Pests of all kinds and their removal: Is my keylogger finally gone? (Windows 7)
26.11.2009, 21:13 | #1 |
Is my keylogger finally gone? Good evening everyone. Since I found out this afternoon that my game account (World of Warcraft) had been hacked for the second time, I spent a few hours today looking into the topic of keyloggers. Until a few days ago I thought it would be enough to run a virus scanner and keep a firewall active to be protected against all those pests. Naive, I know. Well, I have been taught better, and to finally be sure that the pest I am concerned about is gone, I browsed quite a few sites and tried out several programs for detecting and removing malware. By default I have avast! as my virus scanner. In addition I used Spybot, Spyware Terminator, Ad-Aware and HijackThis to find the pest. Apart from a few cookies I found nothing, until I used HJT and then learned from a post in an internet forum that I should look for "xml_inc.dll". I did find it and deleted it with the "Fix checked" button. Afterwards I used the search function here to see whether I could find an interesting thread about it. h**p://www.trojaner-board.de/77248-nach-entfernung-eines-keyloggers-trojaners.html In that thread a user had almost the same problem as me. Now I would like to know whether I have really removed the crucial pest, or whether I might still be infected. And how I can best check that. I apologise if I have failed to observe any forum rule. Regards, Clipzer (Last edited by Clipzer on 26.11.2009 at 21:47. Reason: changed active link to inactive)
26.11.2009, 22:43 | #3 |
Is my keylogger finally gone? I hope I understood that correctly.
__________________
syscheck:
Attention !!! Database was last updated 19.08.2009 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 26.11.2009 22:28:36
Database loaded: signatures - 237742, NN profile(s) - 2, malware removal microprograms - 56, signature database released 19.08.2009 21:41
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 135347
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights
System Restore: Disabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07B400)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 80552400
KiST = 8050121C (284)
Function NtClose (19) intercepted (805B0A4E->B780588E), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (8056D44A->B78050EC), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80618F32->B7804DCE), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (8059F568->B7806938), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (806193C2->B7804ED8), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80619592->B7804FC2), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805B252A->B770814C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtEnumerateKey (47) intercepted (80619772->BA6C6CA2), hook spbu.sys
Function NtEnumerateValueKey (49) intercepted (806199DC->BA6C7030), hook spbu.sys
Function NtLoadDriver (61) intercepted (80578664->B7805BBC), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056E568->B78053F4), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (8061A2C8->B770864E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtOpenProcess (7A) intercepted (805BFEAC->B770808C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtOpenThread (80) intercepted (805C0138->B77080F0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtQueryKey (A0) intercepted (8061A5EC->BA6C7108), hook spbu.sys
Function NtQueryValueKey (B1) intercepted (80616FEC->B770876E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtRestoreKey (CC) intercepted (8061733A->B770872E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtSetInformationFile (E0) intercepted (8056F418->B7805526), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (806175F2->B7804BFC), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805C77FA->B7805B04), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtWriteFile (112) intercepted (805713B4->B780570C), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Functions checked: 284, intercepted: 21, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8940B1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8940B1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 898DA1F8 -> hook not defined
Checking - complete
2. Scanning RAM
Number of processes found: 31
Extended process analysis: 1720 C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1844 C:\Programme\Alwil Software\Avast4\ashServ.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 628 C:\Programme\Spyware Terminator\sp_rsser.exe
[ES]:Application has no visible windows
Extended process analysis: 1664 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 1900 C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 2060 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 3476 C:\Programme\Mozilla Firefox\firefox.exe
[ES]:Program code includes networking-related functionality
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 315
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 346, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 26.11.2009 22:28:58
Time of scanning: 00:00:22

syscure:
Attention !!! Database was last updated 19.08.2009 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 26.11.2009 22:16:32
Database loaded: signatures - 237742, NN profile(s) - 2, malware removal microprograms - 56, signature database released 19.08.2009 21:41
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 135347
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights
System Restore: Disabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07B400)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 80552400
KiST = 8050121C (284)
Function NtClose (19) intercepted (805B0A4E->B77D588E), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (25) intercepted (8056D44A->B77D50EC), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (80618F32->B77D4DCE), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (32) intercepted (8059F568->B77D6938), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (806193C2->B77D4ED8), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80619592->B77D4FC2), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805B252A->B770014C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (80619772->BA6C6CA2), hook sphh.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (806199DC->BA6C7030), hook sphh.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (80578664->B77D5BBC), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (8056E568->B77D53F4), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (8061A2C8->B770064E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805BFEAC->B770008C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (805C0138->B77000F0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (8061A5EC->BA6C7108), hook sphh.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (80616FEC->B770076E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (8061733A->B770072E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationFile (E0) intercepted (8056F418->B77D5526), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (806175F2->B77D4BFC), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805C77FA->B77D5B04), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteFile (112) intercepted (805713B4->B77D570C), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 21, restored: 21
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
CmpCallCallBacks = 000882AE
Disable callback OK
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8943B500 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8943B500 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 898DA1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 898DA1F8 -> hook not defined
Checking - complete
2. Scanning RAM
Number of processes found: 32
Number of modules loaded: 366
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\WINDOWS\system32\drivers\sptd.sys
C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\tdc.ocx >>> suspicion for Trojan.Win32.Obfuscated.gx ( 053750B3 01AEF965 0005F0DD 00218FA4 61440)
File quarantined succesfully (C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\tdc.ocx)
Direct reading: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\~DFBD99.tmp
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 73212, extracted from archives: 58379, malicious software found 0, suspicions - 1
Scanning finished at 26.11.2009 22:21:19
!!! Attention !!! Restored 21 KiST functions during Anti-Rootkit operation
This may affect execution of certain software, so it is strongly recommended to reboot
Time of scanning: 00:04:47
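The "1.2 Searching for kernel-mode API hooks" block in both logs above is the part worth reading closely: 21 SSDT entries are redirected, and AVZ only attaches its "driver recognized as trusted" tag to the sp_rsdrv2.sys hooks. The defender's task with such a log is to attribute every hook to a known driver and to examine any module AVZ did not vouch for. The following Python script is an added example for this thread, not part of the original post and not AVZ's own code; it parses hook lines of the shape shown above from a constructed sample (a subset of the log's lines), groups them by driver file name, returns the drivers that carry no trust tag for manual review, and checks that the number of hook lines matches AVZ's own "intercepted:" total.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the "1.2 Searching for kernel-mode API
# hooks" block of the AVZ log above (a subset of its lines, same format).
SAMPLE_LOG = r"""
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07B400)
Function NtClose (19) intercepted (805B0A4E->B780588E), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805B252A->B770814C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtEnumerateKey (47) intercepted (80619772->BA6C6CA2), hook spbu.sys
Function NtOpenProcess (7A) intercepted (805BFEAC->B770808C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
Function NtTerminateProcess (101) intercepted (805C77FA->B7805B04), hook C:\WINDOWS\system32\drivers\sp_rsdrv2.sys, driver recognized as trusted
Functions checked: 284, intercepted: 5, restored: 0
"""

# One SSDT entry: function name, service index, original -> new address,
# hooking module, and AVZ's optional "driver recognized as trusted" tag.
HOOK_RE = re.compile(
    r"^Function (?P<func>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<new>[0-9A-Fa-f]+)\), hook (?P<module>[^,]+?)"
    r"(?P<trusted>, driver recognized as trusted)?$"
)
SUMMARY_RE = re.compile(
    r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)$"
)


def parse_hooks(text):
    """Return (list of hook dicts, summary tuple or None) for one AVZ log."""
    hooks, summary = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append({
                "function": m["func"],
                "index": int(m["idx"], 16),
                "orig": int(m["orig"], 16),
                "target": int(m["new"], 16),
                # Keep only the file name: the same driver shows up with
                # differently cased directory paths in the log.
                "module": PureWindowsPath(m["module"].strip()).name,
                "trusted": m["trusted"] is not None,
            })
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary = tuple(int(x) for x in s.groups())
    return hooks, summary


def triage(text):
    """Group hooks by driver and list the drivers AVZ did not vouch for."""
    hooks, summary = parse_hooks(text)
    modules = {}
    for h in hooks:
        modules.setdefault(h["module"], []).append(h)
    report = {}
    for name, hs in modules.items():
        targets = [h["target"] for h in hs]
        report[name] = {
            "functions": [h["function"] for h in hs],
            "trusted": all(h["trusted"] for h in hs),
            # Hook targets of one driver should sit inside that driver's
            # image, so a wide span under a single name deserves a second look.
            "target_span": (min(targets), max(targets)),
        }
    needs_review = sorted(n for n, r in report.items() if not r["trusted"])
    return {
        "modules": report,
        "needs_review": needs_review,
        "summary": summary,
        # The per-line count should match AVZ's own "intercepted:" total;
        # a mismatch means the log was truncated or mangled when pasted.
        "count_consistent": summary is not None and summary[1] == len(hooks),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, r in result["modules"].items():
        tag = "trusted" if r["trusted"] else "REVIEW"
        print(f"{name:16} {tag:8} {len(r['functions'])} hook(s) "
              f"{r['target_span'][0]:08X}-{r['target_span'][1]:08X}")
    print("count consistent:", result["count_consistent"])
```

Run over the full log pasted above, the same logic puts aswSP.SYS (avast's own driver, to judge from the asw prefix and the Avast4 processes in section 2) and the short, generically named spbu.sys on the review list; in the second scan the latter appears as sphh.sys, which is why the helper's script later deletes both names alongside the SPTD uninstall. A review list is a starting point for attribution, not a verdict: a driver without AVZ's trust tag still has to be tied to an installed product before anything is removed.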
27.11.2009, 01:01 | #4 |
/// AVZ-Toolkit Guru | Is my keylogger finally gone? Please read the instructions once more and attach the archives containing the logs to your post.
__________________ - All assistance in this forum is given without warranty or liability -
27.11.2009, 13:15 | #5 |
Is my keylogger finally gone? I hope I have understood it correctly now. Regards
27.11.2009, 14:30 | #6 |
/// AVZ-Toolkit Guru | Is my keylogger finally gone? Run the following script with AVZ:
Code:
begin
SearchRootkit(true);
SetAVZGuardStatus(true, true);
DeleteFile('C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\~DFBD99.tmp');
DeleteFileMask('C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp', '*.*' ,true);
DelBHO('{32099AAC-C132-4136-9E9A-4E364A424E17}');
DelBHO('{5C255C8A-E604-49b4-9D64-90988571CECB}');
DeleteFile('C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\kfaoypoc.sys');
DeleteFile('sphh.sys');
DeleteFile('C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\tdc.ocx');
DeleteFile('spbu.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Please uninstall Daemon Tools via the Control Panel. During the uninstallation you will have to restart the computer. Then download the tool here: http://www.duplexsecure.com/download/SPTDinst-v162-x86.exe Start it with a double-click. In the dialog that follows you will find the "Uninstall" button. Press it to uninstall SPTD. Restart the computer afterwards. Uninstall Spyware Terminator, Lavasoft, Spybot and all other anti-whatever tools you have installed. Only Avast stays! Then clean up with CCleaner (items 1 & 2). Only once you have done all of that, post two fresh AVZ logs.
27.11.2009, 15:24 | #7 | ||
Is my keylogger finally gone?
Quote:
h**p://img28.imageshack.us/img28/3129/avz.png
Quote:
"Error: Not enough actual parameters at position 2:14"
Quote:
Is there a way to remove it some other way? Or is it perhaps already gone? Or do I have to find the same file I installed DT with back then?
27.11.2009, 17:19 | #8 |
/// AVZ-Toolkit Guru | Is my keylogger finally gone? Uninstall the SPTD driver as described. That should be enough. New script:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(true);
DeleteFile('C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\~DFBD99.tmp');
DeleteFileMask('C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp', '*.*' ,true);
DelBHO('{32099AAC-C132-4136-9E9A-4E364A424E17}');
DelBHO('{5C255C8A-E604-49b4-9D64-90988571CECB}');
DeleteFile('C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\kfaoypoc.sys');
DeleteFile('sphh.sys');
DeleteFile('C:\WINDOWS\SoftwareDistribution\Download\7d084ddd2c07c476a226e31c4ef032ff\tdc.ocx');
DeleteFile('spbu.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
27.11.2009, 17:42 | #9 |
Is my keylogger finally gone? Regards
28.11.2009, 23:02 | #10 |
Is my keylogger finally gone? /push :< Regards
01.12.2009, 18:38 | #11 |
/// AVZ-Toolkit Guru | Is my keylogger finally gone? That looks good so far. Anything unusual on the PC? In any case I would run an at-boot-time scan with Avast. After that, also scan with Malwarebytes and post the log.