Pests of all kinds and how to fight them: Windows XP: slow shutdown, rootkit / trojan already removed
13.11.2009, 17:04, #16
Windows XP: slow shutdown, rootkit / trojan already removed. GMER, part IX:
13.11.2009, 17:06, #17
Windows XP: slow shutdown, rootkit / trojan already removed. GMER, part X:
C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text 
C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) |
13.11.2009, 17:07 | #18 |
| Windows XP: slow shutdown, rootkit / trojan already removed GMER, part XI:
Code:
|
13.11.2009, 17:09 | #19 |
| Windows XP: slow shutdown, rootkit / trojan already removed GMER, part XII: Code:
|
13.11.2009, 17:10 | #20 |
| Windows XP: slow shutdown, rootkit / trojan already removed GMER, final part: Code:
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtCreateProcess 7C91D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtDeleteFile 7C91D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtFreeVirtualMemory 7C91D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtLoadDriver 7C91D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtSetInformationProcess 7C91DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtUnloadDriver 7C91DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!RtlAllocateHeap 7C9200C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!LdrUnloadDll 7C92738B 5 Bytes JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!LdrGetProcedureAddress 7C927EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!OpenServiceW 77DB6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!OpenServiceA 77DC4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!CreateServiceA 77E07211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!CreateServiceW 77E073A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] USER32.dll!EndTask 7E3AA0A5 5 Bytes JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ole32.dll!CoGetClassObject 774E56C5 5 Bytes JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteExW 7E6B996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteEx 7E6F0EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteA 7E6F11E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteW 7E765D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
|
13.11.2009, 17:24 | #21 |
/// Selecta Jahrusso | Windows XP: slow shutdown, rootkit / trojan already removed Did you run ComboFix once more? During these scans, the following must:
__________________ |
13.11.2009, 17:45 | #22 |
| Windows XP: slow shutdown, rootkit / trojan already removed I did run ComboFix, and I switched off the scanners beforehand. What I posted is the current log. The internet must have been off; the scan ran without problems. I'll do RootRepeal right away. |
13.11.2009, 17:58 | #23 |
| Windows XP: slow shutdown, rootkit / trojan already removed RootRepeal was done surprisingly fast (under 2 minutes): Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/13 17:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: afwyikod.sys
Image Path: C:\DOKUME~1\Liebig\LOKALE~1\Temp\afwyikod.sys
Address: 0xB6855000 Size: 91136 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB82A0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB453E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xB6DE4000 Size: 97280 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xB6F08000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\dokumente und einstellungen\liebig\lokale einstellungen\temp\etilqs_gpwutkdtda6queykj9hr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\dokumente und einstellungen\liebig\lokale einstellungen\temp\etilqs_gqdpzx1zm9wgxgkm3lh3
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\dokumente und einstellungen\liebig\anwendungsdaten\flock\browser\profiles\ti1dzm8r.default\flock-data.sqlite-journal
Status: Size mismatch (API: 5672, Raw: 4640)

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587d46

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587250

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85878ea

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb9e4977e

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587132

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8589254

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858952c

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb9e49774

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb9e49783

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb9e4978d

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8586a5a

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8588ed6

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb9e49792

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85874d4

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587b2e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb9e49760

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587764

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb9e49765

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8588688

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb9e4979c

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85889f0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb9e49797

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8588c72

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8589084

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb9e49788

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858746e

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587658

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb9e4976f

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8586eca

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xb6f086d0

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b308

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ba2c

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b43c

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b8ec

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b57c

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b6b0

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b188

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a3da

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ae58

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b7ea

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858abc6

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ad08

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a8aa

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a112

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a55c

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a708

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858afa8

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858aa6c

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b09e

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a282

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ba92

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858bcc6

==EOF==
Many thanks for any support, and a nice weekend to everyone. Cu, Steffen Last edited by ElSteffe (13.11.2009 at 18:09) |
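Reading the two listings above by hand (the GMER user-mode and kernel-IAT hooks in post #20, and the RootRepeal SSDT/hidden-file listing in this post) comes down to grouping hundreds of near-identical lines by the module that installed each hook and then asking which owners are expected on this machine. The script below is an added example written for this page; it is not code from the thread, from GMER or from RootRepeal. It parses the three line formats seen above, counts hooks per owner, and flags what a human should look at first: hooks RootRepeal attributes to "<unknown>" (clustered by 4 KiB code page, since hooks landing in one page almost always come from a single driver), hooks from any module not on the analyst's allowlist, and files that only the raw disk view sees. The allowlist (COMODO's guard32.dll, inspect.sys, cmdguard.sys, cmdhlp.sys and uphcleanhlp.sys) and the sample lines are an assumption taken from the modules named in the posted logs; the script reports, it does not decide whether a hook is malicious.

```python
"""Triage helper for GMER / RootRepeal hook listings.

Groups every hook by the module that owns it and flags what a human should
look at first: hooks RootRepeal attributes to "<unknown>", hooks from any
module not on the analyst's allowlist, and files only the raw disk view sees.
"""
import re
from collections import defaultdict

# Assumption: hookers already identified on this machine (the COMODO and
# UPHClean modules named in the thread); anything else is listed for review.
KNOWN_HOOKERS = {"guard32.dll", "inspect.sys", "cmdguard.sys", "cmdhlp.sys",
                 "uphcleanhlp.sys"}

# GMER inline hook: .text <proc>[pid] <mod!func> <addr> <n> Bytes JMP <addr> <owner> (<vendor>)
GMER_INLINE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>\S+!\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes\s+(?P<rest>.*)$")
GMER_JMP = re.compile(r"JMP [0-9A-F]{8} (?P<path>\S+) \((?P<vendor>[^)]*)\)")
# GMER kernel IAT hook: IAT <driver>[<import>] [<addr>] <owner> (<vendor>)
GMER_IAT = re.compile(
    r"^IAT\s+(?P<proc>\S+?)\[(?P<target>[^\]]+)\]\s+\[(?P<addr>[0-9A-F]+)\]\s+"
    r"(?P<path>\S+) \((?P<vendor>[^)]*)\)$")
# RootRepeal SSDT / Shadow SSDT entry
RR_SSDT = re.compile(
    r'^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<target>\S+)\s+Status:\s*'
    r'Hooked by "(?P<path>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')
# RootRepeal hidden/locked file entry (Path and Status joined on one line)
RR_FILE = re.compile(r"^Path:\s*(?P<path>.+?)\s+Status:\s*(?P<status>.+)$")


def owner_name(path):
    """Reduce an owner path to its lower-case file name; '<unknown>' stays as is."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Return (hooks, hidden): hook dicts with kind/proc/target/addr/owner, hidden-file dicts."""
    hooks, hidden, pending = [], [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # RootRepeal prints Path: and Status: on separate lines; join them first
        if line.startswith("Path:") and "Status:" not in line:
            pending = line
            continue
        if line.startswith("Status:") and pending:
            line, pending = pending + " " + line, None
        m = GMER_INLINE.match(line)
        if m:
            j = GMER_JMP.search(m["rest"])
            # "OpenFile + 3 ... [7E, 93] {JLE ...}" is the tail of the same 5-byte
            # patch shown as raw bytes, not a second hook owner
            owner = owner_name(j["path"]) if j else "(patch tail)"
            hooks.append(dict(kind="inline", proc=m["proc"], target=m["target"],
                              addr=int(m["addr"], 16), owner=owner))
            continue
        m = GMER_IAT.match(line)
        if m:
            hooks.append(dict(kind="iat", proc=m["proc"], target=m["target"],
                              addr=int(m["addr"], 16), owner=owner_name(m["path"])))
            continue
        m = RR_SSDT.match(line)
        if m:
            hooks.append(dict(kind="ssdt", proc="kernel", target=m["target"],
                              addr=int(m["addr"], 16), owner=owner_name(m["path"])))
            continue
        m = RR_FILE.match(line)
        if m and "Locked" not in m["status"]:  # "Locked to the Windows API" is normal for hiberfil.sys
            hidden.append(dict(path=m["path"], status=m["status"]))
    return hooks, hidden


def triage(lines, known=KNOWN_HOOKERS):
    """Group hooks by owner and single out the ones that need a human."""
    hooks, hidden = parse(lines)
    by_owner = defaultdict(int)
    for h in hooks:
        by_owner[h["owner"]] += 1
    suspicious = [h for h in hooks if h["owner"] not in known and h["owner"] != "(patch tail)"]
    # Unattributed hooks in the same 4 KiB code page almost always belong to one
    # driver; cluster them so the analyst sees one module rather than N hooks.
    pages = defaultdict(list)
    for h in suspicious:
        if h["owner"] == "<unknown>":
            pages[h["addr"] >> 12].append(h["target"])
    return {"by_owner": dict(by_owner), "suspicious": suspicious,
            "unknown_pages": {hex(p << 12): sorted(t) for p, t in pages.items()},
            "hidden": hidden}


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE = r"""
.text C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
#: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85878ea
#: 041 Function Name: NtCreateKey Status: Hooked by "<unknown>" at address 0xb9e4977e
#: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0xb9e49760
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\dokumente und einstellungen\liebig\lokale einstellungen\temp\etilqs_gpwutkdtda6queykj9hr
Status: Allocation size mismatch (API: 4096, Raw: 0)
""".strip().splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("hooks per owner:", report["by_owner"])
    for h in report["suspicious"]:
        print(f"REVIEW {h['kind']:6} {h['target']:28} owner={h['owner']} at {h['addr']:#x}")
    print("unattributed hooks per code page:", report["unknown_pages"])
    for f in report["hidden"]:
        print("REVIEW hidden:", f["path"], "->", f["status"])
```

To run it over the real files, replace SAMPLE with `open(path, encoding="latin-1").read().splitlines()` for each log; the parser joins RootRepeal's two-line Path/Status entries itself. The useful output is the "unattributed hooks per code page" line: on this machine every "<unknown>" SSDT hook sits in one page at 0xb9e49000, which is the address range to resolve (e.g. against a loaded-module list with base and size) before anything is declared a rootkit. Hooks owned by the firewall's and HIPS's own modules are expected and are only counted.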
13.11.2009, 19:04 | #24 |
/// Selecta Jahrusso | Windows XP: slow shutdown, rootkit / trojan already removed And who said anything about "running it once more"? Scripting with ComboFix
Code:
File::
c:\windows\system32\39.tmp
Note: The script above was created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, since it can permanently damage the system.
__________________ Regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to strike back and support us! TB Akademie |
13.11.2009, 19:31 | #25 |
| Windows XP: slow shutdown, rootkit / trojan already removed *laughs* Sorry, there is a misunderstanding here. You had not posted your ComboFix instructions in my thread at all; the business of dragging the tmp file over is completely new to me. Short explanation: when I came here, I had already used ComboFix. See my remark "ComboFix reported a rootkit and disinfected the file". After that I uninstalled ComboFix and deleted the log, because the rootkit seemed to be gone. Only when the error nevertheless came back did I come to this forum. So the "running it again" never actually took place. Rather, it was a fresh download and run, so that I could post a log, i.e. the result of the scan, here. The whole point is to find out what might still be haunting the system after the disinfection and causing the slow shutdowns. Perhaps we could have skipped the ComboFix business; the log with the name of the disinfected file unfortunately no longer exists. But I will now carry out the procedure you described last. Perhaps the resulting log will add something, even though I do not understand what dragging a text file with a filename in it (well, at least I now know where that file, which I had already noticed, comes from *g*) onto the ComboFix icon is supposed to accomplish. Presumably that file is then used somehow. I just have no idea about scripts or the contents of the file, so I am probably missing a piece of the puzzle :-). Last edited by ElSteffe (13.11.2009 at 20:28) |
13.11.2009, 20:23 | #26 |
| Windows XP: slow shutdown, rootkit / trojan already removed Here is the ComboFix log, including the temp file: Code:
ComboFix 09-11-13.06 - Liebig 13.11.2009 20:06.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1535.1024 [GMT 1:00]
Running from:: c:\dokumente und einstellungen\Liebig\Desktop\ComboFix.exe
Command switches used :: c:\dokumente und einstellungen\Liebig\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated) {804E5358-FFA4-011E-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-010C-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-011C-0D24-347CA8A3377C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows\system32\39.tmp"
.
((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 ))))))))))))))))))))))))))))))
.
2009-11-12 19:19 . 2009-11-12 19:19 -------- d-----w- c:\programme\microsoft frontpage
2009-11-12 12:40 . 2009-11-12 12:40 -------- d---a-w- c:\windows\rundll16.exe
2009-11-12 11:55 . 2009-11-12 11:55 -------- d-----w- c:\programme\Gemeinsame Dateien\MicroWorld
2009-11-11 22:05 . 2009-11-11 22:05 -------- d---a-w- c:\windows\VDLL.DLL
2009-11-11 22:05 . 2009-11-11 22:05 -------- d---a-w- c:\windows\system32\runouce.exe
2009-11-11 22:05 . 2009-11-11 22:05 -------- d---a-w- c:\windows\RUNDL132.EXE
2009-11-11 22:02 . 2009-11-11 22:02 632064 ----a-w- c:\windows\system32\msvcr80.dll
2009-11-11 22:02 . 2009-11-11 22:02 554240 ----a-w- c:\windows\system32\msvcp80.dll
2009-11-11 22:02 . 2009-11-11 22:02 34048 ----a-w- c:\windows\system32\eEmpty.exe
2009-11-11 22:02 . 2008-04-14 02:23 140800 ----a-w- c:\windows\system32\T.COM
2009-11-11 22:02 . 2008-04-14 02:22 153600 ----a-w- c:\windows\R.COM
2009-11-11 18:37 . 2009-11-11 18:37 -------- d-----r- c:\dokumente und einstellungen\NetworkService\Favoriten
2009-11-11 18:36 . 2009-11-11 18:36 -------- d-sh--w- c:\dokumente und einstellungen\NetworkService\IETldCache
2009-11-10 16:33 . 2009-11-10 16:33 -------- d-----w- C:\Brother
2009-11-10 12:14 . 2008-05-18 17:54 9216 ----a-w- c:\windows\system32\drivers\videX32.sys
2009-11-08 15:12 . 2009-03-25 05:29 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2009-11-08 15:12 . 2009-03-03 11:18 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2009-11-08 14:19 . 2006-09-20 15:25 5627904 ----a-w- c:\windows\system32\nvdisps.dll
2009-11-08 14:19 . 2006-09-20 15:25 2904064 ----a-w- c:\windows\system32\nvvitvs.dll
2009-11-08 14:19 . 2006-09-20 15:25 2035712 ----a-w- c:\windows\system32\nvwss.dll
2009-11-08 14:19 . 2006-09-20 15:25 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-11-08 14:19 . 2006-09-20 15:25 888832 ----a-w- c:\windows\system32\nvmobls.dll
2009-11-08 14:19 . 2006-09-20 15:25 3051520 ----a-w- c:\windows\system32\nvgames.dll
2009-11-06 14:34 . 2009-11-10 23:05 -------- d-----w- c:\programme\Setup Files
2009-11-05 19:02 . 2009-11-05 19:02 158312 ----a-w- c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-11-04 13:36 . 2009-11-10 21:54 -------- d-----w- c:\programme\Uniblue
2009-11-03 23:22 . 2009-11-03 23:22 152576 ----a-w- c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-20 10:35 . 2009-08-06 17:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-20 10:35 . 2008-10-16 13:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-10-20 10:35 . 2009-08-06 17:24 35552 -c--a-w- c:\windows\system32\dllcache\wups.dll
2009-10-20 10:35 . 2009-08-06 17:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-20 10:35 . 2008-10-16 13:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-10-20 10:35 . 2008-10-16 13:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-20 10:35 . 2008-10-16 13:09 51224 ------w- c:\windows\system32\wuauclt.exe
2009-10-20 10:35 . 2008-10-16 13:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-10-20 10:35 . 2008-10-16 13:09 92696 ----a-w- c:\windows\system32\cdm.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 19:29 . 2009-06-25 16:47 -------- d-----w- c:\programme\Trillian
2009-11-11 19:26 . 2008-08-10 01:05 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-11-10 23:31 . 2008-02-22 19:24 -------- d-----w- c:\programme\Flock
2009-11-10 20:59 . 2004-08-04 12:00 86770 ----a-w- c:\windows\system32\perfc007.dat
2009-11-10 20:59 . 2004-08-04 12:00 501756 ----a-w- c:\windows\system32\perfh007.dat
2009-11-10 16:33 . 2008-12-09 17:01 50 ----a-w- c:\windows\system32\bridf06a.dat
2009-11-10 16:32 . 2009-03-28 15:47 57 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-11-07 15:46 . 2006-01-27 11:34 -------- d-----w- c:\programme\AVM_update
2009-11-06 16:32 . 2009-09-03 16:35 586107 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-11-06 16:32 . 2009-09-03 16:35 2093432 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-11-05 16:39 . 2009-11-04 13:37 -------- d-----w- c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Uniblue
2009-11-05 16:39 . 2009-11-05 16:38 -------- dc-h--w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-11-05 16:38 . 2006-01-27 14:08 69392 ----a-w- c:\dokumente und einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-11-05 14:21 . 2009-09-03 16:35 422261 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-11-05 14:21 . 2009-09-03 16:35 364916 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-11-05 14:21 . 2009-09-03 16:35 184694 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-11-04 00:25 . 2008-05-01 13:05 -------- d-----w- c:\programme\UPHClean
2009-11-03 23:23 . 2006-03-23 18:27 -------- d-----w- c:\programme\Java
2009-11-01 08:43 . 2007-08-17 19:36 -------- d-----w- c:\programme\Eumex 504PC USB
2009-10-29 18:38 . 2009-11-05 16:39 2838480 -c--a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}\speedupmypc2009.exe
2009-10-17 12:31 . 2009-03-19 16:54 -------- d-----w- c:\programme\Avira
2009-10-15 10:10 . 2006-01-26 11:36 -------- d-----w- c:\programme\Gemeinsame Dateien\Adobe
2009-10-12 17:21 . 2006-01-27 20:17 -------- d-----w- c:\programme\Winamp
2009-10-11 03:17 . 2008-12-26 16:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 22:15 . 2009-09-03 16:35 479604 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-10-02 22:15 . 2009-09-03 16:35 393587 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-09-19 12:11 . 2008-01-02 19:26 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-19 12:11 . 2008-01-02 19:26 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-19 12:11 . 2008-01-02 19:26 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-19 12:11 . 2008-01-02 19:26 132296 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2009-09-16 13:07 . 2006-01-29 15:26 -------- d-----w- c:\programme\ChessBase
2009-09-15 15:58 . 2009-09-03 16:35 106867 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-09-11 14:17 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 15:24 . 2009-09-03 16:35 237940 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-09-03 15:24 . 2009-09-03 16:35 127346 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2009-08-29 07:54 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 19:41 . 2009-08-26 19:41 152576 ----a-w- c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-26 18:11 . 2009-03-19 16:54 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-02-28 11:30 . 2008-02-28 11:30 14852 ----a-w- c:\programme\settings.dat
2006-10-26 18:40 . 2006-10-26 18:40 13 ----a-w- c:\programme\ATT00019.txt
.
------- Sigcheck -------

[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
.
(((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-20 7680000] "COMODO Firewall Pro"="c:\programme\COMODO\Firewall\cfp.exe" [2009-09-19 1799952] "UnlockerAssistant"="c:\programme\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696] "FreePDF Assistant"="c:\programme\FreePDF_XP\fpassist.exe" [2008-07-22 357376] "avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "SSBkgdUpdate"="c:\programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648] "PaperPort PTD"="c:\programme\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393] "IndexSearch"="c:\programme\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960] "BrMfcWnd"="c:\programme\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592] "ControlCenter3"="c:\programme\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824] "COMODO Internet Security"="c:\programme\COMODO\Firewall\cfp.exe" [2009-09-19 1799952] "SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-10-11 149280] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-20 86016] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-10 1519616] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\guard32.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "d:\\Daten_alt\\Programme\\Zubehör\\Backgammon\\backgw32.exe"= R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [02.01.2008 20:26 132296] R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [02.01.2008 20:26 25160] R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [19.03.2009 17:54 108289] R2 AVMPORT;AVMPORT;c:\windows\system32\drivers\avmport.sys [27.01.2006 23:55 59520] R2 CAPI20;Eumex 504PC USB;c:\windows\system32\drivers\Capi20.sys [17.08.2007 20:36 964428] R3 AVMCOWAN;AVMCOWAN;c:\windows\system32\drivers\avmcowan.sys [24.11.2005 01:00 53632] R3 fpcibase;FRITZ!Card PCI;c:\windows\system32\drivers\fpcibase.sys [26.01.2006 11:46 537600] S2 DETEWECP;Telekom ISDN Port;c:\windows\system32\drivers\detewecp.sys [17.08.2007 20:36 38480] S3 AVMWAN;NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmwan.sys [26.01.2006 11:46 38608] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\39.tmp --> c:\windows\system32\39.tmp [?] S3 MsibiosDevice;MsibiosDevice;\??\c:\programme\MSI\Live Update 4\LU4\msibios.sys --> c:\programme\MSI\Live Update 4\LU4\msibios.sys [?] S3 NETFRITZ;AVM FRITZ!web PPP over ISDN;c:\windows\system32\drivers\Netfritz.sys [27.01.2006 12:44 316928] S3 WEBNTACCESS;WEBNTACCESS;c:\windows\system32\Ntaccess.sys [14.04.2008 02:21 17920] S4 SAVAdminService;Sophos Anti-Virus Statusreporter;"c:\programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe [?] S4 SAVService;Sophos Anti-Virus;"c:\programme\Sophos\Sophos Anti-Virus\SavService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SavService.exe [?] 
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys --> c:\windows\system32\DRIVERS\SophosBootDriver.sys [?] --- Andere Dienste/Treiber im Speicher --- *Deregistered* - afwyikod *Deregistered* - mbr *Deregistered* - PROCEXP113 *Deregistered* - uphcleanhlp . . ------- Zusätzlicher Suchlauf ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = iexplore DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-13 20:19 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwClose, ZwOpenFile Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\39.tmp" . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(808) c:\windows\system32\guard32.dll - - - - - - - > 'lsass.exe'(864) c:\windows\system32\guard32.dll - - - - - - - > 'explorer.exe'(7504) c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Zeit der Fertigstellung: 2009-11-13 20:21 ComboFix-quarantined-files.txt 2009-11-13 19:21 ComboFix2.txt 2009-11-13 19:02 ComboFix3.txt 2009-11-13 15:03 Vor Suchlauf: 10 Verzeichnis(se), 22.460.784.640 Bytes frei Nach Suchlauf: 12 Verzeichnis(se), 22.443.253.760 Bytes frei - - End Of File - - 30048EF9FC21C713C35980A01DAD8446 |
14.11.2009, 14:28 | #27 |
/// Selecta Jahrusso | Step 1: Please run Malwarebytes according to the instructions. Step 2: Custom scan with OTL
Code:
netsvcs
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
__________________ Regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to strike back and support us! TB Akademie |
15.11.2009, 14:01 | #28 |
| Malwarebytes found nothing: Code:
Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3174
Windows 5.1.2600 Service Pack 3

15.11.2009 13:55:17
mbam-log-2009-11-15 (13-55-17).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 132670
Laufzeit: 23 minute(s), 14 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
15.11.2009, 14:12 | #29 |
| OTL, Part I (an Extras.txt was not created this time *strange*): Code:
ATTFilter OTL by OldTimer - Version 3.1.5.0 Folder = C:\Dokumente und Einstellungen\Liebig\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,50 Gb Total Physical Memory | 1,13 Gb Available Physical Memory | 75,23% Memory free 4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free Paging file location(s): [Binary data over 100 bytes] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 29,29 Gb Total Space | 20,92 Gb Free Space | 71,41% Space Free | Partition Type: NTFS Drive D: | 45,23 Gb Total Space | 41,96 Gb Free Space | 92,77% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: LIEBIG-2DA4E295 Current User Name: Liebig Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Minimal Quick Scan ========== Processes (SafeList) ========== PRC - C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) ========== Modules (SafeList) ========== MOD - C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\guard32.dll (COMODO) MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation) MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (Sophos AutoUpdate Service) -- File not found SRV - (SAVService) -- File not found SRV - (SAVAdminService) -- File not found SRV - (MySql) -- File not found SRV - (JavaQuickStarterService) -- C:\Programme\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.) 
SRV - (cmdAgent) -- C:\Programme\COMODO\Firewall\cmdagent.exe (COMODO) SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation) SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation) SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation) SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation) SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation) SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation) SRV - (UPHClean) -- C:\Programme\UPHClean\uphclean.exe (Microsoft Corporation) SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet 
Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 96 3E E4 49 FA 4F CA 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [2009.09.15 16:13:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Mozilla\Extensions [2009.09.15 16:13:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b} O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (PicLens for Internet Explorer) - {53349B29-8E4B-447A-9068-5C83EB591753} - C:\Programme\PicLensIE\PicLens.dll (Cooliris Inc.) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) 
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found. O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [BrMfcWnd] C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe () O4 - HKLM..\Run: [COMODO Firewall Pro] C:\Programme\COMODO\Firewall\cfp.exe (COMODO) O4 - HKLM..\Run: [COMODO Internet Security] C:\Programme\COMODO\Firewall\cfp.exe (COMODO) O4 - HKLM..\Run: [ControlCenter3] C:\Programme\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de) O4 - HKLM..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.) O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe () O4 - HKLM..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.) O4 - HKLM..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.) O4 - HKLM..\Run: [SSBkgdUpdate] C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [UnlockerAssistant] C:\Programme\Unlocker\UnlockerAssistant.exe () O4 - HKCU..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.) 
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe File not found O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} Reg Error: Key error. 
(YInstStarter Class) O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/de/scan8/oscan8.cab (Reg Error: Key error.) O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll 
(Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation) O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.01.26 11:54:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: (*) - File not found O34 - HKLM BootExecute: (OODBS) - File not found O35 - comfile [open] -- "%1" %* File not found O35 - exefile [open] -- "%1" %* File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2006.01.26 11:54:19 | 00,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: Nwsapagent - File not found NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation) ========== Files/Folders - Created Within 14 Days ========== [2009.11.15 13:30:38 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Malwarebytes [2009.11.15 13:30:13 | 00,038,224 | ---- | C] (Malwarebytes 
Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009.11.15 13:30:11 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes [2009.11.15 13:30:10 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009.11.15 13:30:10 | 00,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2009.11.15 13:28:38 | 04,045,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\Liebig\Desktop\mbam-setup.exe [2009.11.13 20:35:59 | 00,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Liebig\Recent [2009.11.13 19:44:53 | 00,000,000 | RHSD | C] -- C:\cmdcons [2009.11.13 19:40:03 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2009.11.13 19:40:03 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2009.11.13 19:40:03 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2009.11.13 19:40:03 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2009.11.13 19:38:39 | 00,000,000 | ---D | C] -- C:\Qoobox [2009.11.13 17:50:45 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Desktop\RootRepeal [2009.11.13 16:09:01 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe [2009.11.13 16:03:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp [2009.11.13 15:45:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2009.11.12 20:19:58 | 00,000,000 | ---D | C] -- C:\Programme\xerox [2009.11.12 20:19:58 | 00,000,000 | ---D | C] -- C:\Programme\movie maker [2009.11.12 20:19:57 | 00,000,000 | ---D | C] -- C:\Programme\netmeeting [2009.11.12 20:19:57 | 00,000,000 | ---D | C] -- C:\Programme\msn gaming zone [2009.11.12 20:19:56 | 00,000,000 | ---D | C] -- C:\Programme\windows media player [2009.11.12 20:19:56 | 00,000,000 | ---D | C] -- C:\Programme\microsoft frontpage [2009.11.12 17:04:32 | 00,000,000 | ---D | C] -- C:\Config.Msi [2009.11.12 13:40:13 | 00,000,000 | ---D | C] -- 
C:\WINDOWS\rundll16.exe [2009.11.12 12:55:25 | 00,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\MicroWorld [2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\VDLL.DLL [2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\runouce.exe [2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\RUNDL132.EXE [2009.11.11 23:02:19 | 00,034,048 | ---- | C] (MicroWorld Technologies Inc.) -- C:\WINDOWS\System32\eEmpty.exe [2009.11.10 17:33:23 | 00,000,000 | ---D | C] -- C:\Brother [2009.11.08 16:12:56 | 00,130,432 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\drivers\Rtnicxp.sys [2009.11.06 15:34:21 | 00,000,000 | ---D | C] -- C:\Programme\Setup Files [2009.11.05 19:39:29 | 00,000,000 | ---D | C] -- D:\Liebig\Eigene Dateien\My Drivers [2009.11.05 17:38:45 | 00,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275} [2009.11.04 14:37:08 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Uniblue [2009.11.04 14:36:57 | 00,000,000 | ---D | C] -- C:\Programme\Uniblue [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] |
15.11.2009, 14:13 | #30 |
| OTL, Part II: Code:
========== Files - Modified Within 14 Days ==========
[2009.11.15 13:30:24 | 00,000,682 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009.11.15 13:28:38 | 04,045,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\Liebig\Desktop\mbam-setup.exe
[2009.11.15 13:17:49 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.11.15 13:17:29 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009.11.15 13:15:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.11.15 13:15:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.11.15 13:15:27 | 16,101,41696 | -HS- | M] () -- C:\hiberfil.sys
[2009.11.14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009.11.13 20:36:00 | 07,864,320 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\NTUSER.DAT
[2009.11.13 20:36:00 | 00,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Liebig\ntuser.ini
[2009.11.13 20:32:19 | 00,000,177 | ---- | M] () -- C:\WINDOWS\ChssBase.ini
[2009.11.13 20:19:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009.11.13 19:44:59 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009.11.13 19:38:20 | 03,559,628 | R--- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\ComboFix.exe
[2009.11.13 18:03:01 | 05,455,908 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Sportkongress_2009_auswahl.zip
[2009.11.13 17:50:09 | 00,464,491 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RootRepeal.zip
[2009.11.13 16:19:35 | 00,291,840 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe
[2009.11.13 16:09:11 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe
[2009.11.12 20:28:24 | 00,001,592 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Trillian.lnk
[2009.11.12 12:55:51 | 00,000,028 | ---- | M] () -- C:\WINDOWS\Lic.xxx
[2009.11.12 00:58:39 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009.11.11 23:02:18 | 00,034,048 | ---- | M] (MicroWorld Technologies Inc.) -- C:\WINDOWS\System32\eEmpty.exe
[2009.11.10 21:59:08 | 01,158,866 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.11.10 21:59:08 | 00,501,756 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2009.11.10 21:59:08 | 00,483,428 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.11.10 21:59:08 | 00,086,770 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2009.11.10 21:59:08 | 00,072,906 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009.11.10 17:53:32 | 00,000,425 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2009.11.10 17:53:32 | 00,000,027 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2009.11.10 17:49:30 | 00,294,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009.11.10 17:33:59 | 00,001,011 | ---- | M] () -- C:\WINDOWS\Brpfx04a.ini
[2009.11.10 17:33:59 | 00,000,149 | ---- | M] () -- C:\WINDOWS\brpcfx.ini
[2009.11.10 17:33:59 | 00,000,050 | ---- | M] () -- C:\WINDOWS\System32\bridf06a.dat
[2009.11.09 19:01:47 | 06,384,498 | -H-- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2009.11.05 17:56:03 | 00,000,709 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\CommandDispatchers.xml
[2009.11.05 17:56:00 | 00,001,367 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\cleaner-config.xml
[2009.11.05 17:39:13 | 00,000,845 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC 2009.lnk
[2009.11.05 17:38:41 | 00,069,392 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[2009.11.04 15:35:04 | 00,000,844 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RegistryBooster.lnk
[2009.11.04 14:48:42 | 00,000,991 | ---- | M] () -- C:\WINDOWS\win.ini
[2009.11.04 14:48:42 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========
[2009.11.15 13:30:24 | 00,000,682 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009.11.13 19:44:59 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009.11.13 19:44:55 | 00,262,448 | ---- | C] () -- C:\cmldr
[2009.11.13 19:40:03 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009.11.13 19:40:03 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009.11.13 19:40:03 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009.11.13 19:40:03 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009.11.13 19:40:03 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009.11.13 19:38:13 | 03,559,628 | R--- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\ComboFix.exe
[2009.11.13 18:03:01 | 05,455,908 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Sportkongress_2009_auswahl.zip
[2009.11.13 17:50:05 | 00,464,491 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RootRepeal.zip
[2009.11.13 16:19:34 | 00,291,840 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe
[2009.11.12 02:42:50 | 16,101,41696 | -HS- | C] () -- C:\hiberfil.sys
[2009.11.11 23:02:52 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Lic.xxx
[2009.11.11 23:02:20 | 00,000,522 | ---- | C] () -- C:\WINDOWS\System32\Microsoft.VC80.CRT.manifest
[2009.11.08 16:12:56 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009.11.05 17:56:01 | 00,000,709 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\CommandDispatchers.xml
[2009.11.05 17:56:00 | 00,001,367 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\cleaner-config.xml
[2009.11.05 17:39:13 | 00,000,845 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC 2009.lnk
[2009.11.04 15:34:22 | 00,000,844 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RegistryBooster.lnk
[2009.03.28 16:48:04 | 00,027,114 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009.03.19 19:47:16 | 00,000,521 | ---- | C] () -- C:\WINDOWS\my.ini
[2009.03.11 18:48:37 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2009.03.11 18:48:37 | 00,033,244 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2008.12.09 18:06:32 | 00,000,425 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008.12.09 18:06:32 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008.12.09 18:01:40 | 00,001,011 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008.12.09 18:01:40 | 00,000,149 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008.12.09 18:00:00 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008.10.16 16:23:30 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx13_ic.ini
[2008.10.16 16:23:29 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\CSVSpecialProcessing.dll
[2008.10.16 16:23:29 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\SARzilla.dll
[2008.05.01 18:53:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OODCNT.INI
[2008.05.01 15:40:57 | 06,384,498 | -H-- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2008.03.11 17:10:48 | 00,000,079 | ---- | C] () -- C:\WINDOWS\SW_Win2000X1.DLL
[2008.03.11 17:10:42 | 00,000,027 | ---- | C] () -- C:\WINDOWS\SW_Win2146X32.DLL
[2008.03.11 17:06:56 | 00,004,106 | ---- | C] () -- C:\WINDOWS\CX_SearchHistory.INI
[2008.02.28 14:23:02 | 00,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2008.02.28 13:16:17 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2008.02.28 12:30:38 | 00,014,852 | ---- | C] () -- C:\Programme\settings.dat
[2008.02.01 08:18:14 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007.11.06 16:31:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\LiveBilliards.INI
[2007.09.10 14:27:35 | 00,049,253 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\FASTWiz.log
[2007.05.08 17:13:10 | 00,000,035 | ---- | C] () -- C:\WINDOWS\System32\backgw.ini
[2006.10.26 19:40:43 | 00,000,013 | ---- | C] () -- C:\Programme\ATT00019.txt
[2006.07.11 17:55:45 | 00,000,336 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006.06.29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006.06.29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006.05.02 23:38:24 | 00,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006.04.18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006.04.18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006.03.10 19:47:43 | 00,000,215 | ---- | C] () -- C:\WINDOWS\AntiDial.ini
[2006.02.08 15:37:23 | 00,000,305 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html
[2006.01.29 16:32:17 | 00,000,177 | ---- | C] () -- C:\WINDOWS\ChssBase.ini
[2006.01.28 14:59:47 | 00,000,487 | ---- | C] () -- C:\WINDOWS\Capictrl.INI
[2006.01.28 02:31:15 | 00,001,706 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\iwatch.txt
[2006.01.28 00:00:44 | 00,000,059 | ---- | C] () -- C:\WINDOWS\WINPHONE.INI
[2006.01.27 21:18:03 | 00,000,508 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.01.27 21:17:41 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2006.01.27 19:06:02 | 00,038,400 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006.01.27 15:08:49 | 00,069,392 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[2006.01.26 15:05:13 | 00,000,139 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2006.01.26 14:11:10 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2006.01.26 12:48:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ZDDBView.INI
[2006.01.26 12:48:21 | 00,000,022 | ---- | C] () -- C:\WINDOWS\zdbui32.ini
[2006.01.26 12:00:50 | 00,000,062 | -HS- | C] () -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\desktop.ini
[2006.01.26 11:44:46 | 00,000,062 | -HS- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
[2005.12.10 03:06:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005.12.10 03:06:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005.12.10 03:06:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005.12.10 03:06:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005.12.10 03:06:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005.12.10 03:06:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005.12.10 03:06:00 | 00,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.08.04 13:00:00 | 00,000,991 | ---- | C] () -- C:\WINDOWS\win.ini
[2004.08.04 13:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002.03.04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1999.01.22 19:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========
[2009.08.30 16:08:51 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Canneverbe Limited
[2007.09.20 16:04:03 | 00,000,000 | -H-D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
[2009.02.12 16:52:15 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\n7-89-o9-3r-4t-r9
[2009.03.28 16:47:37 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft
[2009.11.11 20:26:48 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
[2009.11.05 17:39:14 | 00,000,000 | -H-D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
[2008.12.14 18:42:41 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Canneverbe_Limited
[2008.01.14 17:32:45 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\ChessBase
[2008.02.22 20:27:19 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Flock
[2008.07.01 21:51:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\ICQ
[2009.05.19 21:28:54 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\MySQL
[2008.12.09 18:37:12 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\PC-FAX TX
[2009.04.21 17:03:17 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\ScanSoft
[2009.11.05 17:39:42 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Uniblue
[2004.08.04 13:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009.11.15 13:15:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=52532E3216CC137EF44AFC758A0435D8 -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys

========== Alternate Data Streams ==========
@Alternate Data Stream - 147 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:D1B5B4F1
@Alternate Data Stream - 114 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8

< End of report >