytb.exe" deleted successfully.
File "C:\WINDOWS\system32\wjkvhlyei.exe" deleted successfully.
File "C:\WINDOWS\system32\puwvijcjr.exe" deleted successfully.
File "C:\WINDOWS\system32\pumobofqh.exe" deleted successfully.
File "C:\WINDOWS\system32\pukjzqclz.exe" deleted successfully.
File "C:\WINDOWS\system32\pqpvroyer.exe" deleted successfully.
File "C:\WINDOWS\system32\pgpjijytb.exe" deleted successfully.
File "C:\WINDOWS\system32\pdkeivfos.exe" deleted successfully.
File "C:\WINDOWS\system32\mvmtzlfxr.exe" deleted successfully.
File "C:\WINDOWS\system32\mtwobuclb.exe" deleted successfully.
File "C:\WINDOWS\system32\mlpehqfxr.exe" deleted successfully.
File "C:\WINDOWS\system32\mlmniacez.exe" deleted successfully.
File "C:\WINDOWS\system32\mjmobuclb.exe" deleted successfully.
File "C:\WINDOWS\system32\mjmdixfoi.exe" deleted successfully.
File "C:\WINDOWS\system32\memuhxces.exe" deleted successfully.
File "C:\WINDOWS\system32\kxwornyuz.exe" deleted successfully.
File "C:\WINDOWS\system32\kvmehvcuz.exe" deleted successfully.
File "C:\WINDOWS\system32\kupqrxfqs.exe" deleted successfully.
File "C:\WINDOWS\system32\ktwesxfnb.exe" deleted successfully.
File "C:\WINDOWS\system32\kqptrayuz.exe" deleted successfully.
File "C:\WINDOWS\system32\kopvhayjz.exe" deleted successfully.
File "C:\WINDOWS\system32\knwviacar.exe" deleted successfully.
File "C:\WINDOWS\system32\kjwnrnfqs.exe" deleted successfully.
File "C:\WINDOWS\system32\kjptivftb.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
|