
Windows XP: slow shutdown, rootkit / trojan already removed (Trojaner-Board thread, forum: Plagegeister aller Art und deren Bekämpfung)


13.11.2009, 17:04   #16
ElSteffe

GMER, part IX:

Code:
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtAllocateVirtualMemory               7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtClose                               7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtCreateFile                          7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtCreateProcess                       7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtCreateProcessEx                     7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtDeleteFile                          7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtFreeVirtualMemory                   7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtLoadDriver                          7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtOpenFile                            7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtProtectVirtualMemory                7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtSetInformationProcess               7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtUnloadDriver                        7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!NtWriteVirtualMemory                  7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!RtlAllocateHeap                       7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!LdrLoadDll                            7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!LdrUnloadDll                          7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ntdll.dll!LdrGetProcedureAddress                7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CreateFileA                        7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!VirtualProtect                     7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!LoadLibraryExW                     7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!LoadLibraryExA                     7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!LoadLibraryA                       7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CreateProcessW                     7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CreateProcessA                     7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!GetProcAddress                     7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!LoadLibraryW                       7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!GetModuleHandleA                   7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!GetModuleHandleW                   7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CreateFileW                        7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!MoveFileWithProgressW              7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!MoveFileW                          7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!OpenFile                           7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!OpenFile + 3                       7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CopyFileExW                        7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CopyFileA                          7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CopyFileW                          7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!DeleteFileA                        7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!DeleteFileW                        7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!MoveFileExW                        7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!MoveFileA                          7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!MoveFileWithProgressA              7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!MoveFileExA                        7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!CopyFileExA                        7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!WinExec                            7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] kernel32.dll!LoadModule                         7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] USER32.dll!EndTask                              7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ADVAPI32.dll!OpenServiceW                       77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ADVAPI32.dll!OpenServiceA                       77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ADVAPI32.dll!CreateServiceA                     77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] ADVAPI32.dll!CreateServiceW                     77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] SHELL32.dll!ShellExecuteExW                     7E6B996B 5 Bytes  JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] SHELL32.dll!ShellExecuteEx                      7E6F0EB5 5 Bytes  JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] SHELL32.dll!ShellExecuteA                       7E6F11E0 5 Bytes  JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avguard.exe[2032] SHELL32.dll!ShellExecuteW                       7E765D48 5 Bytes  JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtAllocateVirtualMemory                         7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtClose                                         7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtCreateFile                                    7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtCreateProcess                                 7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtCreateProcessEx                               7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtDeleteFile                                    7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtFreeVirtualMemory                             7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtLoadDriver                                    7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtOpenFile                                      7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtProtectVirtualMemory                          7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtSetInformationProcess                         7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtUnloadDriver                                  7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!NtWriteVirtualMemory                            7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!RtlAllocateHeap                                 7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!LdrLoadDll                                      7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!LdrUnloadDll                                    7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ntdll.dll!LdrGetProcedureAddress                          7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CreateFileA                                  7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!VirtualProtect                               7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!LoadLibraryExW                               7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!LoadLibraryExA                               7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!LoadLibraryA                                 7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CreateProcessW                               7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CreateProcessA                               7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!GetProcAddress                               7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!LoadLibraryW                                 7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!GetModuleHandleA                             7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!GetModuleHandleW                             7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CreateFileW                                  7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!MoveFileWithProgressW                        7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!MoveFileW                                    7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!OpenFile                                     7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!OpenFile + 3                                 7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CopyFileExW                                  7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CopyFileA                                    7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CopyFileW                                    7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!DeleteFileA                                  7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!DeleteFileW                                  7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!MoveFileExW                                  7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!MoveFileA                                    7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!MoveFileWithProgressA                        7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!MoveFileExA                                  7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!CopyFileExA                                  7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!WinExec                                      7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] kernel32.dll!LoadModule                                   7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] USER32.dll!EndTask                                        7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ADVAPI32.dll!OpenServiceW                                 77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ADVAPI32.dll!OpenServiceA                                 77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ADVAPI32.dll!CreateServiceA                               77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ADVAPI32.dll!CreateServiceW                               77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ole32.dll!CoCreateInstanceEx                              774D0526 5 Bytes  JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\FreePDF_XP\fpassist.exe[2112] ole32.dll!CoGetClassObject                                774E56C5 5 Bytes  JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

13.11.2009, 17:06   #17
ElSteffe

GMER, part X:

Code:
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtAllocateVirtualMemory                 7C91CF6E 5 Bytes  JMP 00391950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtClose                                 7C91CFEE 5 Bytes  JMP 00398B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtCreateFile                            7C91D0AE 5 Bytes  JMP 003918D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtCreateProcess                         7C91D14E 5 Bytes  JMP 00391890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtCreateProcessEx                       7C91D15E 5 Bytes  JMP 003919B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtDeleteFile                            7C91D23E 5 Bytes  JMP 00391910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtFreeVirtualMemory                     7C91D38E 5 Bytes  JMP 00391A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtLoadDriver                            7C91D46E 5 Bytes  JMP 00391970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtOpenFile                              7C91D59E 5 Bytes  JMP 003918F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtProtectVirtualMemory                  7C91D6EE 5 Bytes  JMP 00391930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtSetInformationProcess                 7C91DC9E 5 Bytes  JMP 003919D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtUnloadDriver                          7C91DEBE 5 Bytes  JMP 00391990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!NtWriteVirtualMemory                    7C91DFAE 5 Bytes  JMP 003918B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!RtlAllocateHeap                         7C9200C4 5 Bytes  JMP 00391A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!LdrLoadDll                              7C9263C3 5 Bytes  JMP 00394550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!LdrUnloadDll                            7C92738B 5 Bytes  JMP 00398A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ntdll.dll!LdrGetProcedureAddress                  7C927EA8 5 Bytes  JMP 003919F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CreateFileA                          7C801A28 5 Bytes  JMP 00391B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!VirtualProtect                       7C801AD4 5 Bytes  JMP 00391D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!LoadLibraryExW                       7C801AF5 7 Bytes  JMP 00391AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!LoadLibraryExA                       7C801D53 5 Bytes  JMP 00391AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!LoadLibraryA                         7C801D7B 5 Bytes  JMP 00391D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CreateProcessW                       7C802336 5 Bytes  JMP 00391A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CreateProcessA                       7C80236B 5 Bytes  JMP 00391A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!GetProcAddress                       7C80AE40 5 Bytes  JMP 00391A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!LoadLibraryW                         7C80AEEB 5 Bytes  JMP 00391D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!GetModuleHandleA                     7C80B741 5 Bytes  JMP 00391CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!GetModuleHandleW                     7C80E4DD 5 Bytes  JMP 00391D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CreateFileW                          7C810800 5 Bytes  JMP 00391B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileWithProgressW                7C81F72E 5 Bytes  JMP 00391C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileW                            7C821261 5 Bytes  JMP 00391C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!OpenFile                             7C821982 2 Bytes  JMP 00391B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!OpenFile + 3                         7C821985 2 Bytes  [B7, 83] {MOV BH, 0x83}
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CopyFileExW                          7C827B32 7 Bytes  JMP 00391BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CopyFileA                            7C8286EE 5 Bytes  JMP 00391B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CopyFileW                            7C82F87B 5 Bytes  JMP 00391B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!DeleteFileA                          7C831EDD 5 Bytes  JMP 00391CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!DeleteFileW                          7C831F63 5 Bytes  JMP 00391CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileExW                          7C83568B 5 Bytes  JMP 00391C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileA                            7C835EBF 5 Bytes  JMP 00391BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileWithProgressA                7C835EDE 5 Bytes  JMP 00391C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileExA                          7C85E49B 5 Bytes  JMP 00391C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!CopyFileExA                          7C85F39C 5 Bytes  JMP 00391BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!WinExec                              7C86250D 5 Bytes  JMP 00391D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!LoadModule                           7C86261E 5 Bytes  JMP 00391AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] USER32.dll!EndTask                                7E3AA0A5 5 Bytes  JMP 00398700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ADVAPI32.dll!OpenServiceW                         77DB6FFD 7 Bytes  JMP 00391480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ADVAPI32.dll!OpenServiceA                         77DC4C66 7 Bytes  JMP 00391640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ADVAPI32.dll!CreateServiceA                       77E07211 7 Bytes  JMP 00391000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ADVAPI32.dll!CreateServiceW                       77E073A9 7 Bytes  JMP 00391250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] SHELL32.dll!ShellExecuteExW                       7E6B996B 5 Bytes  JMP 00391E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] SHELL32.dll!ShellExecuteEx                        7E6F0EB5 5 Bytes  JMP 00391DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] SHELL32.dll!ShellExecuteA                         7E6F11E0 5 Bytes  JMP 00391DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] SHELL32.dll!ShellExecuteW                         7E765D48 5 Bytes  JMP 00391DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ole32.dll!CoCreateInstanceEx                      774D0526 5 Bytes  JMP 00398450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] ole32.dll!CoGetClassObject                        774E56C5 5 Bytes  JMP 00398590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtAllocateVirtualMemory                 7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtClose                                 7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtCreateFile                            7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtCreateProcess                         7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtCreateProcessEx                       7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtDeleteFile                            7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtFreeVirtualMemory                     7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtLoadDriver                            7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtOpenFile                              7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtProtectVirtualMemory                  7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtSetInformationProcess                 7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtUnloadDriver                          7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!NtWriteVirtualMemory                    7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!RtlAllocateHeap                         7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!LdrLoadDll                              7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!LdrUnloadDll                            7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ntdll.dll!LdrGetProcedureAddress                  7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CreateFileA                          7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!VirtualProtect                       7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!LoadLibraryExW                       7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!LoadLibraryExA                       7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!LoadLibraryA                         7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CreateProcessW                       7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CreateProcessA                       7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!GetProcAddress                       7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!LoadLibraryW                         7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!GetModuleHandleA                     7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!GetModuleHandleW                     7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CreateFileW                          7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileWithProgressW                7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileW                            7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!OpenFile                             7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!OpenFile + 3                         7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CopyFileExW                          7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CopyFileA                            7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CopyFileW                            7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!DeleteFileA                          7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!DeleteFileW                          7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileExW                          7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileA                            7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileWithProgressA                7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileExA                          7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!CopyFileExA                          7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!WinExec                              7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!LoadModule                           7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] USER32.dll!EndTask                                7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!OpenServiceW                         77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!OpenServiceA                         77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!CreateServiceA                       77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ADVAPI32.dll!CreateServiceW                       77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteExW                       7E6B996B 5 Bytes  JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteEx                        7E6F0EB5 5 Bytes  JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteA                         7E6F11E0 5 Bytes  JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] SHELL32.dll!ShellExecuteW                         7E765D48 5 Bytes  JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ole32.dll!CoCreateInstanceEx                      774D0526 5 Bytes  JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] ole32.dll!CoGetClassObject                        774E56C5 5 Bytes  JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
         

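The GMER listing above is a user-mode hook inventory: every `.text` line names a process and PID, a hooked export, the patched address, how many bytes changed and where the patch jumps. Reading it by hand for dozens of processes is error-prone, so here is an added example (not part of the original post and not GMER's own code) that parses this line format and reduces it to the three questions a responder asks of such a listing: which processes are hooked, which module the hooks land in, and whether GMER could attribute that module to a vendor. The sample input is four lines copied from the posted log plus one constructed line (`unknown.dll` at `00A71000`, a hypothetical path that does not appear in the log) so that the unattributed-hook check has something to catch. `Hook`, `parse_gmer_hooks` and the other names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: four lines copied from the posted GMER log plus one
# hypothetical line (unknown.dll at 00A71000, NOT from the log) that carries no
# "(Product/Vendor)" tag, so the unattributed-hook check has something to report.
SAMPLE_LOG = r"""
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!MoveFileW                            7C821261 5 Bytes  JMP 00391C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!OpenFile                             7C821982 2 Bytes  JMP 00391B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Avira\AntiVir Desktop\avgnt.exe[2120] kernel32.dll!OpenFile + 3                         7C821985 2 Bytes  [B7, 83] {MOV BH, 0x83}
.text           C:\Programme\ScanSoft\PaperPort\pptd40nt.exe[2160] kernel32.dll!MoveFileW                            7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtClose                                             7C91CFEE 5 Bytes  JMP 00A71000 C:\WINDOWS\system32\unknown.dll
"""


@dataclass
class Hook:
    process: str                        # image path of the hooked process
    pid: int
    module: str                         # DLL whose export was patched, e.g. kernel32.dll
    function: str                       # export name
    offset: int                         # 0, or N for a "function + N" continuation line
    address: int                        # patched virtual address
    nbytes: int                         # bytes GMER reports as changed at that address
    target: Optional[int] = None        # JMP destination; None for raw-byte lines
    hook_module: Optional[str] = None   # DLL the JMP lands in
    vendor: Optional[str] = None        # GMER's "(Product/Vendor)" tag, None if absent
    raw_bytes: Optional[str] = None     # e.g. "B7, 83" on continuation lines
    disasm: Optional[str] = None        # GMER's decoding of those bytes


# One ".text" hook line: process[pid] module!function[ + offset] address N Bytes <rest>
LINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.+?)\s*$"
)
# <rest> is either "JMP <target> <path> [(Product/Vendor)]" ...
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})\s+(?P<hook_module>.+?)(?:\s+\((?P<vendor>[^)]*)\))?$")
# ... or the remaining patched bytes of the same hook: "[B7, 83] {MOV BH, 0x83}"
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-F, ]+)\]\s+\{(?P<disasm>[^}]*)\}$")


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Parse the user-mode '.text' hook lines of a GMER log; other sections are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h = Hook(process=m["process"], pid=int(m["pid"]), module=m["module"],
                 function=m["function"], offset=int(m["offset"] or 0),
                 address=int(m["address"], 16), nbytes=int(m["nbytes"]))
        j, b = JMP_RE.match(m["rest"]), BYTES_RE.match(m["rest"])
        if j:
            h.target, h.hook_module, h.vendor = int(j["target"], 16), j["hook_module"], j["vendor"]
        elif b:
            h.raw_bytes, h.disasm = b["bytes"], b["disasm"]
        hooks.append(h)
    return hooks


def summarize_by_process(hooks: List[Hook]) -> Dict[Tuple[str, int], dict]:
    """Per (process, pid): number of redirected exports and the modules/vendors they jump into."""
    out: Dict[Tuple[str, int], dict] = {}
    for h in hooks:
        if h.target is None:          # continuation lines belong to the hook above them
            continue
        entry = out.setdefault((h.process, h.pid), {"hooks": 0, "modules": set(), "vendors": set()})
        entry["hooks"] += 1
        entry["modules"].add(h.hook_module)
        entry["vendors"].add(h.vendor)
    return out


def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose destination module carries no vendor tag: the ones that deserve a second look."""
    return [h for h in hooks if h.target is not None and not h.vendor]


def target_offsets_by_export(hooks: List[Hook]) -> Dict[str, Set[int]]:
    """Map 'module!function' -> set of (target & 0xFFFF) over all processes.

    Image bases are 64 KB aligned, so the low 16 bits of a JMP target equal the low
    16 bits of the RVA inside the destination DLL whatever base it was mapped at.
    A single value per export across many processes means every process is sent into
    the same code of the same DLL, even when the absolute targets differ
    (00391C10 in avgnt.exe versus 10001C10 in pptd40nt.exe in the posted log)."""
    out: Dict[str, Set[int]] = defaultdict(set)
    for h in hooks:
        if h.target is not None:
            out[f"{h.module}!{h.function}"].add(h.target & 0xFFFF)
    return dict(out)


if __name__ == "__main__":
    parsed = parse_gmer_hooks(SAMPLE_LOG)
    for (proc, pid), info in summarize_by_process(parsed).items():
        print(f"{proc}[{pid}]: {info['hooks']} hooks -> {sorted(info['modules'])} {sorted(map(str, info['vendors']))}")
    for h in unattributed_hooks(parsed):
        print(f"UNATTRIBUTED: {h.process}[{h.pid}] {h.module}!{h.function} -> {h.target:08X} {h.hook_module}")
```

In the posted log every hook resolves to `C:\WINDOWS\system32\guard32.dll` with a COMODO attribution, i.e. the user-mode component of the installed COMODO Internet Security that injects into each process, so `unattributed_hooks` returns nothing for it; the constructed `unknown.dll` line shows what a hit looks like. Hooks into a signed, vendor-attributed HIPS module are expected on a machine running that product and are not by themselves evidence of the rootkit; the lines worth chasing are those with no vendor tag or with a target outside a known product directory. The parser tolerates any run of spaces, which matters because forum rendering often collapses GMER's column alignment.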
13.11.2009, 17:07   #18
ElSteffe

Windows XP: slow shutdown, rootkit / trojan already removed

GMER, part XI:

Code:
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtAllocateVirtualMemory                       7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtClose                                       7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtCreateFile                                  7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtCreateProcess                               7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtCreateProcessEx                             7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtDeleteFile                                  7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtFreeVirtualMemory                           7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtLoadDriver                                  7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtOpenFile                                    7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtProtectVirtualMemory                        7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtSetInformationProcess                       7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtUnloadDriver                                7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!NtWriteVirtualMemory                          7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!RtlAllocateHeap                               7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!LdrLoadDll                                    7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!LdrUnloadDll                                  7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ntdll.dll!LdrGetProcedureAddress                        7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CreateFileA                                7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!VirtualProtect                             7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!LoadLibraryExW                             7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!LoadLibraryExA                             7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!LoadLibraryA                               7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CreateProcessW                             7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CreateProcessA                             7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!GetProcAddress                             7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!LoadLibraryW                               7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!GetModuleHandleA                           7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!GetModuleHandleW                           7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CreateFileW                                7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!MoveFileWithProgressW                      7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!MoveFileW                                  7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!OpenFile                                   7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!OpenFile + 3                               7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CopyFileExW                                7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CopyFileA                                  7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CopyFileW                                  7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!DeleteFileA                                7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!DeleteFileW                                7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!MoveFileExW                                7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!MoveFileA                                  7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!MoveFileWithProgressA                      7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!MoveFileExA                                7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!CopyFileExA                                7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!WinExec                                    7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] kernel32.dll!LoadModule                                 7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ADVAPI32.dll!OpenServiceW                               77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ADVAPI32.dll!OpenServiceA                               77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ADVAPI32.dll!CreateServiceA                             77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ADVAPI32.dll!CreateServiceW                             77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] USER32.dll!EndTask                                      7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] WININET.dll!InternetConnectA                            408CDEAE 5 Bytes  JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] WININET.dll!InternetConnectW                            408CF862 5 Bytes  JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ole32.dll!CoCreateInstanceEx                            774D0526 5 Bytes  JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] ole32.dll!CoGetClassObject                              774E56C5 5 Bytes  JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] SHELL32.dll!ShellExecuteExW                             7E6B996B 5 Bytes  JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] SHELL32.dll!ShellExecuteEx                              7E6F0EB5 5 Bytes  JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] SHELL32.dll!ShellExecuteA                               7E6F11E0 5 Bytes  JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Programme\Java\jre6\bin\jusched.exe[2240] SHELL32.dll!ShellExecuteW                               7E765D48 5 Bytes  JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtAllocateVirtualMemory                             7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtClose                                             7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtCreateFile                                        7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtCreateProcess                                     7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtCreateProcessEx                                   7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtDeleteFile                                        7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtFreeVirtualMemory                                 7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtLoadDriver                                        7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtOpenFile                                          7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtProtectVirtualMemory                              7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtSetInformationProcess                             7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtUnloadDriver                                      7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!NtWriteVirtualMemory                                7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!RtlAllocateHeap                                     7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!LdrLoadDll                                          7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!LdrUnloadDll                                        7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ntdll.dll!LdrGetProcedureAddress                              7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CreateFileA                                      7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!VirtualProtect                                   7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!LoadLibraryExW                                   7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!LoadLibraryExA                                   7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!LoadLibraryA                                     7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CreateProcessW                                   7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CreateProcessA                                   7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!GetProcAddress                                   7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!LoadLibraryW                                     7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!GetModuleHandleA                                 7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!GetModuleHandleW                                 7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CreateFileW                                      7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!MoveFileWithProgressW                            7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!MoveFileW                                        7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!OpenFile                                         7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!OpenFile + 3                                     7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CopyFileExW                                      7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CopyFileA                                        7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CopyFileW                                        7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!DeleteFileA                                      7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!DeleteFileW                                      7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!MoveFileExW                                      7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!MoveFileA                                        7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!MoveFileWithProgressA                            7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!MoveFileExA                                      7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!CopyFileExA                                      7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!WinExec                                          7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] kernel32.dll!LoadModule                                       7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] USER32.dll!EndTask                                            7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ADVAPI32.dll!OpenServiceW                                     77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ADVAPI32.dll!OpenServiceA                                     77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ADVAPI32.dll!CreateServiceA                                   77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ADVAPI32.dll!CreateServiceW                                   77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ole32.dll!CoCreateInstanceEx                                  774D0526 5 Bytes  JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] ole32.dll!CoGetClassObject                                    774E56C5 5 Bytes  JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] SHELL32.dll!ShellExecuteExW                                   7E6B996B 5 Bytes  JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] SHELL32.dll!ShellExecuteEx                                    7E6F0EB5 5 Bytes  JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] SHELL32.dll!ShellExecuteA                                     7E6F11E0 5 Bytes  JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\RUNDLL32.EXE[2248] SHELL32.dll!ShellExecuteW                                     7E765D48 5 Bytes  JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

13.11.2009, 17:09   #19
ElSteffe

Windows XP: slow shutdown, rootkit / trojan already removed

GMER, Part XII:

Code:
ATTFilter
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtAllocateVirtualMemory                               7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtClose                                               7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtCreateFile                                          7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtCreateProcess                                       7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtCreateProcessEx                                     7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtDeleteFile                                          7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtFreeVirtualMemory                                   7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtLoadDriver                                          7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtOpenFile                                            7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtProtectVirtualMemory                                7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtSetInformationProcess                               7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtUnloadDriver                                        7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!NtWriteVirtualMemory                                  7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!RtlAllocateHeap                                       7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!LdrLoadDll                                            7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!LdrUnloadDll                                          7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ntdll.dll!LdrGetProcedureAddress                                7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CreateFileA                                        7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!VirtualProtect                                     7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!LoadLibraryExW                                     7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!LoadLibraryExA                                     7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!LoadLibraryA                                       7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CreateProcessW                                     7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CreateProcessA                                     7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!GetProcAddress                                     7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!LoadLibraryW                                       7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!GetModuleHandleA                                   7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!GetModuleHandleW                                   7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CreateFileW                                        7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!MoveFileWithProgressW                              7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!MoveFileW                                          7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!OpenFile                                           7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!OpenFile + 3                                       7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CopyFileExW                                        7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CopyFileA                                          7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CopyFileW                                          7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!DeleteFileA                                        7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!DeleteFileW                                        7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!MoveFileExW                                        7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!MoveFileA                                          7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!MoveFileWithProgressA                              7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!MoveFileExA                                        7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!CopyFileExA                                        7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!WinExec                                            7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] kernel32.dll!LoadModule                                         7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ADVAPI32.dll!OpenServiceW                                       77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ADVAPI32.dll!OpenServiceA                                       77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ADVAPI32.dll!CreateServiceA                                     77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ADVAPI32.dll!CreateServiceW                                     77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] USER32.dll!EndTask                                              7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ole32.dll!CoCreateInstanceEx                                    774D0526 5 Bytes  JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] ole32.dll!CoGetClassObject                                      774E56C5 5 Bytes  JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] SHELL32.dll!ShellExecuteExW                                     7E6B996B 5 Bytes  JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] SHELL32.dll!ShellExecuteEx                                      7E6F0EB5 5 Bytes  JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] SHELL32.dll!ShellExecuteA                                       7E6F11E0 5 Bytes  JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\WINDOWS\system32\ctfmon.exe[2288] SHELL32.dll!ShellExecuteW                                       7E765D48 5 Bytes  JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
         

13.11.2009, 17:10   #20
ElSteffe

Windows XP: slow shutdown, rootkit / trojan already removed

GMER, final part:

Code:
ATTFilter
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtAllocateVirtualMemory   7C91CF6E 5 Bytes  JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtClose                   7C91CFEE 5 Bytes  JMP 10008B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtCreateFile              7C91D0AE 5 Bytes  JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtCreateProcess           7C91D14E 5 Bytes  JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtCreateProcessEx         7C91D15E 5 Bytes  JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtDeleteFile              7C91D23E 5 Bytes  JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtFreeVirtualMemory       7C91D38E 5 Bytes  JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtLoadDriver              7C91D46E 5 Bytes  JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtOpenFile                7C91D59E 5 Bytes  JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtProtectVirtualMemory    7C91D6EE 5 Bytes  JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtSetInformationProcess   7C91DC9E 5 Bytes  JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtUnloadDriver            7C91DEBE 5 Bytes  JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!NtWriteVirtualMemory      7C91DFAE 5 Bytes  JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!RtlAllocateHeap           7C9200C4 5 Bytes  JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!LdrLoadDll                7C9263C3 5 Bytes  JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!LdrUnloadDll              7C92738B 5 Bytes  JMP 10008A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ntdll.dll!LdrGetProcedureAddress    7C927EA8 5 Bytes  JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateFileA            7C801A28 5 Bytes  JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!VirtualProtect         7C801AD4 5 Bytes  JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryExW         7C801AF5 7 Bytes  JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryExA         7C801D53 5 Bytes  JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryA           7C801D7B 5 Bytes  JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateProcessW         7C802336 5 Bytes  JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateProcessA         7C80236B 5 Bytes  JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!GetProcAddress         7C80AE40 5 Bytes  JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadLibraryW           7C80AEEB 5 Bytes  JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!GetModuleHandleA       7C80B741 5 Bytes  JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!GetModuleHandleW       7C80E4DD 5 Bytes  JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CreateFileW            7C810800 5 Bytes  JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileWithProgressW  7C81F72E 5 Bytes  JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileW              7C821261 5 Bytes  JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!OpenFile               7C821982 2 Bytes  JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!OpenFile + 3           7C821985 2 Bytes  [7E, 93] {JLE 0xffffffffffffff95}
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileExW            7C827B32 7 Bytes  JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileA              7C8286EE 5 Bytes  JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileW              7C82F87B 5 Bytes  JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!DeleteFileA            7C831EDD 5 Bytes  JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!DeleteFileW            7C831F63 5 Bytes  JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileExW            7C83568B 5 Bytes  JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileA              7C835EBF 5 Bytes  JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileWithProgressA  7C835EDE 5 Bytes  JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!MoveFileExA            7C85E49B 5 Bytes  JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!CopyFileExA            7C85F39C 5 Bytes  JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!WinExec                7C86250D 5 Bytes  JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] kernel32.dll!LoadModule             7C86261E 5 Bytes  JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!OpenServiceW           77DB6FFD 7 Bytes  JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!OpenServiceA           77DC4C66 7 Bytes  JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!CreateServiceA         77E07211 7 Bytes  JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ADVAPI32.dll!CreateServiceW         77E073A9 7 Bytes  JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] USER32.dll!EndTask                  7E3AA0A5 5 Bytes  JMP 10008700 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ole32.dll!CoCreateInstanceEx        774D0526 5 Bytes  JMP 10008450 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] ole32.dll!CoGetClassObject          774E56C5 5 Bytes  JMP 10008590 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteExW         7E6B996B 5 Bytes  JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteEx          7E6F0EB5 5 Bytes  JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteA           7E6F11E0 5 Bytes  JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text           C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe[2740] shell32.dll!ShellExecuteW           7E765D48 5 Bytes  JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter]                                  [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter]                                   [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol]                            [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol]                              [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]                             [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                  [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]                                 [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]                           [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]                             [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]                               [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]                                    [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]                                   [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]                              [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]                            [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]                                  [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                   [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                    [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                     [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                                [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]                             [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                               [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                                    [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                                   [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                              [F7463740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]                            [F7463780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                                  [F74636E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                                   [F74637B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                             cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                            cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                            cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                          cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                             fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
         


13.11.2009, 17:24   #21
Larusso
/// Selecta Jahrusso

Did you run ComboFix once more?

During these scans:
  • all other scanners for viruses, spyware, etc. must be disabled,
  • there must be no connection to a network/the internet (don't forget WLAN),
  • nothing else may be done on the computer,
  • the computer must be restarted after each scan.
Rootkit scan with RootRepeal
  • Go here, scroll down and download RootRepeal.zip.
  • Unpack the file to your desktop.
  • Double-click RootRepeal.exe to start the scanner.
  • Click the Report tab and then the Scan button.
  • Tick the following items and click Ok.
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • You will then be asked which drives should be scanned.
  • Select C:\ and click Ok again.
  • The scan starts automatically; it will take a while, please be patient.
  • When the scan has finished, click Save Report.
  • Save the log file as RootRepeal.txt on the desktop.
  • Copy its contents into this thread.

13.11.2009, 17:45   #22
ElSteffe

I ran ComboFix and turned the scanners off beforehand. What I posted is the current log. The internet must have been off, the scan ran without problems.

I'll do RootRepeal right away.

13.11.2009, 17:58   #23
ElSteffe

RootRepeal finished surprisingly fast (under 2 minutes):

Code:
ATTFilter
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/11/13 17:53
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: afwyikod.sys
Image Path: C:\DOKUME~1\Liebig\LOKALE~1\Temp\afwyikod.sys
Address: 0xB6855000	Size: 91136	File Visible: No	Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB82A0000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A5000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB453E000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xB6DE4000	Size: 97280	File Visible: No	Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xB6F08000	Size: 8960	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\dokumente und einstellungen\liebig\lokale einstellungen\temp\etilqs_gpwutkdtda6queykj9hr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\dokumente und einstellungen\liebig\lokale einstellungen\temp\etilqs_gqdpzx1zm9wgxgkm3lh3
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\dokumente und einstellungen\liebig\anwendungsdaten\flock\browser\profiles\ti1dzm8r.default\flock-data.sqlite-journal
Status: Size mismatch (API: 5672, Raw: 4640)

SSDT
-------------------
#: 011	Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587d46

#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587250

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85878ea

#: 041	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb9e4977e

#: 046	Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587132

#: 050	Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8589254

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858952c

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb9e49774

#: 063	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb9e49783

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb9e4978d

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8586a5a

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8588ed6

#: 098	Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb9e49792

#: 105	Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85874d4

#: 116	Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587b2e

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb9e49760

#: 125	Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587764

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb9e49765

#: 192	Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8588688

#: 193	Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb9e4979c

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb85889f0

#: 204	Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb9e49797

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8588c72

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8589084

#: 247	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb9e49788

#: 249	Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858746e

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587658

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb9e4976f

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8586eca

#: 263	Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xb6f086d0

Shadow SSDT
-------------------
#: 013	Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b308

#: 122	Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ba2c

#: 227	Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b43c

#: 233	Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b8ec

#: 237	Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b57c

#: 292	Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b6b0

#: 310	Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b188

#: 319	Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a3da

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ae58

#: 389	Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b7ea

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858abc6

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ad08

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a8aa

#: 465	Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a112

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a55c

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a708

#: 491	Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858afa8

#: 502	Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858aa6c

#: 509	Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b09e

#: 529	Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858a282

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858ba92

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858bcc6

==EOF==
         
I'm off for now, still have things to do. Over the weekend the longer shutdowns won't bother me much anyway, since I'm not online as often as during the week. So the evaluation of the logs can wait... even until sometime next week; I'll see it in my mailbox when there's news.

Many thanks for any support, and a nice weekend to everyone.

Cu, Steffen

Last edited by ElSteffe (13.11.2009 at 18:09)
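A first-pass triage of a RootRepeal report like the one above, as an added example (it is not part of the thread and not RootRepeal's own code). It parses RootRepeal's plain-text sections, groups the SSDT and Shadow SSDT hooks by the module that installed them, and singles out hooks RootRepeal attributed to "<unknown>" together with drivers whose file is not visible on disk. The sample report embedded in the block is a constructed excerpt with entries copied from the log above; the grouping and the "unresolved hooks within 64 bytes belong to one module" heuristic are this example's assumptions, not something RootRepeal computes.

```python
"""Triage a RootRepeal report: who owns each SSDT hook, which drivers hide their file?

Added example, not from the thread or from RootRepeal. SAMPLE_REPORT is a constructed
excerpt of the posted log (spaces instead of tabs; the regexes accept either).
"""
import re
from collections import defaultdict

# Section headings are a name on one line and a row of dashes on the next.
SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Shadow SSDT)\n-+\n", re.MULTILINE)
# One hook = two lines: "#: NNN  Function Name: X" / 'Status: Hooked by "owner" at address 0x...'
HOOK_RE = re.compile(
    r'^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*\n'
    r'Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)',
    re.MULTILINE,
)
# One driver = Name / Image Path / Address+Size+File Visible lines.
DRIVER_RE = re.compile(
    r"^Name:\s*(\S+)\nImage Path:\s*(.+)\nAddress:\s*(0x[0-9a-fA-F]+)\s+Size:\s*(\d+)\s+File Visible:\s*(\w+)",
    re.MULTILINE,
)
# Assumption of this example: unresolved hook stubs this close together come from one image.
CLUSTER_LIMIT = 64

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2009/11/13 17:53
==================================================

Drivers
-------------------
Name: afwyikod.sys
Image Path: C:\DOKUME~1\Liebig\LOKALE~1\Temp\afwyikod.sys
Address: 0xB6855000    Size: 91136    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB453E000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 011    Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb8587d46

#: 041    Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb9e4977e

#: 053    Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb9e49774

#: 122    Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb9e49760

#: 263    Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xb6f086d0

Shadow SSDT
-------------------
#: 013    Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb858b308

==EOF==
"""


def split_sections(report):
    """Map each section heading to the text beneath it, up to the next heading."""
    heads = list(SECTION_RE.finditer(report))
    return {
        m.group(1): report[m.end():(heads[i + 1].start() if i + 1 < len(heads) else len(report))]
        for i, m in enumerate(heads)
    }


def parse_hooks(body, table):
    """Hook entries of one table; addresses become ints so ranges can be compared."""
    return [{"table": table, "index": int(idx), "function": fn, "module": mod, "address": int(addr, 16)}
            for idx, fn, mod, addr in HOOK_RE.findall(body)]


def parse_drivers(body):
    return [{"name": name, "path": path, "base": int(base, 16), "size": int(size), "visible": vis == "Yes"}
            for name, path, base, size, vis in DRIVER_RE.findall(body)]


def triage(report):
    """Group hooks by owner, isolate unresolved ones, list drivers with no visible file."""
    sections = split_sections(report)
    hooks = parse_hooks(sections.get("SSDT", ""), "SSDT") + parse_hooks(sections.get("Shadow SSDT", ""), "Shadow SSDT")
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    unknown = [h for h in hooks if h["module"] == "<unknown>"]
    span = (min(h["address"] for h in unknown), max(h["address"] for h in unknown)) if unknown else None
    invisible = [d["name"] for d in parse_drivers(sections.get("Drivers", "")) if not d["visible"]]
    return {
        "by_module": dict(by_module),
        "unknown": unknown,
        "unknown_span": span,
        # True: one unattributed image, not several independent hookers.
        "unknown_clustered": span is not None and span[1] - span[0] < CLUSTER_LIMIT,
        "invisible_drivers": invisible,
    }


if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    for mod, fns in res["by_module"].items():
        print(f"{mod}: {', '.join(fns)}")
    if res["unknown_span"]:
        print("unresolved hooks span 0x%x..0x%x, clustered=%s" % (*res["unknown_span"], res["unknown_clustered"]))
    print("drivers without visible file:", res["invisible_drivers"])
```

Hooks with a named owner can be checked against the products known to be installed (cmdguard.sys is COMODO's driver, uphcleanhlp.sys belongs to the UPHClean folder the ComboFix log lists). The eleven "<unknown>" hooks in the posted log all land between 0xb9e49760 and 0xb9e4979c, a 60-byte window, which points to a single module RootRepeal could not name rather than eleven separate hookers; the next step is to find which loaded image contains that range (GMER's module list or a kernel debugger), not to treat each line as its own infection. The hooked set (registry create/set/delete, process and thread open/create/terminate) is the usual footprint of a behaviour blocker or self-protection driver as much as of a rootkit, so attribution decides the verdict. A randomly named driver in a Temp folder with "File Visible: No" is also what rootkit scanners themselves load while running; check whether it is still present after the scanner has been closed before reading anything into it.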

13.11.2009, 19:04   #24
Larusso
/// Selecta Jahrusso

And who said anything about "running it once more"?


Scripting with ComboFix
  • Open Notepad (Start => Accessories => Notepad) and copy the following text into the white field:
Code:
ATTFilter
File::
c:\windows\system32\39.tmp
         
Now save this file on the desktop as -> cfscript.txt
  • Then drag the file cfscript.txt with the right mouse button onto the ComboFix icon!

  • After that run ComboFix again, restart the system and post the ComboFix log


Note: The above script was created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, since it can permanently damage the system.
Regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators
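How a ComboFix service line turns into a File:: target, as an added example (not from the thread and not ComboFix's own code). ComboFix lists each non-default service or driver as R/S (running/stopped) plus start type, then name, display name and image path, and appends [?] in place of date and size when it cannot find the image on disk. The block parses those lines, flags images that live in a Temp folder or carry a .tmp name and entries whose binary is missing, and renders the File:: block in the form used above. The sample lines are constructed from the ComboFix log posted further down in this thread; the triage rules are this example's own, and anything it lists is a candidate to verify by hand, not an automatic deletion.

```python
"""Triage the service/driver entries of a ComboFix log.

Added example, not from the thread or from ComboFix. Line format handled:
  <R|S><start> <name>;<display>;<image> [dd.mm.yyyy hh:mm size]
  <R|S><start> <name>;<display>;<image> --> <resolved> [?]       (image not found)
SAMPLE_LINES is a constructed sample copied from the log posted in this thread.
"""
import re

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+(?:-->\s+(?P<resolved>.+?)\s+)?\[(?P<info>[^\]]*)\]\s*$"
)
# Example's own rule: a service binary named *.tmp or living under a temp folder is unusual.
TEMP_RE = re.compile(r"\.tmp$|\\(?:temp|tmp)\\", re.IGNORECASE)
NT_PREFIX = "\\??\\"

SAMPLE_LINES = r"""
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [02.01.2008 20:26 132296]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [19.03.2009 17:54 108289]
S3 AVMWAN;NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmwan.sys [26.01.2006 11:46 38608]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\39.tmp --> c:\windows\system32\39.tmp [?]
S3 MsibiosDevice;MsibiosDevice;\??\c:\programme\MSI\Live Update 4\LU4\msibios.sys --> c:\programme\MSI\Live Update 4\LU4\msibios.sys [?]
S4 SAVService;Sophos Anti-Virus;"c:\programme\Sophos\Sophos Anti-Virus\SavService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SavService.exe [?]
""".strip().splitlines()


def clean_path(p):
    """Strip the NT \\??\\ prefix and the quotes ComboFix echoes from the registry value."""
    p = p.strip().strip('"')
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_services(lines):
    """Parse ComboFix service lines; lines in any other format are skipped."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["start"] = int(d["start"])
        d["running"] = d["state"] == "R"
        d["path"] = clean_path(d["resolved"] or d["image"])
        d["missing"] = d["info"].strip() == "?"          # ComboFix could not stat the image
        out.append(d)
    return out


def triage_services(services):
    """Split entries into the groups a helper looks at first."""
    return {
        "temp_named": [s for s in services if TEMP_RE.search(s["path"])],
        "missing_binary": [s for s in services if s["missing"]],
        "running_temp": [s for s in services if s["running"] and TEMP_RE.search(s["path"])],
    }


def cfscript_for(services):
    """Render a File:: block in the form used in the thread, one path per line."""
    return "File::\n" + "".join(s["path"] + "\n" for s in services)


if __name__ == "__main__":
    found = triage_services(parse_services(SAMPLE_LINES))
    for group, entries in found.items():
        print(group + ":", ", ".join(f"{s['name']} -> {s['path']}" for s in entries) or "-")
    print(cfscript_for(found["temp_named"]), end="")
```

An entry with [?] is only an orphaned registration until the file is confirmed absent, and a stopped service (S) pointing at a .tmp file does nothing until something starts it; a running (R) service with a temp-named image is the one case that warrants immediate attention. ComboFix also has a Driver:: directive for removing the service registration itself; the File:: directive used above removes only the file.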

13.11.2009, 19:31   #25
ElSteffe

*laughs* sorry, there's a misunderstanding here

You hadn't posted your ComboFix instructions in my thread at all; the thing with dragging the tmp file over is completely new to me.

Brief explanation: when I came here, I had already used ComboFix. See my remark "ComboFix reported a rootkit and disinfected the file".

After that I uninstalled ComboFix and deleted the log, because the rootkit seemed to be gone. Only when the error came back anyway did I come to this forum. So the "run it once more" didn't take place at all. Rather it was a fresh download and run in order to be able to post a log or the result of the scan here. The whole point of this is to find out what could still be haunting the system after the disinfection and causing the slow shutdowns.

Maybe we could have skipped the ComboFix stuff; the log with the name of the disinfected file unfortunately no longer exists. But I'll now go through the procedure you described last. Maybe the resulting log will add something, even though I don't understand what dragging a text file with a filename in it (well, at least I now know where that file, which I'd already noticed, comes from *g*) onto the ComboFix icon is supposed to do. Presumably that file is then somehow used along with it. I just have no clue about scripts or the contents of the file, so I'm probably missing a piece of the puzzle as to its purpose :-).

Last edited by ElSteffe (13.11.2009 at 20:28)

13.11.2009, 20:23   #26
ElSteffe

Here is the ComboFix log including the temp file:

Code:
ATTFilter
ComboFix 09-11-13.06 - Liebig 13.11.2009 20:06.3.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1031.18.1535.1024 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Liebig\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Liebig\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning disabled* (Updated) {804E5358-FFA4-011E-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-010C-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virenschutz *On-access scanning enabled* (Updated) {804E5358-FFA4-011C-0D24-347CA8A3377C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows\system32\39.tmp"
.

(((((((((((((((((((((((   Dateien erstellt von 2009-10-13 bis 2009-11-13  ))))))))))))))))))))))))))))))
.

2009-11-12 19:19 . 2009-11-12 19:19	--------	d-----w-	c:\programme\microsoft frontpage
2009-11-12 12:40 . 2009-11-12 12:40	--------	d---a-w-	c:\windows\rundll16.exe
2009-11-12 11:55 . 2009-11-12 11:55	--------	d-----w-	c:\programme\Gemeinsame Dateien\MicroWorld
2009-11-11 22:05 . 2009-11-11 22:05	--------	d---a-w-	c:\windows\VDLL.DLL
2009-11-11 22:05 . 2009-11-11 22:05	--------	d---a-w-	c:\windows\system32\runouce.exe
2009-11-11 22:05 . 2009-11-11 22:05	--------	d---a-w-	c:\windows\RUNDL132.EXE
2009-11-11 22:02 . 2009-11-11 22:02	632064	----a-w-	c:\windows\system32\msvcr80.dll
2009-11-11 22:02 . 2009-11-11 22:02	554240	----a-w-	c:\windows\system32\msvcp80.dll
2009-11-11 22:02 . 2009-11-11 22:02	34048	----a-w-	c:\windows\system32\eEmpty.exe
2009-11-11 22:02 . 2008-04-14 02:23	140800	----a-w-	c:\windows\system32\T.COM
2009-11-11 22:02 . 2008-04-14 02:22	153600	----a-w-	c:\windows\R.COM
2009-11-11 18:37 . 2009-11-11 18:37	--------	d-----r-	c:\dokumente und einstellungen\NetworkService\Favoriten
2009-11-11 18:36 . 2009-11-11 18:36	--------	d-sh--w-	c:\dokumente und einstellungen\NetworkService\IETldCache
2009-11-10 16:33 . 2009-11-10 16:33	--------	d-----w-	C:\Brother
2009-11-10 12:14 . 2008-05-18 17:54	9216	----a-w-	c:\windows\system32\drivers\videX32.sys
2009-11-08 15:12 . 2009-03-25 05:29	130432	----a-w-	c:\windows\system32\drivers\Rtnicxp.sys
2009-11-08 15:12 . 2009-03-03 11:18	73728	----a-w-	c:\windows\system32\RtNicProp32.dll
2009-11-08 14:19 . 2006-09-20 15:25	5627904	----a-w-	c:\windows\system32\nvdisps.dll
2009-11-08 14:19 . 2006-09-20 15:25	2904064	----a-w-	c:\windows\system32\nvvitvs.dll
2009-11-08 14:19 . 2006-09-20 15:25	2035712	----a-w-	c:\windows\system32\nvwss.dll
2009-11-08 14:19 . 2006-09-20 15:25	188416	----a-w-	c:\windows\system32\nvmccss.dll
2009-11-08 14:19 . 2006-09-20 15:25	888832	----a-w-	c:\windows\system32\nvmobls.dll
2009-11-08 14:19 . 2006-09-20 15:25	3051520	----a-w-	c:\windows\system32\nvgames.dll
2009-11-06 14:34 . 2009-11-10 23:05	--------	d-----w-	c:\programme\Setup Files
2009-11-05 19:02 . 2009-11-05 19:02	158312	----a-w-	c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-11-04 13:36 . 2009-11-10 21:54	--------	d-----w-	c:\programme\Uniblue
2009-11-03 23:22 . 2009-11-03 23:22	152576	----a-w-	c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-20 10:35 . 2009-08-06 17:24	44768	----a-w-	c:\windows\system32\wups2.dll
2009-10-20 10:35 . 2008-10-16 13:13	202776	----a-w-	c:\windows\system32\wuweb.dll
2009-10-20 10:35 . 2009-08-06 17:24	35552	-c--a-w-	c:\windows\system32\dllcache\wups.dll
2009-10-20 10:35 . 2009-08-06 17:24	35552	----a-w-	c:\windows\system32\wups.dll
2009-10-20 10:35 . 2008-10-16 13:12	323608	----a-w-	c:\windows\system32\wucltui.dll
2009-10-20 10:35 . 2008-10-16 13:13	1809944	----a-w-	c:\windows\system32\wuaueng.dll
2009-10-20 10:35 . 2008-10-16 13:09	51224	------w-	c:\windows\system32\wuauclt.exe
2009-10-20 10:35 . 2008-10-16 13:12	561688	----a-w-	c:\windows\system32\wuapi.dll
2009-10-20 10:35 . 2008-10-16 13:09	92696	----a-w-	c:\windows\system32\cdm.dll

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 19:29 . 2009-06-25 16:47	--------	d-----w-	c:\programme\Trillian
2009-11-11 19:26 . 2008-08-10 01:05	--------	d---a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-11-10 23:31 . 2008-02-22 19:24	--------	d-----w-	c:\programme\Flock
2009-11-10 20:59 . 2004-08-04 12:00	86770	----a-w-	c:\windows\system32\perfc007.dat
2009-11-10 20:59 . 2004-08-04 12:00	501756	----a-w-	c:\windows\system32\perfh007.dat
2009-11-10 16:33 . 2008-12-09 17:01	50	----a-w-	c:\windows\system32\bridf06a.dat
2009-11-10 16:32 . 2009-03-28 15:47	57	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-11-07 15:46 . 2006-01-27 11:34	--------	d-----w-	c:\programme\AVM_update
2009-11-06 16:32 . 2009-09-03 16:35	586107	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-11-06 16:32 . 2009-09-03 16:35	2093432	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-11-05 16:39 . 2009-11-04 13:37	--------	d-----w-	c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Uniblue
2009-11-05 16:39 . 2009-11-05 16:38	--------	dc-h--w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-11-05 16:38 . 2006-01-27 14:08	69392	----a-w-	c:\dokumente und einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-11-05 14:21 . 2009-09-03 16:35	422261	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-11-05 14:21 . 2009-09-03 16:35	364916	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-11-05 14:21 . 2009-09-03 16:35	184694	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-11-04 00:25 . 2008-05-01 13:05	--------	d-----w-	c:\programme\UPHClean
2009-11-03 23:23 . 2006-03-23 18:27	--------	d-----w-	c:\programme\Java
2009-11-01 08:43 . 2007-08-17 19:36	--------	d-----w-	c:\programme\Eumex 504PC USB
2009-10-29 18:38 . 2009-11-05 16:39	2838480	-c--a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}\speedupmypc2009.exe
2009-10-17 12:31 . 2009-03-19 16:54	--------	d-----w-	c:\programme\Avira
2009-10-15 10:10 . 2006-01-26 11:36	--------	d-----w-	c:\programme\Gemeinsame Dateien\Adobe
2009-10-12 17:21 . 2006-01-27 20:17	--------	d-----w-	c:\programme\Winamp
2009-10-11 03:17 . 2008-12-26 16:42	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-10-02 22:15 . 2009-09-03 16:35	479604	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-10-02 22:15 . 2009-09-03 16:35	393587	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-09-19 12:11 . 2008-01-02 19:26	179792	----a-w-	c:\windows\system32\guard32.dll
2009-09-19 12:11 . 2008-01-02 19:26	87104	----a-w-	c:\windows\system32\drivers\inspect.sys
2009-09-19 12:11 . 2008-01-02 19:26	25160	----a-w-	c:\windows\system32\drivers\cmdhlp.sys
2009-09-19 12:11 . 2008-01-02 19:26	132296	----a-w-	c:\windows\system32\drivers\cmdGuard.sys
2009-09-16 13:07 . 2006-01-29 15:26	--------	d-----w-	c:\programme\ChessBase
2009-09-15 15:58 . 2009-09-03 16:35	106867	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-09-11 14:17 . 2004-08-04 12:00	136192	----a-w-	c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00	58880	----a-w-	c:\windows\system32\msasn1.dll
2009-09-03 15:24 . 2009-09-03 16:35	237940	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-09-03 15:24 . 2009-09-03 16:35	127346	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2009-08-29 07:54 . 2004-08-04 12:00	916480	------w-	c:\windows\system32\wininet.dll
2009-08-26 19:41 . 2009-08-26 19:41	152576	----a-w-	c:\dokumente und einstellungen\Liebig\Anwendungsdaten\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-26 18:11 . 2009-03-19 16:54	55656	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2009-08-26 08:00 . 2004-08-04 12:00	247326	----a-w-	c:\windows\system32\strmdll.dll
2008-02-28 11:30 . 2008-02-28 11:30	14852	----a-w-	c:\programme\settings.dat
2006-10-26 18:40 . 2006-10-26 18:40	13	----a-w-	c:\programme\ATT00019.txt
.

------- Sigcheck -------

[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-20 7680000]
"COMODO Firewall Pro"="c:\programme\COMODO\Firewall\cfp.exe" [2009-09-19 1799952]
"UnlockerAssistant"="c:\programme\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696]
"FreePDF Assistant"="c:\programme\FreePDF_XP\fpassist.exe" [2008-07-22 357376]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SSBkgdUpdate"="c:\programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\programme\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\programme\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\programme\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\programme\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"COMODO Internet Security"="c:\programme\COMODO\Firewall\cfp.exe" [2009-09-19 1799952]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-20 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-10 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Daten_alt\\Programme\\Zubehör\\Backgammon\\backgw32.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [02.01.2008 20:26 132296]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [02.01.2008 20:26 25160]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [19.03.2009 17:54 108289]
R2 AVMPORT;AVMPORT;c:\windows\system32\drivers\avmport.sys [27.01.2006 23:55 59520]
R2 CAPI20;Eumex 504PC USB;c:\windows\system32\drivers\Capi20.sys [17.08.2007 20:36 964428]
R3 AVMCOWAN;AVMCOWAN;c:\windows\system32\drivers\avmcowan.sys [24.11.2005 01:00 53632]
R3 fpcibase;FRITZ!Card PCI;c:\windows\system32\drivers\fpcibase.sys [26.01.2006 11:46 537600]
S2 DETEWECP;Telekom ISDN Port;c:\windows\system32\drivers\detewecp.sys [17.08.2007 20:36 38480]
S3 AVMWAN;NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmwan.sys [26.01.2006 11:46 38608]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\39.tmp --> c:\windows\system32\39.tmp [?]
S3 MsibiosDevice;MsibiosDevice;\??\c:\programme\MSI\Live Update 4\LU4\msibios.sys --> c:\programme\MSI\Live Update 4\LU4\msibios.sys [?]
S3 NETFRITZ;AVM FRITZ!web PPP over ISDN;c:\windows\system32\drivers\Netfritz.sys [27.01.2006 12:44 316928]
S3 WEBNTACCESS;WEBNTACCESS;c:\windows\system32\Ntaccess.sys [14.04.2008 02:21 17920]
S4 SAVAdminService;Sophos Anti-Virus Statusreporter;"c:\programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe [?]
S4 SAVService;Sophos Anti-Virus;"c:\programme\Sophos\Sophos Anti-Virus\SavService.exe" --> c:\programme\Sophos\Sophos Anti-Virus\SavService.exe [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys --> c:\windows\system32\DRIVERS\SophosBootDriver.sys [?]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - afwyikod
*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - uphcleanhlp
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 20:19
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\39.tmp"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(7504)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Zeit der Fertigstellung: 2009-11-13 20:21
ComboFix-quarantined-files.txt  2009-11-13 19:21
ComboFix2.txt  2009-11-13 19:02
ComboFix3.txt  2009-11-13 15:03

Vor Suchlauf: 10 Verzeichnis(se), 22.460.784.640 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 22.443.253.760 Bytes frei

- - End Of File - - 30048EF9FC21C713C35980A01DAD8446
         

14.11.2009, 14:28   #27
Larusso
/// Selecta Jahrusso

Windows XP: slow shutdown, rootkit / trojan already removed

Step 1

Please run Malwarebytes according to the guide.


Step 2

Custom scan with OTL
  • Please start OTL.exe.
    Vista users: right-click and choose "Run as administrator"
  • Now copy the content into the text box.
Code:
ATTFilter
netsvcs
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
         
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the contents of OTL.txt and Extra.txt into your thread here, in code tags.
__________________
Regards, Daniel

ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators

Learn to fight back and support us!
TB Akademie

15.11.2009, 14:01   #28
ElSteffe

Windows XP: slow shutdown, rootkit / trojan already removed

Malwarebytes found nothing:

Code:
ATTFilter
Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3174
Windows 5.1.2600 Service Pack 3

15.11.2009 13:55:17
mbam-log-2009-11-15 (13-55-17).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 132670
Laufzeit: 23 minute(s), 14 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
         
OTL will follow shortly. However, it may be that AntiVir cannot be shut down completely. At most it can be deactivated; not even Task Manager will let me shut down the Guard etc. We'll see whether it works.

15.11.2009, 14:12   #29
ElSteffe

Windows XP: slow shutdown, rootkit / trojan already removed

OTL, Part I (no Extras.txt was created this time *odd*):

Code:
ATTFilter
OTL by OldTimer - Version 3.1.5.0     Folder = C:\Dokumente und Einstellungen\Liebig\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,50 Gb Total Physical Memory | 1,13 Gb Available Physical Memory | 75,23% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): [Binary data over 100 bytes]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 29,29 Gb Total Space | 20,92 Gb Free Space | 71,41% Space Free | Partition Type: NTFS
Drive D: | 45,23 Gb Total Space | 41,96 Gb Free Space | 92,77% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: LIEBIG-2DA4E295
Current User Name: Liebig
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\guard32.dll (COMODO)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (Sophos AutoUpdate Service) --  File not found
SRV - (SAVService) --  File not found
SRV - (SAVAdminService) --  File not found
SRV - (MySql) --  File not found
SRV - (JavaQuickStarterService) -- C:\Programme\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (cmdAgent) -- C:\Programme\COMODO\Firewall\cmdagent.exe (COMODO)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (UPHClean) -- C:\Programme\UPHClean\uphclean.exe (Microsoft Corporation)
SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 96 3E E4 49 FA 4F CA 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
[2009.09.15 16:13:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Mozilla\Extensions
[2009.09.15 16:13:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b}
 
O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (PicLens for Internet Explorer) - {53349B29-8E4B-447A-9068-5C83EB591753} - C:\Programme\PicLensIE\PicLens.dll (Cooliris Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BrMfcWnd] C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [COMODO Firewall Pro] C:\Programme\COMODO\Firewall\cfp.exe (COMODO)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Programme\COMODO\Firewall\cfp.exe (COMODO)
O4 - HKLM..\Run: [ControlCenter3] C:\Programme\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Programme\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [QuickTime Task] C:\Programme\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe File not found
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} Reg Error: Key error. (YInstStarter Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/de/scan8/oscan8.cab (Reg Error: Key error.)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.01.26 11:54:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) -  File not found
O34 - HKLM BootExecute: (OODBS) -  File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
 
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006.01.26 11:54:19 | 00,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
 
========== Files/Folders - Created Within 14 Days ==========
 
[2009.11.15 13:30:38 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Malwarebytes
[2009.11.15 13:30:13 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009.11.15 13:30:11 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2009.11.15 13:30:10 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009.11.15 13:30:10 | 00,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2009.11.15 13:28:38 | 04,045,544 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Dokumente und Einstellungen\Liebig\Desktop\mbam-setup.exe
[2009.11.13 20:35:59 | 00,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Liebig\Recent
[2009.11.13 19:44:53 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009.11.13 19:40:03 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009.11.13 19:40:03 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009.11.13 19:40:03 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009.11.13 19:40:03 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009.11.13 19:38:39 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009.11.13 17:50:45 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Desktop\RootRepeal
[2009.11.13 16:09:01 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe
[2009.11.13 16:03:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009.11.13 15:45:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009.11.12 20:19:58 | 00,000,000 | ---D | C] -- C:\Programme\xerox
[2009.11.12 20:19:58 | 00,000,000 | ---D | C] -- C:\Programme\movie maker
[2009.11.12 20:19:57 | 00,000,000 | ---D | C] -- C:\Programme\netmeeting
[2009.11.12 20:19:57 | 00,000,000 | ---D | C] -- C:\Programme\msn gaming zone
[2009.11.12 20:19:56 | 00,000,000 | ---D | C] -- C:\Programme\windows media player
[2009.11.12 20:19:56 | 00,000,000 | ---D | C] -- C:\Programme\microsoft frontpage
[2009.11.12 17:04:32 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009.11.12 13:40:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\rundll16.exe
[2009.11.12 12:55:25 | 00,000,000 | ---D | C] -- C:\Programme\Gemeinsame Dateien\MicroWorld
[2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\VDLL.DLL
[2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\runouce.exe
[2009.11.11 23:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\RUNDL132.EXE
[2009.11.11 23:02:19 | 00,034,048 | ---- | C] (MicroWorld Technologies Inc.) -- C:\WINDOWS\System32\eEmpty.exe
[2009.11.10 17:33:23 | 00,000,000 | ---D | C] -- C:\Brother
[2009.11.08 16:12:56 | 00,130,432 | ---- | C] (Realtek Semiconductor Corporation                           ) -- C:\WINDOWS\System32\drivers\Rtnicxp.sys
[2009.11.06 15:34:21 | 00,000,000 | ---D | C] -- C:\Programme\Setup Files
[2009.11.05 19:39:29 | 00,000,000 | ---D | C] -- D:\Liebig\Eigene Dateien\My Drivers
[2009.11.05 17:38:45 | 00,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
[2009.11.04 14:37:08 | 00,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Uniblue
[2009.11.04 14:36:57 | 00,000,000 | ---D | C] -- C:\Programme\Uniblue
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
         

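The OTL listing above packs the interesting load points (SRV services, O4 autostarts, O16 DPF entries, O20 AppInit_DLLs, O34 BootExecute, O35 file associations) into one-line records. As an added example that is not part of this thread or of OTL itself, the following Python script parses lines of that shape and sorts them into triage buckets: orphaned services and stale ActiveX download entries (cleanup candidates, "info"), entries that deserve a second look (AppInit_DLLs, non-default BootExecute tokens, autostarts with no embedded company name, "review"), and an exe/com open verb that no longer has its stock value ("high"). The sample lines are copied from the log above plus one constructed `comfile` line whose path `C:\constructed\not_real.exe` is made up; the regular expressions assume OTL's line format stays as shown in this thread.

```python
"""Triage helper for OTL-style log lines (added example; not part of OTL or this thread)."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the OTL log in the thread, plus one constructed
# O35 line (C:\constructed\not_real.exe is a made-up path) showing a replaced open verb.
SAMPLE_LOG = r"""
SRV - (SAVService) --  File not found
SRV - (cmdAgent) -- C:\Programme\COMODO\Firewall\cmdagent.exe (COMODO)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} Reg Error: Key error. (YInstStarter Class)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (OODBS) -  File not found
O35 - exefile [open] -- "%1" %* File not found
O35 - comfile [open] -- C:\constructed\not_real.exe "%1" %* File not found
"""


@dataclass
class Finding:
    severity: str   # "info" (cleanup candidate), "review" (verify by hand), "high" (act on it)
    reason: str
    line: str


# Line shapes as they appear in the OTL output above (assumption: the format is stable).
SRV_RE = re.compile(r'^SRV - \((?P<name>[^)]+)\) --\s+(?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] '
                   r'(?P<path>.*?) \((?P<company>[^)]*)\)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?P<rest>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: \((?P<value>[^)]*)\) - (?P<target>.*)$')
O34_RE = re.compile(r'^O34 - HKLM BootExecute: \((?P<entry>[^)]+)\) -\s+(?P<target>.*)$')
O35_RE = re.compile(r'^O35 - (?P<ftype>\w+) \[open\] -- (?P<command>.*?)(?: File not found)?$')

DEFAULT_BOOTEXECUTE = {"autocheck", "autochk", "*"}   # tokens of the stock "autocheck autochk *"
DEFAULT_OPEN_VERB = '"%1" %*'                          # stock open command for exefile / comfile


def triage_line(line: str) -> Optional[Finding]:
    """Classify one OTL line; None means nothing worth reporting."""
    line = line.strip()
    if not line:
        return None
    m = SRV_RE.match(line)
    if m:
        if "File not found" in m.group("target"):
            return Finding("info", f"service {m.group('name')} is registered but its binary is missing", line)
        return None
    m = O4_RE.match(line)
    if m:
        if m.group("company") == "":
            return Finding("review", f"autostart [{m.group('name')}] has no embedded company name", line)
        return None
    m = O16_RE.match(line)
    if m:
        if "Reg Error" in m.group("rest"):
            return Finding("info", f"stale ActiveX download (DPF) entry {m.group('clsid')}", line)
        return None
    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs are loaded into every process that maps user32.dll: always check the publisher.
        return Finding("review", "AppInit_DLLs entry is injected into every user32-linked process", line)
    m = O34_RE.match(line)
    if m:
        entry = m.group("entry")
        if entry in DEFAULT_BOOTEXECUTE:
            return None
        state = "binary missing" if "File not found" in m.group("target") else "binary present"
        return Finding("review", f"non-default BootExecute entry {entry} ({state})", line)
    m = O35_RE.match(line)
    if m:
        if m.group("command") == DEFAULT_OPEN_VERB:
            # Stock value: "%1" is a placeholder, not a program, so OTL's trailing
            # "File not found" on this line is not by itself a sign of a hijacked association.
            return None
        return Finding("high", f"{m.group('ftype')} open verb replaced with {m.group('command')}", line)
    return None


def triage(text: str) -> List[Finding]:
    """Run every line through triage_line and keep the hits, in log order."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    # Usage: python otl_triage.py OTL.txt   (falls back to the embedded sample without an argument)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = triage(text)
    for f in sorted(found, key=lambda f: ("high", "review", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("summary:", summarize(found))
```

Run against the sample, the script reports one "high" (the constructed comfile line), three "review" entries (the nwiz autostart with an empty company field, the guard32.dll AppInit_DLLs entry and the OODBS BootExecute token) and two "info" leftovers (the missing SAVService binary and the DPF key error); the stock exefile open verb and the autochk token are deliberately not reported. A "review" hit is a prompt to confirm the publisher and on-disk file, not a verdict.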
15.11.2009, 14:13   #30
ElSteffe

Windows XP: slow shutdown, rootkit / trojan already removed

OTL, Part II:

Code:
ATTFilter
========== Files - Modified Within 14 Days ==========
 
[2009.11.15 13:30:24 | 00,000,682 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009.11.15 13:28:38 | 04,045,544 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Dokumente und Einstellungen\Liebig\Desktop\mbam-setup.exe
[2009.11.15 13:17:49 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.11.15 13:17:29 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009.11.15 13:15:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.11.15 13:15:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.11.15 13:15:27 | 16,101,41696 | -HS- | M] () -- C:\hiberfil.sys
[2009.11.14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009.11.13 20:36:00 | 07,864,320 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\NTUSER.DAT
[2009.11.13 20:36:00 | 00,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Liebig\ntuser.ini
[2009.11.13 20:32:19 | 00,000,177 | ---- | M] () -- C:\WINDOWS\ChssBase.ini
[2009.11.13 20:19:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009.11.13 19:44:59 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009.11.13 19:38:20 | 03,559,628 | R--- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\ComboFix.exe
[2009.11.13 18:03:01 | 05,455,908 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Sportkongress_2009_auswahl.zip
[2009.11.13 17:50:09 | 00,464,491 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RootRepeal.zip
[2009.11.13 16:19:35 | 00,291,840 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe
[2009.11.13 16:09:11 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Liebig\Desktop\OTL.exe
[2009.11.12 20:28:24 | 00,001,592 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Trillian.lnk
[2009.11.12 12:55:51 | 00,000,028 | ---- | M] () -- C:\WINDOWS\Lic.xxx
[2009.11.12 00:58:39 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009.11.11 23:02:18 | 00,034,048 | ---- | M] (MicroWorld Technologies Inc.) -- C:\WINDOWS\System32\eEmpty.exe
[2009.11.10 21:59:08 | 01,158,866 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.11.10 21:59:08 | 00,501,756 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2009.11.10 21:59:08 | 00,483,428 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.11.10 21:59:08 | 00,086,770 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2009.11.10 21:59:08 | 00,072,906 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009.11.10 17:53:32 | 00,000,425 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2009.11.10 17:53:32 | 00,000,027 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2009.11.10 17:49:30 | 00,294,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009.11.10 17:33:59 | 00,001,011 | ---- | M] () -- C:\WINDOWS\Brpfx04a.ini
[2009.11.10 17:33:59 | 00,000,149 | ---- | M] () -- C:\WINDOWS\brpcfx.ini
[2009.11.10 17:33:59 | 00,000,050 | ---- | M] () -- C:\WINDOWS\System32\bridf06a.dat
[2009.11.09 19:01:47 | 06,384,498 | -H-- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2009.11.05 17:56:03 | 00,000,709 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\CommandDispatchers.xml
[2009.11.05 17:56:00 | 00,001,367 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\cleaner-config.xml
[2009.11.05 17:39:13 | 00,000,845 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC 2009.lnk
[2009.11.05 17:38:41 | 00,069,392 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[2009.11.04 15:35:04 | 00,000,844 | ---- | M] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RegistryBooster.lnk
[2009.11.04 14:48:42 | 00,000,991 | ---- | M] () -- C:\WINDOWS\win.ini
[2009.11.04 14:48:42 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2009.11.15 13:30:24 | 00,000,682 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009.11.13 19:44:59 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009.11.13 19:44:55 | 00,262,448 | ---- | C] () -- C:\cmldr
[2009.11.13 19:40:03 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009.11.13 19:40:03 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009.11.13 19:40:03 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009.11.13 19:40:03 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009.11.13 19:40:03 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009.11.13 19:38:13 | 03,559,628 | R--- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\ComboFix.exe
[2009.11.13 18:03:01 | 05,455,908 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\Sportkongress_2009_auswahl.zip
[2009.11.13 17:50:05 | 00,464,491 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RootRepeal.zip
[2009.11.13 16:19:34 | 00,291,840 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\9hufmi1h.exe
[2009.11.12 02:42:50 | 16,101,41696 | -HS- | C] () -- C:\hiberfil.sys
[2009.11.11 23:02:52 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Lic.xxx
[2009.11.11 23:02:20 | 00,000,522 | ---- | C] () -- C:\WINDOWS\System32\Microsoft.VC80.CRT.manifest
[2009.11.08 16:12:56 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009.11.05 17:56:01 | 00,000,709 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\CommandDispatchers.xml
[2009.11.05 17:56:00 | 00,001,367 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\cleaner-config.xml
[2009.11.05 17:39:13 | 00,000,845 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\SpeedUpMyPC 2009.lnk
[2009.11.04 15:34:22 | 00,000,844 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Desktop\RegistryBooster.lnk
[2009.03.28 16:48:04 | 00,027,114 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009.03.19 19:47:16 | 00,000,521 | ---- | C] () -- C:\WINDOWS\my.ini
[2009.03.11 18:48:37 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2009.03.11 18:48:37 | 00,033,244 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2008.12.09 18:06:32 | 00,000,425 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008.12.09 18:06:32 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008.12.09 18:01:40 | 00,001,011 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008.12.09 18:01:40 | 00,000,149 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008.12.09 18:00:00 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008.10.16 16:23:30 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx13_ic.ini
[2008.10.16 16:23:29 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\CSVSpecialProcessing.dll
[2008.10.16 16:23:29 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\SARzilla.dll
[2008.05.01 18:53:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OODCNT.INI
[2008.05.01 15:40:57 | 06,384,498 | -H-- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\IconCache.db
[2008.03.11 17:10:48 | 00,000,079 | ---- | C] () -- C:\WINDOWS\SW_Win2000X1.DLL
[2008.03.11 17:10:42 | 00,000,027 | ---- | C] () -- C:\WINDOWS\SW_Win2146X32.DLL
[2008.03.11 17:06:56 | 00,004,106 | ---- | C] () -- C:\WINDOWS\CX_SearchHistory.INI
[2008.02.28 14:23:02 | 00,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2008.02.28 13:16:17 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2008.02.28 12:30:38 | 00,014,852 | ---- | C] () -- C:\Programme\settings.dat
[2008.02.01 08:18:14 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007.11.06 16:31:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\LiveBilliards.INI
[2007.09.10 14:27:35 | 00,049,253 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\FASTWiz.log
[2007.05.08 17:13:10 | 00,000,035 | ---- | C] () -- C:\WINDOWS\System32\backgw.ini
[2006.10.26 19:40:43 | 00,000,013 | ---- | C] () -- C:\Programme\ATT00019.txt
[2006.07.11 17:55:45 | 00,000,336 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006.06.29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006.06.29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006.05.02 23:38:24 | 00,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006.04.18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006.04.18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006.03.10 19:47:43 | 00,000,215 | ---- | C] () -- C:\WINDOWS\AntiDial.ini
[2006.02.08 15:37:23 | 00,000,305 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html
[2006.01.29 16:32:17 | 00,000,177 | ---- | C] () -- C:\WINDOWS\ChssBase.ini
[2006.01.28 14:59:47 | 00,000,487 | ---- | C] () -- C:\WINDOWS\Capictrl.INI
[2006.01.28 02:31:15 | 00,001,706 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\iwatch.txt
[2006.01.28 00:00:44 | 00,000,059 | ---- | C] () -- C:\WINDOWS\WINPHONE.INI
[2006.01.27 21:18:03 | 00,000,508 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.01.27 21:17:41 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2006.01.27 19:06:02 | 00,038,400 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006.01.27 15:08:49 | 00,069,392 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
[2006.01.26 15:05:13 | 00,000,139 | ---- | C] () -- C:\Dokumente und Einstellungen\Liebig\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2006.01.26 14:11:10 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2006.01.26 12:48:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ZDDBView.INI
[2006.01.26 12:48:21 | 00,000,022 | ---- | C] () -- C:\WINDOWS\zdbui32.ini
[2006.01.26 12:00:50 | 00,000,062 | -HS- | C] () -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\desktop.ini
[2006.01.26 11:44:46 | 00,000,062 | -HS- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
[2005.12.10 03:06:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005.12.10 03:06:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005.12.10 03:06:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005.12.10 03:06:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005.12.10 03:06:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005.12.10 03:06:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005.12.10 03:06:00 | 00,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.08.04 13:00:00 | 00,000,991 | ---- | C] () -- C:\WINDOWS\win.ini
[2004.08.04 13:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002.03.04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1999.01.22 19:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
 
========== LOP Check ==========
 
[2009.08.30 16:08:51 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Canneverbe Limited
[2007.09.20 16:04:03 | 00,000,000 | -H-D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
[2009.02.12 16:52:15 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\n7-89-o9-3r-4t-r9
[2009.03.28 16:47:37 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft
[2009.11.11 20:26:48 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
[2009.11.05 17:39:14 | 00,000,000 | -H-D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
[2008.12.14 18:42:41 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Canneverbe_Limited
[2008.01.14 17:32:45 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\ChessBase
[2008.02.22 20:27:19 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Flock
[2008.07.01 21:51:10 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\ICQ
[2009.05.19 21:28:54 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\MySQL
[2008.12.09 18:37:12 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\PC-FAX TX
[2009.04.21 17:03:17 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\ScanSoft
[2009.11.05 17:39:42 | 00,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Liebig\Anwendungsdaten\Uniblue
[2004.08.04 13:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009.11.15 13:15:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
 
< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=52532E3216CC137EF44AFC758A0435D8 -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 147 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:D1B5B4F1
@Alternate Data Stream - 114 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8
< End of report >
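The two blocks at the end of the report carry the actual check: the custom scan hashes every copy of atapi.sys it can find on the system drive, so that a loaded driver whose contents differ from the Service Pack copy stands out, and the ADS block lists the streams hanging off the All Users TEMP folder. The Python script below is an added example for reading those two blocks mechanically; it is not code from OTL or from anyone in this thread. It treats the copy under ServicePackFiles\i386 as the reference hash (my assumption, OTL makes no such judgement) and runs over the lines copied from the report above.

```python
"""Cross-check the hashes an OTL report lists for every copy of a driver.

Added helper, not part of OTL or of the post above: it parses the
"Custom Scans" and "Alternate Data Streams" blocks of an OTL report and
flags any copy of a file whose MD5 disagrees with the reference copy.
"""
import re
from collections import Counter, defaultdict

# One hit of an OTL "/s /md5" custom scan, e.g.
# [2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A... -- C:\...\atapi.sys
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [CM]\] \((?P<company>[^)]*)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# One ADS hit, e.g. "@Alternate Data Stream - 147 bytes -> C:\...\TEMP:DFC5A2B2"
ADS_LINE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$"
)

# Assumption: the copy a service pack dropped under ServicePackFiles\i386 is the
# pristine reference; the loaded copy under system32\drivers must match it.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
IN_USE_DIR = "\\system32\\drivers\\"

# Lines copied from the OTL report above (the custom scan and ADS blocks).
SAMPLE_REPORT = r"""
< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008.04.13 19:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=52532E3216CC137EF44AFC758A0435D8 -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys

@Alternate Data Stream - 147 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:D1B5B4F1
@Alternate Data Stream - 114 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:A8ADE5D8
"""


def parse_file_hits(report):
    """Return one dict per hashed file (stamp, size, attrs, company, md5, path)."""
    hits = []
    for line in report.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"].replace(",", ""))
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def parse_ads_hits(report):
    """Return one dict per alternate data stream (path, stream, size)."""
    hits = []
    for line in report.splitlines():
        m = ADS_LINE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "stream": m["stream"], "size": int(m["size"])})
    return hits


def check_driver_copies(hits):
    """Group hits by file name and compare every copy against the reference hash.

    The reference is the ServicePackFiles copy when present, otherwise the most
    common hash. in_use_ok is None when no system32\\drivers copy was listed.
    """
    by_name = defaultdict(list)
    for hit in hits:
        by_name[hit["path"].rsplit("\\", 1)[-1].lower()].append(hit)

    result = {}
    for name, copies in by_name.items():
        ref = next((c["md5"] for c in copies if REFERENCE_DIR in c["path"].lower()), None)
        if ref is None:
            ref = Counter(c["md5"] for c in copies).most_common(1)[0][0]
        in_use = [c for c in copies if IN_USE_DIR in c["path"].lower()]
        result[name] = {
            "reference": ref,
            "in_use_ok": (in_use[0]["md5"] == ref) if in_use else None,
            "outliers": [c["path"] for c in copies if c["md5"] != ref],
        }
    return result


if __name__ == "__main__":
    for name, verdict in check_driver_copies(parse_file_hits(SAMPLE_REPORT)).items():
        print(name, "in-use copy matches reference:", verdict["in_use_ok"])
        for path in verdict["outliers"]:
            print("  hash differs from reference:", path)
    for ads in parse_ads_hits(SAMPLE_REPORT):
        print("ADS", ads["stream"], "on", ads["path"], f"({ads['size']} bytes)")
```

Run as-is, it reports that the loaded copy under system32\drivers and the ERUNT cache copy share the Service Pack hash, and that the only copy with different contents is the one in ReinstallBackups. A loaded driver that does not match the reference is the finding to chase; a mismatch in a backup folder only says that copy has different contents, and the hash alone does not say why. The ADS listing is just the starting point: the script names the streams on the TEMP folder so they can be dumped and inspected, it does not judge them.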
         
