Remove rootkit? pkslzz.sys
16.12.2009, 22:25 | #1 |
| Remove rootkit? pkslzz.sys Hey dear community, after a long time of trying things out I have now given up and turn to you with the following problem: apparently I have a rootkit (at least that's what avast says) in C:\Windows\System32\Drivers\pkslzz.sys, and I have found absolutely nothing about it! When I remove the file, WinXP (SP2) says I have changed the system settings and that I should click on the "General" tab so that Windows starts normally next time. When I do that, the avast rootkit message comes back at the next restart and pkslzz.sys seems to be there again! If I don't remove it, I only have the choice between Shut down and Restart. Grateful for any idea! Thanks in advance, The Fiddler |
17.12.2009, 12:07 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Hello,
Please read this list and work through it. When scanning with MalwareBytes, also plug in all external storage (external drives, USB sticks, ...)!! Important for users of Windows Vista and Windows 7: run all tools via right-click => Run as administrator! You can, for example, zip all the logfiles into one file, upload it to File-Upload.net and link it here, because 1. some logfiles are too big for the board and 2. I can download all of them at once with a single click. |
17.12.2009, 12:10 | #3 |
| Update: now that Ad-Aware hasn't found anything either, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:57, on 17.12.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Roxio\Media Experience\DMXLauncher.exe
C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programme\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Programme\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Programme\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=122009 serial=ES02WBG-0090091-CML
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DMXLauncher] "C:\Programme\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TM613.tmp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Öffnen mit WordPerfect - C:\Programme\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://download.bitdefender.com/resources/scanner/sources/de/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F4E841-C7ED-4BC1-9051-E82B97662FDB}: NameServer = 192.168.2.1
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe

--
End of file - 10576 bytes

Unfortunately I can't make much of it; I hope you know more. |
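As an added example (editor's code, not part of the thread and not a HijackThis feature), the following Python pass applies a few triage heuristics to HijackThis-style lines like those in the log above: O4 autostart entries launched from a temp directory or from a .tmp file, O23 services with no vendor, and O17 DNS servers outside private ranges. The sample lines are constructed from entries in this log, plus one constructed O23 line for a pkslzz service to show what such an entry would look like if the rootkit did not hide it; the heuristics themselves are assumptions of this example.

```python
"""Triage heuristics for HijackThis log lines.

Added example for this thread, not part of the original post and not a
HijackThis feature. The heuristics below are the editor's own assumptions.
"""
import re
from dataclasses import dataclass

# O4 autostart entry:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service entry:   O23 - Service: name - vendor - path
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# O17 DNS entry:       O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip[,ip]
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Directories a legitimate autostart rarely launches from (assumption).
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "%temp%")
# RFC 1918 private ranges; a home router such as 192.168.2.1 is expected here.
PRIVATE_NET = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


@dataclass
class Finding:
    line: str
    reason: str


def triage(lines):
    """Return a Finding for every line that trips one of the heuristics."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"').lower()
            parts = cmd.split()
            first = parts[0] if parts else ""
            if any(d in cmd for d in TEMP_DIRS):
                findings.append(Finding(line, "autostart launched from a temp directory"))
            elif first.endswith(".tmp"):
                findings.append(Finding(line, "autostart runs a .tmp file"))
            continue
        m = O23_RE.match(line)
        if m:
            # HijackThis prints "Unknown owner" when a service carries no company name.
            if m.group("vendor").strip().lower() == "unknown owner":
                findings.append(Finding(line, "service with no vendor"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            if not all(PRIVATE_NET.match(s) for s in servers):
                findings.append(Finding(line, "DNS server outside private ranges"))
    return findings


# Constructed sample: lines taken from the log above, plus one constructed
# O23 line for the pkslzz service (hidden in the real log, hence absent there).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TM613.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F4E841-C7ED-4BC1-9051-E82B97662FDB}: NameServer = 192.168.2.1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: pkslzz - Unknown owner - C:\WINDOWS\system32\drivers\pkslzz.sys
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason}: {f.line}")
```

On the sample above it reports the sysgif32 entry in C:\WINDOWS\TEMP and the constructed pkslzz service; the real log has no pkslzz service line at all, which is exactly what the later AntiRootkit results explain when they report the service's registry values as hidden.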
17.12.2009, 12:24 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please plough through the list!
Please always post logfiles in CODE tags |
17.12.2009, 14:17 | #5 |
| Hello cosinus, I have followed your instructions! During the Malwarebytes scan, however, a C:\Windows\...\Services.exe popped up saying that some parameter had been changed and the system would therefore shut down in 1 minute. I then finished the scan in Safe Mode. You can find my log files here: http://www.file-upload.net/download-2085299/log.zip.html I hope you can make sense of them, because my avast has just found the said rootkit again! |
17.12.2009, 14:59 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please run the Avenger

Preparations:
a) Disable the real-time guard of your virus scanner.
b) Unplug all external storage from the computer.

Then:
1.) Download Avenger from here: Swandog46's Public Anti-Malware Tools (Download, on the left)
2.) Unpack the zip archive and run the file "avenger.exe" (under Vista via right-click => Run as administrator). Set the check boxes at the bottom as shown:
3.) Copy exactly the lines from the following code field:

Code:
files to delete:
C:\WINDOWS\system32\615.tmp
C:\Windows\System32\Drivers\pkslzz.sys

drivers to delete:
MEMSWEEP2
MHN

5.) The code text from my post should now be visible under "Input Script here" in "The Avenger".
6.) If so, click "Execute" at the bottom right. Confirm the next prompt with "Yes", and the question about "Reboot now" (restart of the system) likewise.
7.) After the restart you will be shown a log file from Avenger. Copy its contents and post them here.

Edited by cosinus (17.12.2009 at 15:18) |
17.12.2009, 15:10 | #7 |
| When I press Execute, I get: "Error: Invalid Script. A valid script must begin with a command directive. Aborting execution!" The "avast! Warning" window with the "Rootkit found!" message is also still open! What should I do with it before the scan? "Delete now" or "Ignore"? |
17.12.2009, 15:18 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | I had a typo, please forgive me. The script should be correct now. |
17.12.2009, 15:25 | #9 |
| //////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Dec 17 15:05:06 2009

15:05:06: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Dec 17 15:17:05 2009

15:17:05: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\615.tmp" not found!
Deletion of file "C:\WINDOWS\system32\615.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: could not open file "C:\Windows\System32\Drivers\pkslzz.sys"
Deletion of file "C:\Windows\System32\Drivers\pkslzz.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "MEMSWEEP2" deleted successfully.
Driver "MHN" deleted successfully.

Completed script processing.

*******************

Finished! Terminate. |
17.12.2009, 15:37 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Please try a run with this => Avira AntiRootkit Tool |
17.12.2009, 15:56 | #11 |
| Avira found quite a bit, but I can't remove anything with it, can I? Here are the results:

Avira AntiRootkit Tool (1.1.0.1)
========================================================================================================
- Scan started Donnerstag, 17. Dezember 2009 - 15:50:43
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 232.88 GB
- Working disk free size : 196.37 GB (84 %)

--------------------------------------------------------------------------------------------------------
Results:
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz -> errorcontrol
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz -> group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz -> qe6a7ri2
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz -> i3llvg5
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pkslzz -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pkslzz -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pkslzz -> errorcontrol
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pkslzz -> group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pkslzz -> qe6a7ri2
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pkslzz -> i3llvg5

--------------------------------------------------------------------------------------------------------
Files: 0/77482
Registry items: 12/308981
Processes: 0/63
Scan time: 00:03:57

--------------------------------------------------------------------------------------------------------
Active processes:
- rnvffgem.exe (PID 4812) (Avira AntiRootkit Tool)
- System (PID 4)
- smss.exe (PID 492)
- csrss.exe (PID 548)
- winlogon.exe (PID 572)
- services.exe (PID 616)
- lsass.exe (PID 628)
- svchost.exe (PID 924)
- svchost.exe (PID 968)
- svchost.exe (PID 1036)
- svchost.exe (PID 1120)
- svchost.exe (PID 1252)
- svchost.exe (PID 1288)
- aswUpdSv.exe (PID 1464)
- AAWService.exe (PID 1496)
- ashServ.exe (PID 1552)
- explorer.exe (PID 1560)
- ehtray.exe (PID 1760)
- jusched.exe (PID 1772)
- issch.exe (PID 1800)
- SOUNDMAN.EXE (PID 1832)
- DMXLauncher.exe (PID 1840)
- DrgToDsc.exe (PID 1852)
- ashDisp.exe (PID 1860)
- hpwuSchd2.exe (PID 376)
- iTunesHelper.exe (PID 348)
- RoxWatchTray9.exe (PID 552)
- ctfmon.exe (PID 152)
- GoogleToolbarNotifier.exe (PID 296)
- msmsgs.exe (PID 868)
- spoolsv.exe (PID 1344)
- hpqtra08.exe (PID 1388)
- GoogleCrashHandler.exe (PID 1712)
- svchost.exe (PID 2252)
- AppleMobileDeviceService.exe (PID 2288)
- mDNSResponder.exe (PID 2308)
- ehrecvr.exe (PID 2340)
- ehSched.exe (PID 2384)
- svchost.exe (PID 2488)
- jqs.exe (PID 2564)
- svchost.exe (PID 2644)
- firefox.exe (PID 2704)
- svchost.exe (PID 2940)
- svchost.exe (PID 3300)
- svchost.exe (PID 3312)
- mcrdsvc.exe (PID 3412)
- ashMaiSv.exe (PID 3888)
- unsecapp.exe (PID 3896)
- ashWebSv.exe (PID 4000)
- wmiprvse.exe (PID 4056)
- ehmsas.exe (PID 2124)
- iPodService.exe (PID 408)
- dllhost.exe (PID 2364)
- alg.exe (PID 3512)
- CPSHelpRunner.exe (PID 1748)
- hpqste08.exe (PID 4124)
- AAWTray.exe (PID 1788)
- wuauclt.exe (PID 3356)
- msiexec.exe (PID 5440)
- avguard.exe (PID 4208)
- sched.exe (PID 1892)
- avgnt.exe (PID 5332)
- avirarkd.exe (PID 5228)

========================================================================================================
- Scan finished Donnerstag, 17. Dezember 2009 - 15:54:41
========================================================================================================

Hope it helps |
17.12.2009, 16:33 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Yes, removal should be possible (Quarantine all) |
17.12.2009, 17:18 | #13 |
| Avira AntiVir Personal
Report file date: Donnerstag, 17. Dezember 2009 16:18

Scanning for 1454287 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : ***
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : ***
Computer name : B******-*****

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 02.12.2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 13.10.2009 10:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27.02.2009 09:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20.02.2009 10:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27.02.2009 09:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 06:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 14:49:48
VBASE002.VDF : 7.10.1.1 2048 Bytes 19.11.2009 14:49:48
VBASE003.VDF : 7.10.1.2 2048 Bytes 19.11.2009 14:49:48
VBASE004.VDF : 7.10.1.3 2048 Bytes 19.11.2009 14:49:48
VBASE005.VDF : 7.10.1.4 2048 Bytes 19.11.2009 14:49:49
VBASE006.VDF : 7.10.1.5 2048 Bytes 19.11.2009 14:49:49
VBASE007.VDF : 7.10.1.6 2048 Bytes 19.11.2009 14:49:49
VBASE008.VDF : 7.10.1.7 2048 Bytes 19.11.2009 14:49:49
VBASE009.VDF : 7.10.1.8 2048 Bytes 19.11.2009 14:49:49
VBASE010.VDF : 7.10.1.9 2048 Bytes 19.11.2009 14:49:49
VBASE011.VDF : 7.10.1.10 2048 Bytes 19.11.2009 14:49:49
VBASE012.VDF : 7.10.1.11 2048 Bytes 19.11.2009 14:49:49
VBASE013.VDF : 7.10.1.79 209920 Bytes 25.11.2009 14:49:49
VBASE014.VDF : 7.10.1.128 197632 Bytes 30.11.2009 14:49:50
VBASE015.VDF : 7.10.1.178 195584 Bytes 07.12.2009 14:49:50
VBASE016.VDF : 7.10.1.224 183296 Bytes 14.12.2009 14:49:50
VBASE017.VDF : 7.10.1.247 182272 Bytes 15.12.2009 14:49:51
VBASE018.VDF : 7.10.1.248 2048 Bytes 15.12.2009 14:49:51
VBASE019.VDF : 7.10.1.249 2048 Bytes 15.12.2009 14:49:51
VBASE020.VDF : 7.10.1.250 2048 Bytes 15.12.2009 14:49:51
VBASE021.VDF : 7.10.1.251 2048 Bytes 15.12.2009 14:49:51
VBASE022.VDF : 7.10.1.252 2048 Bytes 15.12.2009 14:49:51
VBASE023.VDF : 7.10.1.253 2048 Bytes 15.12.2009 14:49:51
VBASE024.VDF : 7.10.1.254 2048 Bytes 15.12.2009 14:49:51
VBASE025.VDF : 7.10.1.255 2048 Bytes 15.12.2009 14:49:51
VBASE026.VDF : 7.10.2.0 2048 Bytes 15.12.2009 14:49:52
VBASE027.VDF : 7.10.2.1 2048 Bytes 15.12.2009 14:49:52
VBASE028.VDF : 7.10.2.2 2048 Bytes 15.12.2009 14:49:52
VBASE029.VDF : 7.10.2.3 2048 Bytes 15.12.2009 14:49:52
VBASE030.VDF : 7.10.2.4 2048 Bytes 15.12.2009 14:49:52
VBASE031.VDF : 7.10.2.15 121856 Bytes 17.12.2009 14:49:52
Engineversion : 8.2.1.114
AEVDF.DLL : 8.1.1.2 106867 Bytes 08.11.2009 06:38:52
AESCRIPT.DLL : 8.1.3.3 586106 Bytes 17.12.2009 14:49:56
AESCN.DLL : 8.1.3.0 127348 Bytes 17.12.2009 14:49:56
AESBX.DLL : 8.1.1.1 246132 Bytes 08.11.2009 06:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 17.12.2009 14:49:55
AEPACK.DLL : 8.2.0.3 422261 Bytes 08.11.2009 06:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 08.11.2009 06:38:38
AEHEUR.DLL : 8.1.0.186 2183544 Bytes 17.12.2009 14:49:55
AEHELP.DLL : 8.1.9.0 237943 Bytes 17.12.2009 14:49:53
AEGEN.DLL : 8.1.1.81 369014 Bytes 17.12.2009 14:49:53
AEEMU.DLL : 8.1.1.0 393587 Bytes 08.11.2009 06:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 17.12.2009 14:49:52
AEBB.DLL : 8.1.0.3 53618 Bytes 08.11.2009 06:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12.12.2008 07:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 26.08.2009 14:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 20.01.2009 13:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05.12.2008 09:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24.03.2009 14:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30.01.2009 09:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28.01.2009 14:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02.02.2009 07:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05.12.2008 09:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15.05.2009 14:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 13.10.2009 11:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\programme\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,+SPR,

Start of the scan: Donnerstag, 17. Dezember 2009 16:18

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz\type
  [INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz\start
  [INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz\errorcontrol
  [INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz\group
  [INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz\qe6a7ri2
  [INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pkslzz\i3llvg5
  [INFO] The registry entry is invisible.
'47573' objects were checked, '6' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'CPSHelpRunner.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'ashWebSv.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'ashMaiSv.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'RoxWatchTray9.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'ashDisp.exe' - '1' Module(s) have been scanned
Scan process 'DrgToDsc.exe' - '1' Module(s) have been scanned
Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ashServ.exe' - '1' Module(s) have been scanned
Scan process 'AAWService.exe' - '1' Module(s) have been scanned
Scan process 'aswUpdSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
62 processes with 62 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
  [INFO] No virus was found!
Master boot sector HD1
  [INFO] No virus was found!
Master boot sector HD2
  [INFO] No virus was found!
Master boot sector HD3
  [INFO] No virus was found!
Master boot sector HD4
  [INFO] No virus was found!
Master boot sector HD5
  [INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
  [INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '64' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
  [WARNING] The file could not be opened!
  [NOTE] This file is a Windows system file.
  [NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{2879EEDD-FAC8-49A7-9869-7DB9218FF0E6}\RP706\A0077994.exe
  [DETECTION] Contains a recognition pattern of the (harmful) BDS/Bredolab.bmk back-door program
C:\System Volume Information\_restore{2879EEDD-FAC8-49A7-9869-7DB9218FF0E6}\RP709\A0083226.exe
  [DETECTION] Contains a recognition pattern of the (harmful) BDS/Bredolab.bmk back-door program
C:\WINDOWS\system32\drivers\pkslzz.sys
  [WARNING] The file could not be opened!

Beginning disinfection:
C:\System Volume Information\_restore{2879EEDD-FAC8-49A7-9869-7DB9218FF0E6}\RP706\A0077994.exe
  [DETECTION] Contains a recognition pattern of the (harmful) BDS/Bredolab.bmk back-door program
  [NOTE] The file was moved to '4b5a59ef.qua'!
C:\System Volume Information\_restore{2879EEDD-FAC8-49A7-9869-7DB9218FF0E6}\RP709\A0083226.exe
  [DETECTION] Contains a recognition pattern of the (harmful) BDS/Bredolab.bmk back-door program
  [NOTE] The file was moved to '4a24ede0.qua'!

End of the scan: Donnerstag, 17. Dezember 2009 17:18
Used time: 59:41 Minute(s)

The scan has been done completely.

8898 Scanned directories
678789 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
678785 Files not concerned
1954 Archives were scanned
2 Warnings
3 Notes
47573 Objects were scanned with rootkit scan
6 Hidden objects were found

Edited by TheFiddler (17.12.2009 at 17:36) |
17.12.2009, 17:29 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | What about 'Quarantine all' in Avira's AntiRootkit? |
17.12.2009, 17:34 | #15 |
| As I said, Avira AntiRootKit won't let me put anything into quarantine! It does find 12 files, but they are highlighted in red; here in a screenshot: |