Log analysis and evaluation: Please check log
10.10.2009, 13:07 | #16 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Maybe, maybe not. Please do the ComboFix step.
__________________ Please always post logfiles in CODE tags
10.10.2009, 13:14 | #17 |
ComboFix 09-10-08.04 - Alex 10.10.2009 13:59.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2046.1462 [GMT 2:00]
Running from:: c:\dokumente und einstellungen\Alex\Desktop\cofi.exe
Command switches used :: c:\dokumente und einstellungen\Alex\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((  Files created from 2009-09-10 to 2009-10-10  ))))))))))))))))))))))))))))))
.
2009-10-10 11:05 . 2009-10-10 11:12  --------  d-----w-  C:\cofi
2009-10-08 15:35 . 2009-10-08 15:35  --------  d-sh--w-  c:\windows\ftpcache
2009-10-04 11:42 . 2009-10-04 11:42  --------  d-----w-  c:\programme\WinSCP
2009-09-20 14:27 . 2008-10-16 12:06  268648    ----a-w-  c:\windows\system32\mucltui.dll
2009-09-20 09:37 . 2009-09-20 09:37  --------  d-----w-  c:\programme\Malwarebytes
2009-09-19 14:13 . 2009-09-19 14:13  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\Malwarebytes
2009-09-19 14:13 . 2009-09-19 14:13  --------  d-----w-  c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-09-19 11:40 . 2009-09-19 11:40  --------  d-----w-  c:\programme\Trend Micro
2009-09-19 09:35 . 2009-09-19 09:35  253952    ------w-  c:\windows\Setup1.exe
2009-09-19 09:35 . 2009-09-19 09:35  74752     ----a-w-  c:\windows\ST6UNST.EXE
2009-09-16 14:37 . 2009-09-16 14:37  --------  d--h--w-  c:\windows\PIF
2009-09-13 15:03 . 2009-09-13 15:09  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\eXPert PDF Editor
2009-09-13 15:02 . 2009-09-13 15:02  --------  d-----w-  c:\dokumente und einstellungen\All Users\Anwendungsdaten\eXPert PDF 4
2009-09-11 22:09 . 2009-09-11 22:09  --------  d-----w-  c:\programme\Gemeinsame Dateien\Apple
2009-09-11 22:08 . 2009-09-19 12:42  --------  d-----w-  c:\programme\QuickTime
2009-09-11 22:08 . 2009-09-11 22:08  --------  d-----w-  c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
.
((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 11:54 . 2009-06-13 17:41  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\Skype
2009-10-10 08:26 . 2009-06-13 17:47  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\skypePM
2009-10-04 11:52 . 2009-06-19 18:04  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\Hamachi
2009-10-04 09:08 . 2009-06-16 14:03  --------  d---a-w-  c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-10-03 18:44 . 2009-06-19 13:49  --------  d-----w-  c:\programme\Gemeinsame Dateien\DVDVideoSoft
2009-09-25 14:13 . 2009-06-19 21:25  --------  d-----w-  c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spyware Terminator
2009-09-25 14:13 . 2009-06-19 21:25  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\Spyware Terminator
2009-09-25 14:13 . 2009-06-19 21:25  --------  d-----w-  c:\programme\Crawler
2009-09-25 14:00 . 2009-06-19 21:25  --------  d-----w-  c:\programme\Spyware Terminator
2009-09-19 08:44 . 2009-06-13 09:33  --------  d--h--w-  c:\programme\InstallShield Installation Information
2009-09-14 10:07 . 2009-06-13 18:01  --------  d-----w-  c:\programme\ooVoo
2009-09-08 17:14 . 2009-06-14 16:25  --------  d-----w-  c:\programme\Rockstar Games
2009-09-04 10:50 . 2009-06-13 12:20  32584     ----a-w-  c:\dokumente und einstellungen\Alex\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-09-03 18:02 . 2009-09-03 18:02  --------  d-----w-  c:\programme\JRE
2009-09-03 18:02 . 2009-08-22 15:29  --------  d-----w-  c:\programme\OpenOffice.org 3
2009-09-03 06:40 . 2009-06-14 16:43  --------  d-----w-  c:\programme\7-Zip
2009-09-02 23:26 . 2009-06-27 18:30  --------  d-----w-  c:\programme\Teamspeak2_RC2
2009-08-31 16:18 . 2009-06-13 09:37  5891584   ----a-w-  c:\windows\system32\drivers\RtkHDAud.sys
2009-08-31 08:28 . 2009-06-13 09:37  405504    ----a-w-  c:\windows\vncutil.exe
2009-08-26 20:50 . 2009-08-07 18:38  --------  d-----w-  c:\programme\SARL Audio Client
2009-08-24 14:01 . 2009-06-13 09:37  18702336  ----a-w-  c:\windows\RTHDCPL.EXE
2009-08-22 15:30 . 2009-08-22 15:30  --------  d-----w-  c:\dokumente und einstellungen\Alex\Anwendungsdaten\OpenOffice.org
2009-08-14 12:17 . 2009-08-14 12:17  --------  d-----w-  c:\programme\HyCam2
2009-08-05 15:42 . 2009-06-13 09:25  55656     ----a-w-  c:\windows\system32\drivers\avgntflt.sys
2009-08-05 14:10 . 2009-06-13 09:37  831488    ----a-w-  c:\windows\RtlExUpd.dll
2009-08-05 08:59 . 2008-04-14 12:00  206336    ----a-w-  c:\windows\system32\mswebdvd.dll
2009-08-04 12:31 . 2009-06-13 09:37  2170880   ----a-w-  c:\windows\MicCal.exe
2009-07-23 19:01 . 2009-07-23 19:01  410984    ----a-w-  c:\windows\system32\deploytk.dll
2009-07-21 14:40 . 2009-06-13 09:37  41472     ----a-w-  c:\windows\system32\RtkCoInstXP.dll
2009-07-17 19:01 . 2008-04-14 12:00  58880     ----a-w-  c:\windows\system32\atl.dll
2009-07-13 21:43 . 2008-04-14 12:00  286208    ----a-w-  c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02  1044480   ----a-w-  c:\programme\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02  200704    ----a-w-  c:\programme\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[-] 2008-04-14 . E7EF7580241236552C7114FC71166CB6 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((  Registry autostart points  ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ"="c:\programme\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"oovoo.exe"="c:\programme\ooVoo\oovoo.exe" [2009-09-02 17385144]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TrayServer"="c:\programme\MAGIX\Video_deluxe_2008\TrayServer.exe" [2008-01-17 90112]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"TPPOLL"="c:\programme\TOPRO\TPPOLL.EXE" [2005-03-02 24576]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-08-24 18702336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Ralink Wireless Utility.lnk - c:\programme\RALINK\Common\RaUI.exe [2009-6-13 614400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"c:\\Programme\\ooVoo\\ooVoo.exe"=
"c:\\Programme\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\samp02Xserver.win32\\samp-server.exe"=
"c:\\Programme\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\Backup samp02Xserver.win32\\samp02Xserver.win32\\samp-server.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\DKSpeak.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\samp03svr_RC8-1_win32\\samp-server.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP Port 443
"443:UDP"= 443:UDP:ooVoo UDP Port 443
"37674:TCP"= 37674:TCP:ooVoo TCP Port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP Port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP Port 37675
"2074:UDP"= 2074:UDP:DKSpeak UDP
"2074:TCP"= 2074:TCP:DKSpeak TCP

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [13.06.2009 11:33 22168]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [19.06.2009 23:25 142592]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [30.07.2008 07:51 277736]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [13.06.2009 11:25 108289]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [13.06.2009 14:00 89600]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [21.11.2007 17:37 181888]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [13.06.2009 11:37 1684736]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [25.07.2009 20:26 16512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\MAGIX\Common\Database\bin\fbserver.exe [16.06.2009 13:58 1527900]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.de/
IE: Add to AMV Converter... - c:\programme\MP3 Player Utilities 4.07\AMVConverter\grab.html
IE: MediaManager tool grab multimedia file - c:\programme\MP3 Player Utilities 4.07\MediaManager\grab.html
IE: Save YouTube Video - c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {3188FB46-456D-4C07-8A11-F5F3BBBA8AF2} - hxxp://www.seetoo.com/downloadAddon.php?platform=Win32&browser=ie&ref=icq&c=cb0250c3f2a8f1b7c&browserVersion=7.0
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\dokumente und einstellungen\Alex\Anwendungsdaten\Mozilla\Firefox\Profiles\lyih958e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de
FF - component: c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programme\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\programme\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 14:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- Locked registry keys ---------------------
[HKEY_USERS\S-1-5-21-1960408961-2025429265-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1960408961-2025429265-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B2D377E7-A79B-20FF-550F-234DF183BE0E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gapineapmpjfng"=hex:61,69,65,66,6a,68,64,69,6b,61,63,64,65,6c,62,65,63,69,67,
   66,64,6e,64,67,62,65,6a,63,6b,6f,6e,69,6a,6d,68,62,70,6b,69,6c,68,63,6f,64,\
.
--------------------- DLLs loaded by running processes ---------------------
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2228)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programme\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\programme\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\programme\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ger.nlr
c:\programme\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\programme\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WudfHost.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\Spyware Terminator\sp_rsser.exe
c:\programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\programme\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-10-10 14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 12:08
ComboFix2.txt 2009-10-10 11:12

Pre-Run: 13 directories, 116.935.573.504 bytes free
Post-Run: 14 directories, 116.897.345.536 bytes free

199 --- E O F --- 2009-09-09 08:40

A few minutes ago my internet suddenly dropped. I don't know why. Had to reboot.
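The locked key in the ComboFix output above carries a REG_BINARY value with a random-looking name. Before deciding what such a value is, an analyst would normally decode it. The following is an added example, not part of the thread and not ComboFix's code: it parses the two posted lines (REGEDIT4 `hex:` syntax with backslash line continuation), reports that the value is truncated (the posted copy ends on a continuation backslash), decodes the bytes to ASCII, and applies one heuristic: a string drawn only from the 16 letters a..p is what you get when each hex nibble is mapped onto a letter, so the block also shows the nibble-decoded bytes. That is a lead to follow up, not a verdict on the value. The sample input is the two lines as posted; everything else is assumption.

```python
import re
import string

# Constructed input: the two lines of the locked-key value exactly as posted in
# the ComboFix output above. REGEDIT4 wraps long hex values with a trailing
# backslash; the posted copy ends on such a backslash, so the value is cut off
# and only the first 44 bytes are recoverable.
SAMPLE = r'''"gapineapmpjfng"=hex:61,69,65,66,6a,68,64,69,6b,61,63,64,65,6c,62,65,63,69,67,
  66,64,6e,64,67,62,65,6a,63,6b,6f,6e,69,6a,6d,68,62,70,6b,69,6c,68,63,6f,64,\
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex:(?P<body>.*)$')
ALPHABET = string.ascii_lowercase[:16]          # 'a'..'p': 16 symbols, one per nibble


def parse_reg_hex(text):
    """Parse one REGEDIT4 '"name"=hex:..' value spread over continuation lines.
    Returns (name, data, truncated); truncated is True when the last line still
    ends in a continuation backslash, i.e. more bytes followed in the real file."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    truncated = lines[-1].endswith("\\")
    joined = "".join(ln.rstrip("\\") for ln in lines)
    m = VALUE_RE.match(joined)
    if not m:
        raise ValueError("not a REGEDIT4 hex: value")
    octets = [h for h in m.group("body").split(",") if h]
    return m.group("name"), bytes(int(h, 16) for h in octets), truncated


def is_ap_alphabet(data):
    """Heuristic: every byte is one of the 16 letters a..p."""
    return len(data) > 0 and all(chr(b) in ALPHABET for b in data)


def decode_ap_nibbles(data):
    """Map a..p -> 0..15 and pack letter pairs into bytes (high nibble first).
    A dangling odd letter (possible in a truncated value) is dropped."""
    s = data.decode("ascii")
    s = s[: len(s) - len(s) % 2]
    return bytes(ALPHABET.index(s[i]) << 4 | ALPHABET.index(s[i + 1])
                 for i in range(0, len(s), 2))


def analyze_value(text):
    """Decode a posted hex: value and collect the facts an analyst wants first."""
    name, data, truncated = parse_reg_hex(text)
    report = {
        "name": name,
        "length": len(data),
        "truncated": truncated,
        "ascii": data.decode("ascii", errors="replace"),
        # the value *name* is checked against the same alphabet as the data
        "name_in_ap_alphabet": all(c in ALPHABET for c in name),
        "data_in_ap_alphabet": is_ap_alphabet(data),
    }
    if report["data_in_ap_alphabet"]:
        report["nibble_decoded_hex"] = decode_ap_nibbles(data).hex()
    return report


if __name__ == "__main__":
    for key, val in analyze_value(SAMPLE).items():
        print(f"{key}: {val}")
```

On the posted lines this yields the ASCII string aiefjhdikacdelbecigfdndgbejckonijmhbpkilhcod; the value name gapineapmpjfng is drawn from the same 16 letters. The nibble-decoded bytes are not readable either, and since the posted copy is cut off, nothing further can be concluded from this value on its own.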
10.10.2009, 13:22 | #18 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please create a logfile with GMER => GMER - instructions
10.10.2009, 14:31 | #19 |
So, finally finished scanning xD. In the meantime my internet crashed again oO, maybe some rootkit defending itself oO

GMER 1.0.15.15125 - GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-10 15:26:14
Windows 5.1.2600 Service Pack 3
Running: zc30gpvs.exe; Driver: C:\DOKUME~1\Alex\LOKALE~1\Temp\fwlyakow.sys

---- System - GMER 1.0.15 ----

SSDT F7B141AE ZwCreateKey
SSDT F7B141A4 ZwCreateThread
SSDT F7B141B3 ZwDeleteKey
SSDT F7B141BD ZwDeleteValueKey
SSDT spvx.sys ZwEnumerateKey [0xF72A4CA4]
SSDT spvx.sys ZwEnumerateValueKey [0xF72A5032]
SSDT F7B141C2 ZwLoadKey
SSDT spvx.sys ZwOpenKey [0xF72860C0]
SSDT F7B14190 ZwOpenProcess
SSDT F7B14195 ZwOpenThread
SSDT spvx.sys ZwQueryKey [0xF72A510A]
SSDT spvx.sys ZwQueryValueKey [0xF72A4F8A]
SSDT F7B141CC ZwReplaceKey
SSDT F7B141C7 ZwRestoreKey
SSDT F7B141B8 ZwSetValueKey
SSDT F7B1419F ZwTerminateProcess

INT 0x62 ? 89E75BF8
INT 0x63 ? 89E75BF8
INT 0x63 ? 89E75BF8
INT 0x63 ? 89B18F00
INT 0x63 ? 89B18F00
INT 0x63 ? 89E75BF8
INT 0x64 ? 89B18F00
INT 0x74 ? 89B18F00
INT 0x82 ? 89E75BF8
INT 0x84 ? 89B18F00

---- Kernel code sections - GMER 1.0.15 ----

? spvx.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6BD48AC 5 Bytes JMP 89B184E0
.text axbibxrf.SYS F6B27386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text axbibxrf.SYS F6B273AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text axbibxrf.SYS F6B273C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text axbibxrf.SYS F6B273C9 1 Byte [30]
.text axbibxrf.SYS F6B273C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\cofi4781c\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7287042] spvx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728713E] spvx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72870C0] spvx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7287800] spvx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72876D6] spvx.sys
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0046D670] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetFocus] [00468470] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0046D670] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetFocus] [00468470] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [00467EF0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [00468020] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollPos] [00467F50] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [0046D670] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SetFocus] [00468470] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [0046D740] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetFocus] [00468470] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\IPHLPAPI.DLL [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\IPHLPAPI.DLL [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [0046D5A0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [0046D670] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [0046D810] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [0046D4D0] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
IAT C:\Programme\ooVoo\oovoo.exe[160] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!SetFocus] [00468470] C:\Programme\ooVoo\oovoo.exe (ooVoo/ooVoo LLC)
10.10.2009, 14:32 | #20 |
---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E741F8
Device \Driver\usbstor \Device\0000008e 899BB500
Device \Driver\usbstor \Device\0000008f 899BB500
Device \Driver\usbuhci \Device\USBPDO-0 899CF500
Device \Driver\usbuhci \Device\USBPDO-1 899CF500
Device \Driver\usbuhci \Device\USBPDO-2 899CF500
Device \Driver\usbuhci \Device\USBPDO-3 899CF500
Device \Driver\usbehci \Device\USBPDO-4 89A2E500
Device \Driver\NetBT \Device\NetBT_Tcpip_{32DDE47B-DC0E-4892-B821-8FF42F4A6645} 899DD500
Device \Driver\sptd \Device\2816082248 spvx.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{E1536E61-4EF4-47DB-95E3-2F86B409F41D} 899DD500
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E061F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A797B89B-1EC1-4AD5-A354-5B4E8BA5B481} 899DD500
Device \Driver\Cdrom \Device\CdRom0 89B121F8
Device \Driver\Cdrom \Device\CdRom1 89B121F8
Device \Driver\atapi \Device\Ide\IdePort0 [F71FFB40] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort1 [F71FFB40] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort2 [F71FFB40] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdePort3 [F71FFB40] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 [F71FFB40] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-1b [F71FFB40] atapi.sys[unknown section]
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-13 [F71FFB40] atapi.sys[unknown section]
Device \Driver\Cdrom \Device\CdRom2 89B121F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 899DD500
Device \Driver\PCI_PNP2248 \Device\0000004a spvx.sys
Device \Driver\NetBT \Device\NetbiosSmb 899DD500
Device \Driver\usbuhci \Device\USBFDO-0 899CF500
Device \Driver\usbuhci \Device\USBFDO-1 899CF500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899DA500
Device \Driver\usbuhci \Device\USBFDO-2 899CF500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 899DA500
Device \Driver\usbuhci \Device\USBFDO-3 899CF500
Device \Driver\usbehci \Device\USBFDO-4 89A2E500
Device \Driver\Ftdisk \Device\FtControl 89E061F8
Device \Driver\usbstor \Device\0000007f 899BB500
Device \Driver\usbstor \Device\0000008c 899BB500
Device \Driver\axbibxrf \Device\Scsi\axbibxrf1Port4Path0Target0Lun0 8990E500
Device \Driver\axbibxrf \Device\Scsi\axbibxrf1 8990E500
Device \Driver\usbstor \Device\0000008d 899BB500
Device \FileSystem\Cdfs \Cdfs 899BE500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xB4 0x6D 0x90 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x9D 0x1B 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDB 0xE2 0x85 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x30 0x9A 0xE5 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xB4 0x6D 0x90 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x9D 0x1B 0x04 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDB 0xE2 0x85 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x30 0x9A 0xE5 0x53 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B2D377E7-A79B-20FF-550F-234DF183BE0E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B2D377E7-A79B-20FF-550F-234DF183BE0E}@gapineapmpjfng 0x61 0x69 0x65 0x66 ...

---- EOF - GMER 1.0.15 ----
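One way to triage the GMER kernel hook lines above mechanically, as an added example that is not part of the thread and not GMER's code. It parses the SSDT and kernel IAT lines, groups hooks by the module GMER attributed them to, and splits the remainder into two classes: hooks whose handler lies in kernel space but that GMER could not map to a module, and IAT slots whose value is not a kernel pointer at all. The allowlist is an assumption derived from the thread itself: GMER's registry section ties sptd\Cfg to C:\Programme\DAEMON Tools Lite\ and names spvx.sys as the owner of the \Driver\sptd device. The sample lines are copied from the posted log; the user-mode IAT lines (the oovoo.exe ones) have a different shape and are skipped.

```python
import re
from collections import defaultdict, namedtuple

Hook = namedtuple("Hook", "kind target addr owner")

# Constructed sample: SSDT and kernel IAT lines copied from the GMER output above
# (a subset of the atapi.sys and axbibxrf.SYS IAT lines is enough to show the point).
GMER_SAMPLE = r"""SSDT F7B141AE ZwCreateKey
SSDT F7B141A4 ZwCreateThread
SSDT F7B141B3 ZwDeleteKey
SSDT F7B141BD ZwDeleteValueKey
SSDT spvx.sys ZwEnumerateKey [0xF72A4CA4]
SSDT spvx.sys ZwEnumerateValueKey [0xF72A5032]
SSDT F7B141C2 ZwLoadKey
SSDT spvx.sys ZwOpenKey [0xF72860C0]
SSDT F7B14190 ZwOpenProcess
SSDT F7B14195 ZwOpenThread
SSDT spvx.sys ZwQueryKey [0xF72A510A]
SSDT spvx.sys ZwQueryValueKey [0xF72A4F8A]
SSDT F7B141CC ZwReplaceKey
SSDT F7B141C7 ZwRestoreKey
SSDT F7B141B8 ZwSetValueKey
SSDT F7B1419F ZwTerminateProcess
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7287042] spvx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72876D6] spvx.sys
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\axbibxrf.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
"""

# Analyst-supplied allowlist (an assumption, built only from what the thread
# establishes: sptd\Cfg@p0 points at DAEMON Tools Lite and GMER names spvx.sys
# as the owner of the \Driver\sptd device).
KNOWN_OWNERS = {"spvx.sys": "SPTD (DAEMON Tools) driver, per the thread"}

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?\s*$")
IAT_RE = re.compile(r"^IAT\s+(.+?)\[([^\]]+)\]\s+\[?([0-9A-Fa-f]{8})\]?(?:\s+(\S+))?\s*$")
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")
KERNEL_BASE = 0x80000000   # start of kernel space on 32-bit XP without /3GB


def parse_gmer(text):
    """Turn GMER 'SSDT' and kernel 'IAT' lines into Hook records."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            first, func, addr = m.groups()
            if HEX8_RE.fullmatch(first):
                # bare address: GMER could not map the handler to a loaded module
                hooks.append(Hook("SSDT", func, int(first, 16), None))
            else:
                hooks.append(Hook("SSDT", func, int(addr, 16) if addr else 0, first))
            continue
        m = IAT_RE.match(line)
        if m:
            module, imp, addr, owner = m.groups()
            target = module.rsplit("\\", 1)[-1] + "!" + imp
            hooks.append(Hook("IAT", target, int(addr, 16), owner))
    return hooks


def triage(hooks, known_owners):
    """Group hooks by attributed owner; bucket the rest by what the address tells us."""
    by_owner = defaultdict(list)
    unattributed, bogus = [], []
    for h in hooks:
        if h.owner:
            by_owner[h.owner].append(h)
        elif h.addr >= KERNEL_BASE:
            unattributed.append(h)
        else:
            # A kernel-mode IAT slot must hold a kernel pointer. Values below
            # KERNEL_BASE mean the table GMER read is not a real import table
            # (e.g. the driver image is scrambled or obfuscated in memory).
            bogus.append(h)
    pages = defaultdict(int)
    for h in unattributed:
        pages["0x%08X" % (h.addr & ~0xFFF)] += 1   # 4 KiB page of the handler
    return {
        "owners": {o: {"count": len(hs),
                       "note": known_owners.get(o.lower(), "unknown owner: verify the file on disk")}
                   for o, hs in by_owner.items()},
        "unattributed_kernel": len(unattributed),
        "unattributed_pages": dict(pages),
        "not_kernel_pointer": len(bogus),
        "bogus_targets": sorted({h.target.split("!")[0] for h in bogus}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_gmer(GMER_SAMPLE), KNOWN_OWNERS), indent=2))
```

On the posted lines this gives 7 hooks attributed to spvx.sys, 11 unattributed SSDT hooks whose handlers all lie within the single page 0xF7B14000 (one driver, whose identity the log does not reveal; the thread leaves that open), and 2 axbibxrf.SYS IAT values below 0x80000000, which cannot be valid kernel pointers, so the import table GMER read from that image is not a genuine one.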
10.10.2009, 15:10 | #21 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please check log Most of the entries should be okay; they belong, for example, to Daemon Tools. That tool inserts its driver in a more or less pretty way. The ones from oovoo should also be legitimate. That leaves the ones that Avira and also GMER found: Quote:
|
10.10.2009, 15:23 | #22 |
| Please check log It is listed as an option, but I can't click on it. |
10.10.2009, 16:10 | #23 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please check log I can't really classify these entries. They might be remnants of a malicious rootkit, but they might also be components of Daemon Tools or something similar. Try your luck with RootRepeal.
__________________ Always post logfiles in CODE tags |
10.10.2009, 16:26 | #24 |
| Please check log OK, and which settings should I scan with? |
10.10.2009, 16:32 | #25 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please check log Tick the boxes for "Drivers", "Stealth Objects" and "Hidden Services"
__________________ Always post logfiles in CODE tags |
10.10.2009, 16:38 | #26 |
| Please check log Drivers: ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2009/10/10 17:33 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: acedrv11.sys Image Path: C:\WINDOWS\system32\drivers\acedrv11.sys Address: 0xAB1D9000 Size: 270720 File Visible: - Signed: - Status: - Name: ACPI.sys Image Path: ACPI.sys Address: 0xF723E000 Size: 188800 File Visible: - Signed: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2154496 File Visible: - Signed: - Status: - Name: AegisP.sys Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys Address: 0xF7857000 Size: 19232 File Visible: - Signed: - Status: - Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xAE66F000 Size: 138496 File Visible: - Signed: - Status: - Name: AmdK8.sys Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys Address: 0xF7577000 Size: 65536 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0xF71F6000 Size: 98304 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0x00000000 Size: 0 File Visible: - Signed: - Status: - Name: ati2cqag.dll Image Path: C:\WINDOWS\System32\ati2cqag.dll Address: 0xBF068000 Size: 651264 File Visible: - Signed: - Status: - Name: ati2dvag.dll Image Path: C:\WINDOWS\System32\ati2dvag.dll Address: 0xBF012000 Size: 352256 File Visible: - Signed: - Status: - Name: ati2mtag.sys Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys Address: 0xF6C3F000 Size: 4452352 File Visible: - Signed: - Status: - Name: ati3duag.dll Image Path: C:\WINDOWS\System32\ati3duag.dll Address: 0xBF1EE000 Size: 3014656 File Visible: - Signed: - Status: - Name: AtiHdmi.sys Image Path: C:\WINDOWS\system32\drivers\AtiHdmi.sys Address: 0xAE7BB000 Size: 110592 File Visible: - Signed: - Status: - Name: atikvmag.dll Image Path: 
C:\WINDOWS\System32\atikvmag.dll Address: 0xBF107000 Size: 552960 File Visible: - Signed: - Status: - Name: atiok3x2.dll Image Path: C:\WINDOWS\System32\atiok3x2.dll Address: 0xBF18E000 Size: 393216 File Visible: - Signed: - Status: - Name: ativvaxx.dll Image Path: C:\WINDOWS\System32\ativvaxx.dll Address: 0xBF4CE000 Size: 2142208 File Visible: - Signed: - Status: - Name: ATMFD.DLL Image Path: C:\WINDOWS\System32\ATMFD.DLL Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: - Status: - Name: audstub.sys Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys Address: 0xF7B7F000 Size: 3072 File Visible: - Signed: - Status: - Name: avgio.sys Image Path: C:\Programme\Avira\AntiVir Desktop\avgio.sys Address: 0xF79E1000 Size: 6144 File Visible: - Signed: - Status: - Name: avgntflt.sys Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys Address: 0xAB861000 Size: 81920 File Visible: - Signed: - Status: - Name: avipbb.sys Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Address: 0xAE4F5000 Size: 114688 File Visible: - Signed: - Status: - Name: BANTExt.sys Image Path: C:\WINDOWS\System32\Drivers\BANTExt.sys Address: 0xF7B13000 Size: 2144 File Visible: - Signed: - Status: - Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xF79D3000 Size: 4224 File Visible: - Signed: - Status: - Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xF7897000 Size: 12288 File Visible: - Signed: - Status: - Name: cam1690.sys Image Path: C:\WINDOWS\System32\Drivers\cam1690.sys Address: 0xAE4C8000 Size: 181888 File Visible: - Signed: - Status: - Name: catchme.sys Image Path: C:\cofi4781c\catchme.sys Address: 0xF77D7000 Size: 31744 File Visible: No Signed: - Status: - Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xF7537000 Size: 63744 File Visible: - Signed: - Status: - Name: cdrom.sys Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys Address: 0xF75A7000 Size: 62976 File Visible: - Signed: - Status: - Name: CLASSPNP.SYS 
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Address: 0xF74C7000 Size: 53248 File Visible: - Signed: - Status: - Name: Combo-Fix.sys Image Path: Combo-Fix.sys Address: 0xF74F7000 Size: 60416 File Visible: No Signed: - Status: - Name: disk.sys Image Path: disk.sys Address: 0xF74B7000 Size: 36352 File Visible: - Signed: - Status: - Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xF7637000 Size: 61440 File Visible: - Signed: - Status: - Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xAE39E000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF79F1000 Size: 8192 File Visible: No Signed: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xAE7AB000 Size: 12288 File Visible: - Signed: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF000000 Size: 73728 File Visible: - Signed: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xF7A85000 Size: 4096 File Visible: - Signed: - Status: - Name: Fastfat.SYS Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS Address: 0xA9C21000 Size: 143744 File Visible: - Signed: - Status: - Name: fdc.sys Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys Address: 0xF7887000 Size: 27392 File Visible: - Signed: - Status: - Name: fetnd5bv.sys Image Path: C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys Address: 0xF75C7000 Size: 42496 File Visible: - Signed: - Status: - Name: Fips.SYS Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xF76D7000 Size: 44672 File Visible: - Signed: - Status: - Name: flpydisk.sys Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys Address: 0xF778F000 Size: 20480 File Visible: - Signed: - Status: - Name: fltMgr.sys Image Path: fltMgr.sys Address: 0xF71D6000 Size: 129792 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: 
C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xF79D1000 Size: 7936 File Visible: - Signed: - Status: - Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xF720E000 Size: 126336 File Visible: - Signed: - Status: - Name: fwlyakow.sys Image Path: C:\DOKUME~1\Alex\LOKALE~1\Temp\fwlyakow.sys Address: 0xAA755000 Size: 87040 File Visible: No Signed: - Status: - Name: gagp30kx.sys Image Path: gagp30kx.sys Address: 0xF7507000 Size: 46464 File Visible: - Signed: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x806E5000 Size: 134400 File Visible: - Signed: - Status: - Name: hamachi.sys Image Path: C:\WINDOWS\system32\DRIVERS\hamachi.sys Address: 0xF775F000 Size: 18560 File Visible: - Signed: - Status: - Name: HDAudBus.sys Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys Address: 0xF6C03000 Size: 163840 File Visible: - Signed: - Status: - Name: HIDCLASS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS Address: 0xF7587000 Size: 36864 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xF779F000 Size: 28672 File Visible: - Signed: - Status: - Name: hidusb.sys Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys Address: 0xAE7EE000 Size: 10368 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xAAC1B000 Size: 264832 File Visible: - Signed: - Status: - Name: imapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys Address: 0xF7597000 Size: 42112 File Visible: - Signed: - Status: - Name: ipnat.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys Address: 0xAE6B9000 Size: 152832 File Visible: - Signed: - Status: - Name: ipsec.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys Address: 0xAE760000 Size: 75264 File Visible: - Signed: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xF7487000 Size: 37632 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: 
C:\WINDOWS\system32\DRIVERS\kbdclass.sys Address: 0xF7767000 Size: 25216 File Visible: - Signed: - Status: - Name: kbdhid.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys Address: 0xAE7DE000 Size: 14720 File Visible: - Signed: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xF7987000 Size: 8192 File Visible: - Signed: - Status: - Name: kmixer.sys Image Path: C:\WINDOWS\system32\drivers\kmixer.sys Address: 0xA896E000 Size: 172416 File Visible: - Signed: - Status: - Name: ks.sys Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys Address: 0xF6BE0000 Size: 143360 File Visible: - Signed: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xF71AD000 Size: 92928 File Visible: - Signed: - Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xF79D5000 Size: 4224 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys Address: 0xF776F000 Size: 23552 File Visible: - Signed: - Status: - Name: mouhid.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys Address: 0xAE7DA000 Size: 12288 File Visible: - Signed: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys Address: 0xF7497000 Size: 42368 File Visible: - Signed: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys Address: 0xAB40F000 Size: 180608 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Address: 0xAE511000 Size: 455296 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xF77B7000 Size: 19072 File Visible: - Signed: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys Address: 0xF7617000 Size: 35072 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Address: 0xF70A2000 Size: 15488 File Visible: - Signed: - Status: - Name: Mup.sys Image Path: Mup.sys Address: 0xF70C6000 
Size: 105344 File Visible: - Signed: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xF70E0000 Size: 182656 File Visible: - Signed: - Status: - Name: ndistapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys Address: 0xF797B000 Size: 10112 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Address: 0xF6AFC000 Size: 91520 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xF7647000 Size: 40576 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys Address: 0xF76B7000 Size: 34688 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys Address: 0xAE6DF000 Size: 162816 File Visible: - Signed: - Status: - Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xF77BF000 Size: 30848 File Visible: - Signed: - Status: - Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xF710D000 Size: 574976 File Visible: - Signed: - Status: - Name: ntkrnlpa.exe Image Path: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2154496 File Visible: - Signed: - Status: - Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xF7AEF000 Size: 2944 File Visible: - Signed: - Status: - Name: parport.sys Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys Address: 0xF6B13000 Size: 80384 File Visible: - Signed: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xF770F000 Size: 19712 File Visible: - Signed: - Status: - Name: ParVdm.SYS Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS Address: 0xF7A35000 Size: 7040 File Visible: - Signed: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xF722D000 Size: 68224 File Visible: - Signed: - Status: - Name: PCI_PNP2248 Image Path: \Driver\PCI_PNP2248 Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 
0xF7A4F000 Size: 3328 File Visible: - Signed: - Status: - Name: PCIIDEX.SYS Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Address: 0xF7707000 Size: 28672 File Visible: - Signed: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2154496 File Visible: - Signed: - Status: - Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xF63D5000 Size: 147456 File Visible: - Signed: - Status: - Name: PROCEXP90.SYS Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Address: 0xF79DD000 Size: 6464 File Visible: No Signed: - Status: - Name: psched.sys Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys Address: 0xF6AC3000 Size: 69120 File Visible: - Signed: - Status: - Name: ptilink.sys Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys Address: 0xF7727000 Size: 17792 File Visible: - Signed: - Status: - Name: PxHelp20.sys Image Path: PxHelp20.sys Address: 0xF74E7000 Size: 37376 File Visible: - Signed: - Status: - Name: rasacd.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys Address: 0xF7973000 Size: 8832 File Visible: - Signed: - Status: - Name: rasl2tp.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Address: 0xF75E7000 Size: 51328 File Visible: - Signed: - Status: - Name: raspppoe.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Address: 0xF75F7000 Size: 41472 File Visible: - Signed: - Status: - Name: raspptp.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys Address: 0xF7607000 Size: 48384 File Visible: - Signed: - Status: - Name: raspti.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys Address: 0xF772F000 Size: 16512 File Visible: - Signed: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2154496 File Visible: - Signed: - Status: - Name: rdbss.sys Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys Address: 0xAE581000 Size: 175744 File Visible: - Signed: - Status: - Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xF79D7000 
Size: 4224 File Visible: - Signed: - Status: - Name: redbook.sys Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys Address: 0xF75B7000 Size: 57728 File Visible: - Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xAACE7000 Size: 49152 File Visible: No Signed: - Status: - Name: RT61.sys Image Path: C:\WINDOWS\system32\DRIVERS\RT61.sys Address: 0xAA6F8000 Size: 380928 File Visible: - Signed: - Status: - Name: RtkHDAud.sys Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys Address: 0xF63F9000 Size: 6078464 File Visible: - Signed: - Status: - Name: SCSIPORT.SYS Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS Address: 0xF726D000 Size: 98304 File Visible: - Signed: - Status: - Name: serenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys Address: 0xF7977000 Size: 15744 File Visible: - Signed: - Status: - Name: serial.sys Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys Address: 0xF75D7000 Size: 65536 File Visible: - Signed: - Status: - Name: sp_rsdrv2.sys Image Path: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys Address: 0xAE5AC000 Size: 142592 File Visible: - Signed: - Status: - Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - Name: spvx.sys Image Path: spvx.sys Address: 0xF7285000 Size: 1052672 File Visible: No Signed: - Status: - Name: sr.sys Image Path: sr.sys Address: 0xF71C4000 Size: 73472 File Visible: - Signed: - Status: - Name: srv.sys Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys Address: 0xAB047000 Size: 333952 File Visible: - Signed: - Status: - Name: ssmdrv.sys Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys Address: 0xF77C7000 Size: 23040 File Visible: - Signed: - Status: - Name: STREAM.SYS Image Path: C:\WINDOWS\System32\Drivers\STREAM.SYS Address: 0xF7547000 Size: 53248 File Visible: - Signed: - Status: - Name: swenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys Address: 0xF79C1000 Size: 4352 File Visible: - Signed: - 
Status: - Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xAB801000 Size: 60800 File Visible: - Signed: - Status: - Name: tcpip.sys Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys Address: 0xAE707000 Size: 361600 File Visible: - Signed: - Status: - Name: TDI.SYS Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS Address: 0xF788F000 Size: 20480 File Visible: - Signed: - Status: - Name: termdd.sys Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys Address: 0xF7627000 Size: 40704 File Visible: - Signed: - Status: - Name: update.sys Image Path: C:\WINDOWS\system32\DRIVERS\update.sys Address: 0xF69C5000 Size: 384768 File Visible: - Signed: - Status: - Name: usbaudio.sys Image Path: C:\WINDOWS\system32\drivers\usbaudio.sys Address: 0xF7567000 Size: 60032 File Visible: - Signed: - Status: - Name: usbccgp.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys Address: 0xF77AF000 Size: 32128 File Visible: - Signed: - Status: - Name: USBD.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS Address: 0xF79CF000 Size: 8192 File Visible: - Signed: - Status: - Name: usbehci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys Address: 0xF781F000 Size: 30208 File Visible: - Signed: - Status: - Name: usbhub.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys Address: 0xF7677000 Size: 59520 File Visible: - Signed: - Status: - Name: USBPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Address: 0xF6BBC000 Size: 147456 File Visible: - Signed: - Status: - Name: USBSTOR.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS Address: 0xF77F7000 Size: 26368 File Visible: - Signed: - Status: - Name: usbuhci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys Address: 0xF7817000 Size: 20608 File Visible: - Signed: - Status: - Name: usbvideo.sys Image Path: C:\WINDOWS\System32\Drivers\usbvideo.sys Address: 0xAE3DE000 Size: 121984 File Visible: - Signed: - Status: - Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 
0xF77A7000 Size: 20992 File Visible: - Signed: - Status: - Name: viaide.sys Image Path: viaide.sys Address: 0xF798B000 Size: 5376 File Visible: - Signed: - Status: - Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xF6C2B000 Size: 81920 File Visible: - Signed: - Status: - Name: videX32.sys Image Path: videX32.sys Address: 0xF7717000 Size: 32768 File Visible: - Signed: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xF74A7000 Size: 53760 File Visible: - Signed: - Status: - Name: wanarp.sys Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xF76A7000 Size: 34560 File Visible: - Signed: - Status: - Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xF7837000 Size: 20480 File Visible: - Signed: - Status: - Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xAB3D2000 Size: 83072 File Visible: - Signed: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: - Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: - Name: WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS Address: 0xF7989000 Size: 8192 File Visible: - Signed: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2154496 File Visible: - Signed: - Status: - Name: WudfPf.sys Image Path: WudfPf.sys Address: 0xF719A000 Size: 77696 File Visible: - Signed: - Status: - Name: xfilt.sys Image Path: xfilt.sys Address: 0xF74D7000 Size: 36864 File Visible: - Signed: - Status: - |
10.10.2009, 16:39 | #27 |
| Please check log Stealth Objects: ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2009/10/10 17:33 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Stealth Objects ------------------- Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: 
System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x89e741f8 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL] Process: System Address: 
0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP] Process: System Address: 0x899f8500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x89b121f8 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_READ] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL] Process: System 
Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP] Process: System Address: 0x899bb500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x899cf500 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x89e061f8 Size: 121 Object: Hidden 
Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x89e061f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89e061f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x89e061f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x89a2e500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_CREATE] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_CLOSE] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_READ] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_SET_INFORMATION] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_SHUTDOWN] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_CLEANUP] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_PNP] Process: System Address: 0x899be500 Size: 121
And there were no hidden services |
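The hook report above is easier to judge once it is grouped per driver: for each driver, which IRP_MJ_* dispatch entries are redirected, to how many distinct addresses, and whether any address serves more than one driver. The following parser is an added example, not part of the original post or of any tool named in the thread. Its sample input is a constructed subset of the lines posted above, including the Cdfs line with its mangled driver name; stripping that name back to its printable ASCII prefix is an assumption made here (that the trailing characters are junk printed past the end of the name), not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the hook report lines posted above, same format.
SAMPLE_REPORT = """\
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x89e061f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89e061f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x89e061f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x899dd500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x899da500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_CREATE] Process: System Address: 0x899be500 Size: 121
Object: Hidden Code [Driver: Cdfs捃䙐敋ꁹ, IRP_MJ_PNP] Process: System Address: 0x899be500 Size: 121
"""

# One report line: object type, driver, IRP major, owning process, target address, stub size.
HOOK_RE = re.compile(
    r"Object:\s+(?P<object>.+?)\s+\[Driver:\s+(?P<driver>[^,\]]+),\s+(?P<irp>IRP_MJ_\w+)\]"
    r"\s+Process:\s+(?P<process>\S+)\s+Address:\s+(?P<address>0x[0-9a-fA-F]+)\s+Size:\s+(?P<size>\d+)"
)


def clean_driver_name(name):
    """Keep the printable-ASCII prefix of a driver name.
    Assumption: the non-ASCII tail seen on Cdfs is junk printed past the end of
    the name, not part of the driver name itself."""
    out = []
    for ch in name:
        if not (32 <= ord(ch) < 127):
            break
        out.append(ch)
    return "".join(out).strip()


def parse_hooks(text):
    """Return one dict per hook line; lines that do not match the format are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.search(line)
        if not m:
            continue
        hooks.append({
            "object": m.group("object"),
            "driver": clean_driver_name(m.group("driver")),
            "irp": m.group("irp"),
            "process": m.group("process"),
            "address": int(m.group("address"), 16),
            "size": int(m.group("size")),
        })
    return hooks


def group_by_driver(hooks):
    """Per driver: the set of redirected IRP majors, target addresses and stub sizes."""
    groups = defaultdict(lambda: {"irps": set(), "addresses": set(), "sizes": set()})
    for h in hooks:
        g = groups[h["driver"]]
        g["irps"].add(h["irp"])
        g["addresses"].add(h["address"])
        g["sizes"].add(h["size"])
    return dict(groups)


def single_target_drivers(hooks):
    """Drivers whose redirected dispatch entries all land on one address, i.e. every
    listed IRP_MJ_* handler was replaced by the same stub. This is the pattern to
    examine first, because it is how a whole dispatch table is taken over at once."""
    return sorted(d for d, g in group_by_driver(hooks).items() if len(g["addresses"]) == 1)


def shared_targets(hooks):
    """Addresses that more than one driver is redirected to (one stub serving several
    drivers). Empty for the sample above: each driver has its own stub."""
    owners = defaultdict(set)
    for h in hooks:
        owners[h["address"]].add(h["driver"])
    return {hex(a): sorted(d) for a, d in owners.items() if len(d) > 1}


def report(text):
    """Human-readable one-line-per-driver summary."""
    lines = []
    for driver, g in sorted(group_by_driver(parse_hooks(text)).items()):
        addrs = ", ".join(hex(a) for a in sorted(g["addresses"]))
        lines.append(f"{driver}: {len(g['irps'])} IRP handlers -> {addrs} (stub sizes {sorted(g['sizes'])})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REPORT):
        print(line)
```

Run it against a full report (saved to a file and read into `report()`) to get one line per driver. Whether the stubs belong to an installed security product or to something unwanted cannot be decided from the report alone; the grouped view only tells you which drivers to look at and which addresses to resolve.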
11.10.2009, 05:51 | #28 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please check log Run the ComboFix script again, but this time please put this text into CFscript.txt; the rest as before: Code:
RegNull::
[HKEY_USERS\S-1-5-21-1960408961-2025429265-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B2D377E7-A79B-20FF-550F-234DF183BE0E}*]
__________________ Please always post log files in CODE tags |
11.10.2009, 10:03 | #29 |
| Please check log
ComboFix 09-10-10.02 - Alex 11.10.2009 10:55.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2046.1376 [GMT 2:00]
Run by:: c:\dokumente und einstellungen\Alex\Desktop\cofi.exe
Command switches used :: c:\dokumente und einstellungen\Alex\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((( Files created from 2009-09-11 to 2009-10-11 ))))))))))))))))))))))))))))))
.
2009-10-10 11:58 . 2009-10-10 12:08 -------- d-----w- C:\cofi4781c
2009-10-10 11:05 . 2009-10-10 11:12 -------- d-----w- C:\cofi
2009-10-08 15:35 . 2009-10-08 15:35 -------- d-sh--w- c:\windows\ftpcache
2009-10-04 11:42 . 2009-10-04 11:42 -------- d-----w- c:\programme\WinSCP
2009-09-20 14:27 . 2008-10-16 12:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-20 09:37 . 2009-09-20 09:37 -------- d-----w- c:\programme\Malwarebytes
2009-09-19 14:13 . 2009-09-19 14:13 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\Malwarebytes
2009-09-19 14:13 . 2009-09-19 14:13 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-09-19 11:40 . 2009-09-19 11:40 -------- d-----w- c:\programme\Trend Micro
2009-09-19 09:35 . 2009-09-19 09:35 253952 ------w- c:\windows\Setup1.exe
2009-09-19 09:35 . 2009-09-19 09:35 74752 ----a-w- c:\windows\ST6UNST.EXE
2009-09-16 14:37 . 2009-09-16 14:37 -------- d--h--w- c:\windows\PIF
2009-09-13 15:03 . 2009-09-13 15:09 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\eXPert PDF Editor
2009-09-13 15:02 . 2009-09-13 15:02 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\eXPert PDF 4
2009-09-11 22:09 . 2009-09-11 22:09 -------- d-----w- c:\programme\Gemeinsame Dateien\Apple
2009-09-11 22:08 . 2009-09-19 12:42 -------- d-----w- c:\programme\QuickTime
2009-09-11 22:08 . 2009-09-11 22:08 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 08:58 . 2009-06-13 17:41 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\Skype
2009-10-11 08:38 . 2009-06-13 17:47 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\skypePM
2009-10-04 11:52 . 2009-06-19 18:04 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\Hamachi
2009-10-04 09:08 . 2009-06-16 14:03 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-10-03 18:44 . 2009-06-19 13:49 -------- d-----w- c:\programme\Gemeinsame Dateien\DVDVideoSoft
2009-09-25 14:13 . 2009-06-19 21:25 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spyware Terminator
2009-09-25 14:13 . 2009-06-19 21:25 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\Spyware Terminator
2009-09-25 14:13 . 2009-06-19 21:25 -------- d-----w- c:\programme\Crawler
2009-09-25 14:00 . 2009-06-19 21:25 -------- d-----w- c:\programme\Spyware Terminator
2009-09-19 08:44 . 2009-06-13 09:33 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-09-14 10:07 . 2009-06-13 18:01 -------- d-----w- c:\programme\ooVoo
2009-09-08 17:14 . 2009-06-14 16:25 -------- d-----w- c:\programme\Rockstar Games
2009-09-04 10:50 . 2009-06-13 12:20 32584 ----a-w- c:\dokumente und einstellungen\Alex\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-09-03 18:02 . 2009-09-03 18:02 -------- d-----w- c:\programme\JRE
2009-09-03 18:02 . 2009-08-22 15:29 -------- d-----w- c:\programme\OpenOffice.org 3
2009-09-03 06:40 . 2009-06-14 16:43 -------- d-----w- c:\programme\7-Zip
2009-09-02 23:26 . 2009-06-27 18:30 -------- d-----w- c:\programme\Teamspeak2_RC2
2009-08-31 16:18 . 2009-06-13 09:37 5891584 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-08-31 08:28 . 2009-06-13 09:37 405504 ----a-w- c:\windows\vncutil.exe
2009-08-26 20:50 . 2009-08-07 18:38 -------- d-----w- c:\programme\SARL Audio Client
2009-08-24 14:01 . 2009-06-13 09:37 18702336 ----a-w- c:\windows\RTHDCPL.EXE
2009-08-22 15:30 . 2009-08-22 15:30 -------- d-----w- c:\dokumente und einstellungen\Alex\Anwendungsdaten\OpenOffice.org
2009-08-14 12:17 . 2009-08-14 12:17 -------- d-----w- c:\programme\HyCam2
2009-08-05 15:42 . 2009-06-13 09:25 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 14:10 . 2009-06-13 09:37 831488 ----a-w- c:\windows\RtlExUpd.dll
2009-08-05 08:59 . 2008-04-14 12:00 206336 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 12:31 . 2009-06-13 09:37 2170880 ----a-w- c:\windows\MicCal.exe
2009-07-23 19:01 . 2009-07-23 19:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 14:40 . 2009-06-13 09:37 41472 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programme\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programme\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[-] 2008-04-14 . E7EF7580241236552C7114FC71166CB6 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ"="c:\programme\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"oovoo.exe"="c:\programme\ooVoo\oovoo.exe" [2009-09-02 17385144]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2009-09-02 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TrayServer"="c:\programme\MAGIX\Video_deluxe_2008\TrayServer.exe" [2008-01-17 90112]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"TPPOLL"="c:\programme\TOPRO\TPPOLL.EXE" [2005-03-02 24576]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-08-24 18702336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Ralink Wireless Utility.lnk - c:\programme\RALINK\Common\RaUI.exe [2009-6-13 614400]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"c:\\Programme\\ooVoo\\ooVoo.exe"=
"c:\\Programme\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\samp02Xserver.win32\\samp-server.exe"=
"c:\\Programme\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\Backup samp02Xserver.win32\\samp02Xserver.win32\\samp-server.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\DKSpeak.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\samp03svr_RC8-1_win32\\samp-server.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP Port 443
"443:UDP"= 443:UDP:ooVoo UDP Port 443
"37674:TCP"= 37674:TCP:ooVoo TCP Port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP Port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP Port 37675
"2074:UDP"= 2074:UDP:DKSpeak UDP
"2074:TCP"= 2074:TCP:DKSpeak TCP
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [13.06.2009 11:33 22168]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [19.06.2009 23:25 142592]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [30.07.2008 07:51 277736]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [13.06.2009 11:25 108289]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [13.06.2009 14:00 89600]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [21.11.2007 17:37 181888]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [13.06.2009 11:37 1684736]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [25.07.2009 20:26 16512]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\MAGIX\Common\Database\bin\fbserver.exe [16.06.2009 13:58 1527900]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.de/
IE: Add to AMV Converter... - c:\programme\MP3 Player Utilities 4.07\AMVConverter\grab.html
IE: MediaManager tool grab multimedia file - c:\programme\MP3 Player Utilities 4.07\MediaManager\grab.html
IE: Save YouTube Video - c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {3188FB46-456D-4C07-8A11-F5F3BBBA8AF2} - hxxp://www.seetoo.com/downloadAddon.php?platform=Win32&browser=ie&ref=icq&c=cb0250c3f2a8f1b7c&browserVersion=7.0
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\dokumente und einstellungen\Alex\Anwendungsdaten\Mozilla\Firefox\Profiles\lyih958e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de
FF - component: c:\programme\Gemeinsame Dateien\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\programme\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programme\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\programme\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-11 10:58
Windows 5.1.2600 Service Pack 3 NTFS
Scanning hidden processes...
Scanning hidden autostart entries...
Scanning hidden files...
Scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- Locked Registry Keys ---------------------
[HKEY_USERS\S-1-5-21-1960408961-2025429265-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs loaded by running processes ---------------------
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3696)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-11 10:59
ComboFix-quarantined-files.txt 2009-10-11 08:59
ComboFix2.txt 2009-10-10 12:08
ComboFix3.txt 2009-10-10 11:12
Pre-Run: 14 directories, 116.897.492.992 bytes free
Post-Run: 15 directories, 116.862.246.912 bytes free
177 --- E O F --- 2009-09-09 08:40 |
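Beyond the one registry key the helper targeted, the Windows Firewall sections of a ComboFix log are worth a systematic look: the `AuthorizedApplications\List` entries tell you which executables may accept inbound connections, and the `GloballyOpenPorts\List` entries which ports are open regardless of process. Executables authorized from user-writable locations (the user's own documents folder, as with the `samp-server.exe` entries above) deserve the same attention as unknown autostarts. The script below is an added example, not part of the original post or of ComboFix; it parses both sections from a constructed excerpt that reproduces the format of the log above. The set of directories treated as "trusted" is an assumption made here for the triage, not a rule ComboFix applies.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the two firewall sections of the log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"c:\\Programme\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\samp02Xserver.win32\\samp-server.exe"=
"c:\\WINDOWS\\system32\\DKSpeak.exe"=
"c:\\Dokumente und Einstellungen\\Alex\\Eigene Dateien\\samp03svr_RC8-1_win32\\samp-server.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP Port 443
"443:UDP"= 443:UDP:ooVoo UDP Port 443
"37674:TCP"= 37674:TCP:ooVoo TCP Port 37674
"2074:UDP"= 2074:UDP:DKSpeak UDP
"2074:TCP"= 2074:TCP:DKSpeak TCP
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')

# Assumption for this triage: binaries under the OS and Program Files trees are
# "expected"; anything else (user profile, removable media, temp) gets flagged.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\programme\\", "c:\\program files\\")


def parse_firewall(text):
    """Return (authorized application paths, list of (port, proto, name)) from a
    ComboFix-style log. Registry-export style doubled backslashes are collapsed."""
    apps, ports, section = [], [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            if key.endswith("authorizedapplications\\list"):
                section = "apps"
            elif key.endswith("globallyopenports\\list"):
                section = "ports"
            else:
                section = None
            continue
        if section == "apps":
            m = APP_RE.match(line)
            if m:
                apps.append(m.group("path").replace("\\\\", "\\"))
        elif section == "ports":
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group("port")), m.group("proto"), m.group("name").strip()))
    return apps, ports


def untrusted_apps(apps):
    """Authorized executables outside the trusted trees, i.e. in locations a
    standard user can write to. Candidates for a closer look, not verdicts."""
    return [p for p in apps if not p.lower().startswith(TRUSTED_PREFIXES)]


def ports_open_on_both_protocols(ports):
    """Port numbers opened for TCP and UDP alike (sorted)."""
    protos = defaultdict(set)
    for port, proto, _name in ports:
        protos[port].add(proto)
    return sorted(p for p, s in protos.items() if s == {"TCP", "UDP"})


def triage(text):
    """Flat list of findings, one string each, in a fixed order for easy diffing."""
    apps, ports = parse_firewall(text)
    findings = [f"authorized app outside trusted dirs: {p}" for p in untrusted_apps(apps)]
    findings += [f"port {p} open for TCP and UDP" for p in ports_open_on_both_protocols(ports)]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Feed it the full log text instead of the excerpt to get the complete list; the "trusted" prefixes are written for a German XP install (`c:\programme`) and need the locale's Program Files path on other systems.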
11.10.2009, 10:07 | #30 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please check log That worked, the entry is gone. Apparently, at least. To double-check, you could scan once more with Avira's anti-rootkit tool.
__________________ Please always post log files in CODE tags |