Antivir und andere Virenprogramme starten nicht / Rootkit?

GumbuEsquire · 03.01.2010, 22:46

Entwarnung kam leider etwas zu früh. Nach ca. der Hälfte des Avira-Scans geht der Rechner ohne Vorwarnung aus. Habs jetzt 3x probiert.

Windows neu aufzusetzen ist wohl ein sehr vernünftiger Vorschlag...

GumbuEsquire · 04.01.2010, 01:46

Mittlerweile ist nun auch Avira mit den aggressiven Einstellungen komplett durchgelaufen. Ergebnis: Kein Fund!

Das klingt doch ganz gut, oder?

Gute Nacht!

Chris4You · 04.01.2010, 10:20

Hi,

poste noch ein neues RSIT-Log...

chris

GumbuEsquire · 04.01.2010, 13:16

Logfile of random's system information tool 1.06 (written by random/random)
Run by XXXX at 2010-01-04 13:08:59
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (32%) free of 29 GB
Total RAM: 351 MB (22% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:09:28, on 04.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS.0\system32\slserv.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\System32\sistray.EXE
C:\WINDOWS.0\System32\khooker.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\XXXX\Desktop\RSIT.exe
C:\Programme\trend micro\XXXX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-cache.rz.uni-passau.de:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.uni-passau.de;*.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS.0\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS.0\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS.0\sisUSBrg.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSetup] F:\setup.exe /skip_all_checks /p /start /restart /l:deu
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1186037039801
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186036979254
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {C94BFF60-7315-11D2-A844-0060086FEFD7} (Internet Banking und Brokerage) - http://www.izb-hb.de/SPK_Passau/SBrokerXXXX.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate1c9f0fce0e3c9c0) (gupdate1c9f0fce0e3c9c0) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS.0\SYSTEM32\slserv.exe

--
End of file - 7865 bytes

======Scheduled tasks folder======

C:\WINDOWS.0\tasks\AppleSoftwareUpdate.job
C:\WINDOWS.0\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS.0\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2009-02-27 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"=C:\WINDOWS.0\System32\sistray.EXE [2002-05-09 303104]
"SiS KHooker"=C:\WINDOWS.0\System32\khooker.exe [2002-01-25 290816]
"SiSUSBRG"=C:\WINDOWS.0\sisUSBrg.exe [2002-04-26 32768]
"Microsoft Works Update Detection"=C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe [2002-07-24 28672]
"LogitechCommunicationsManager"=C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe [2007-07-25 563984]
"QuickTime Task"=C:\Programme\QuickTime\qttask.exe [2009-01-05 413696]
" Malwarebytes Anti-Malware (reboot)"=C:\Programme\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"avgnt"=C:\Programme\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"Adobe Reader Speed Launcher"=C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS.0\system32\ctfmon.exe [2008-04-14 15360]
"PowerBar"= []
"LogitechSetup"=F:\setup.exe /skip_all_checks /p /start /restart /l:deu []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Programme\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-15 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Programme\Ahead\InCD\InCD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Programme\iTunes\iTunesHelper.exe [2009-03-12 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Programme\Logitech\QuickCam\Quickcam.exe [2007-07-25 2027792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS.0\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Programme\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [2003-12-08 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS.0^Startmenü^Programme^Autostart^VPN Client.lnk]
C:\WINDOWS.0\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-08-02 6144]

C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Startmenü\Programme\Autostart
Microsoft Office.lnk - C:\Programme\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Mozilla Firefox\firefox.exe"="C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Programme\fotobuch.de AG\Designer 2.0\Designer.exe"="C:\Programme\fotobuch.de AG\Designer 2.0\Designer.exe:*

esigner.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS.0\system32\dpnsvr.exe"="C:\WINDOWS.0\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8-Server"
"C:\Programme\EA GAMES\Battlefield 1942\BF1942.exe"="C:\Programme\EA GAMES\Battlefield 1942\BF1942.exe:*

isabled:BF1942"
"C:\Programme\Bonjour\mDNSResponder.exe"="C:\Programme\Bonjour\mDNSResponder.exe:*

isabled:Bonjour"
"C:\Programme\Atari\Deer Hunter 2005 Demo\DH2005Demo.exe"="C:\Programme\Atari\Deer Hunter 2005 Demo\DH2005Demo.exe:*

isabled

H2005Demo"
"C:\Programme\Illusion Softworks\Hidden & Dangerous 2\HD2.exe"="C:\Programme\Illusion Softworks\Hidden & Dangerous 2\HD2.exe:*

isabled:HD2"
"C:\Programme\iTunes\iTunes.exe"="C:\Programme\iTunes\iTunes.exe:*

isabled:iTunes"
"C:\Programme\PATRIZIER II Gold\Patrizier 2.exe"="C:\Programme\PATRIZIER II Gold\Patrizier 2.exe:*

isabled:Patrizier 2"
"C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2010-01-04 13:09:01 ----D---- C:\Programme\trend micro
2010-01-04 13:08:58 ----D---- C:\rsit
2010-01-04 11:57:09 ----SHD---- C:\Config.Msi
2010-01-03 21:16:55 ----D---- C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Avira
2010-01-03 21:16:54 ----D---- C:\Programme\Avira
2010-01-03 19:49:39 ----D---- C:\Dokumente und Einstellungen\XXXX\Anwendungsdaten\Malwarebytes
2010-01-03 19:48:05 ----D---- C:\Avenger
2010-01-03 19:48:05 ----A---- C:\avenger.txt
2010-01-03 17:23:48 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2010-01-03 17:23:48 ----D---- C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Malwarebytes
2010-01-03 12:49:31 ----D---- C:\Dokumente und Einstellungen\XXXX\Anwendungsdaten\QuickScan
2010-01-03 01:16:58 ----A---- C:\WINDOWS.0\system32\krl32mainweq.dll
2010-01-03 01:12:33 ----A---- C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Anwendungsdaten\sysReserve.ini
2009-12-29 16:04:33 ----D---- C:\WINDOWS.0\pss
2009-12-10 23:28:40 ----HDC---- C:\WINDOWS.0\$NtUninstallKB970430$
2009-12-10 23:28:26 ----HDC---- C:\WINDOWS.0\$NtUninstallKB974318$
2009-12-10 23:27:15 ----HDC---- C:\WINDOWS.0\$NtUninstallKB973904$
2009-12-10 23:25:47 ----HDC---- C:\WINDOWS.0\$NtUninstallKB974392$
2009-12-10 23:25:27 ----HDC---- C:\WINDOWS.0\$NtUninstallKB971737$
2009-11-27 13:23:31 ----D---- C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Anwendungsdaten\DVD Shrink
2009-11-25 19:38:19 ----HDC---- C:\WINDOWS.0\$NtUninstallKB976098-v2$
2009-11-25 19:37:56 ----HDC---- C:\WINDOWS.0\$NtUninstallKB973687$
2009-11-11 23:15:20 ----HDC---- C:\WINDOWS.0\$NtUninstallKB969947$
2009-10-14 23:26:45 ----HDC---- C:\WINDOWS.0\$NtUninstallKB958869$
2009-10-14 23:23:29 ----HDC---- C:\WINDOWS.0\$NtUninstallKB969059$
2009-10-14 23:22:25 ----HDC---- C:\WINDOWS.0\$NtUninstallKB954155_WM9$
2009-10-14 23:22:16 ----HDC---- C:\WINDOWS.0\$NtUninstallKB974112$
2009-10-14 23:22:06 ----HDC---- C:\WINDOWS.0\$NtUninstallKB975025$
2009-10-14 23:20:32 ----HDC---- C:\WINDOWS.0\$NtUninstallKB974571$
2009-10-14 23:19:23 ----HDC---- C:\WINDOWS.0\$NtUninstallKB971486$
2009-10-14 23:17:59 ----HDC---- C:\WINDOWS.0\$NtUninstallKB973525$
2009-10-14 23:17:36 ----HDC---- C:\WINDOWS.0\$NtUninstallKB975467$

======List of files/folders modified in the last 3 months======

2010-01-04 13:09:01 ----RD---- C:\Programme
2010-01-04 13:08:44 ----D---- C:\WINDOWS.0\Prefetch
2010-01-04 12:21:24 ----D---- C:\Programme\Mozilla Firefox
2010-01-04 12:08:21 ----D---- C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Adobe
2010-01-04 12:08:02 ----SHD---- C:\WINDOWS.0\Installer
2010-01-04 12:04:50 ----D---- C:\Programme\Gemeinsame Dateien\Adobe
2010-01-04 11:56:27 ----D---- C:\WINDOWS.0\system32
2010-01-04 11:56:01 ----D---- C:\WINDOWS.0
2010-01-04 11:49:05 ----D---- C:\WINDOWS.0\Temp
2010-01-04 11:48:51 ----D---- C:\WINDOWS.0\system32\CatRoot2
2010-01-04 02:16:37 ----A---- C:\WINDOWS.0\SchedLgU.Txt
2010-01-03 23:22:31 ----D---- C:\WINDOWS.0\system32\drivers
2010-01-03 21:18:40 ----HD---- C:\WINDOWS.0\inf
2010-01-03 21:15:45 ----D---- C:\WINDOWS.0\WinSxS
2010-01-03 16:05:29 ----D---- C:\WINDOWS.0\Minidump
2010-01-03 15:01:42 ----D---- C:\Dokumente und Einstellungen\XXXX\Anwendungsdaten\Skype
2010-01-03 12:55:41 ----RASH---- C:\boot.ini
2010-01-03 12:55:41 ----A---- C:\WINDOWS.0\win.ini
2010-01-03 12:55:41 ----A---- C:\WINDOWS.0\system.ini
2010-01-03 01:18:02 ----D---- C:\WINDOWS.0\Debug
2009-12-30 22:48:37 ----D---- C:\Programme\Google
2009-12-29 16:17:37 ----D---- C:\Programme\ahead
2009-12-11 16:56:35 ----A---- C:\WINDOWS.0\system32\PerfStringBackup.INI
2009-12-10 23:28:50 ----RSHDC---- C:\WINDOWS.0\system32\dllcache
2009-12-10 23:27:11 ----HD---- C:\WINDOWS.0\$hf_mig$
2009-12-10 23:26:44 ----D---- C:\WINDOWS.0\system32\de-de
2009-12-10 23:26:44 ----D---- C:\Programme\Internet Explorer
2009-12-10 23:26:19 ----D---- C:\WINDOWS.0\ie7updates
2009-12-01 21:06:19 ----A---- C:\WINDOWS.0\system32\MRT.exe
2009-11-21 13:13:22 ----SD---- C:\WINDOWS.0\Downloaded Program Files
2009-11-16 21:12:54 ----HD---- C:\Programme\InstallShield Installation Information
2009-11-16 19:17:04 ----RD---- C:\Programme\Skype
2009-11-16 19:16:18 ----D---- C:\Dokumente und Einstellungen\All Users.WINDOWS.0\Anwendungsdaten\Skype
2009-10-29 08:41:02 ----A---- C:\WINDOWS.0\system32\wininet.dll
2009-10-29 08:41:02 ----A---- C:\WINDOWS.0\system32\webcheck.dll
2009-10-29 08:41:02 ----A---- C:\WINDOWS.0\system32\urlmon.dll
2009-10-29 08:41:01 ----N---- C:\WINDOWS.0\system32\pngfilt.dll
2009-10-29 08:41:01 ----N---- C:\WINDOWS.0\system32\occache.dll
2009-10-29 08:41:01 ----N---- C:\WINDOWS.0\system32\mstime.dll
2009-10-29 08:41:01 ----A---- C:\WINDOWS.0\system32\url.dll
2009-10-29 08:41:00 ----N---- C:\WINDOWS.0\system32\msrating.dll
2009-10-29 08:41:00 ----N---- C:\WINDOWS.0\system32\mshtmled.dll
2009-10-29 08:41:00 ----A---- C:\WINDOWS.0\system32\mshtml.dll
2009-10-29 08:40:59 ----A---- C:\WINDOWS.0\system32\msfeedsbs.dll
2009-10-29 08:40:59 ----A---- C:\WINDOWS.0\system32\msfeeds.dll
2009-10-29 08:40:58 ----N---- C:\WINDOWS.0\system32\jsproxy.dll
2009-10-29 08:40:58 ----A---- C:\WINDOWS.0\system32\iertutil.dll
2009-10-29 08:40:57 ----N---- C:\WINDOWS.0\system32\iernonce.dll
2009-10-29 08:40:57 ----A---- C:\WINDOWS.0\system32\ieframe.dll
2009-10-29 08:40:56 ----N---- C:\WINDOWS.0\system32\iedkcs32.dll
2009-10-29 08:40:56 ----A---- C:\WINDOWS.0\system32\ieencode.dll
2009-10-29 08:40:55 ----N---- C:\WINDOWS.0\system32\ieaksie.dll
2009-10-29 08:40:55 ----A---- C:\WINDOWS.0\system32\ieapfltr.dll
2009-10-29 08:40:54 ----N---- C:\WINDOWS.0\system32\ieakeng.dll
2009-10-29 08:40:54 ----N---- C:\WINDOWS.0\system32\extmgr.dll
2009-10-29 08:40:54 ----N---- C:\WINDOWS.0\system32\dxtrans.dll
2009-10-29 08:40:54 ----N---- C:\WINDOWS.0\system32\dxtmsft.dll
2009-10-29 08:40:54 ----N---- C:\WINDOWS.0\system32\corpol.dll
2009-10-29 08:40:54 ----A---- C:\WINDOWS.0\system32\icardie.dll
2009-10-29 08:40:54 ----A---- C:\WINDOWS.0\system32\advpack.dll
2009-10-28 16:07:15 ----N---- C:\WINDOWS.0\system32\tzchange.exe
2009-10-28 15:35:50 ----N---- C:\WINDOWS.0\system32\ie4uinit.exe
2009-10-28 15:35:50 ----A---- C:\WINDOWS.0\system32\ieudinit.exe
2009-10-28 07:52:46 ----N---- C:\WINDOWS.0\system32\ieakui.dll
2009-10-21 06:38:36 ----A---- C:\WINDOWS.0\system32\strmfilt.dll
2009-10-21 06:38:36 ----A---- C:\WINDOWS.0\system32\httpapi.dll
2009-10-15 11:59:34 ----D---- C:\WINDOWS.0\Microsoft.NET
2009-10-15 11:59:19 ----RSD---- C:\WINDOWS.0\assembly
2009-10-13 11:32:34 ----A---- C:\WINDOWS.0\system32\oakley.dll
2009-10-12 14:38:18 ----A---- C:\WINDOWS.0\system32\rastls.dll
2009-10-12 14:38:18 ----A---- C:\WINDOWS.0\system32\raschap.dll
2009-10-06 17:54:31 ----D---- C:\WINDOWS.0\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS.0\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS.0\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R1 intelppm;Intel-Prozessortreiber; C:\WINDOWS.0\System32\DRIVERS\intelppm.sys [2008-04-14 40448]
R1 SiSkp;SiSkp; C:\WINDOWS.0\system32\drivers\srvkp.sys [2002-04-03 5760]
R1 SSHDRV58;SSHDRV58; \??\C:\WINDOWS.0\System32\drivers\SSHDRV58.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS.0\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\WINDOWS.0\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS.0\system32\Drivers\CVPNDRVA.sys []
R2 irda;IrDA-Protokoll; C:\WINDOWS.0\System32\DRIVERS\irda.sys [2008-04-13 88192]
R2 Sentinel;Sentinel; C:\WINDOWS.0\System32\Drivers\SENTINEL.SYS [1999-07-20 73216]
R3 CmBatt;Treiber für Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\WINDOWS.0\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS.0\system32\DRIVERS\dne2000.sys [2007-01-31 127376]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS.0\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS.0\system32\DRIVERS\LVPr2Mon.sys [2007-07-18 25624]
R3 MODEMCSA;Unimodem-Datenstromfiltergerät; C:\WINDOWS.0\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS.0\System32\DRIVERS\Mtlmnt5.sys [2002-05-05 194128]
R3 NSCIRDA;NSC-Infrarotgerätetreiber; C:\WINDOWS.0\System32\DRIVERS\nscirda.sys [2008-04-13 28672]
R3 pfc;Padus ASPI Shell; C:\WINDOWS.0\system32\drivers\pfc.sys [2003-12-05 10368]
R3 Rasirda;WAN-Miniport (IrDA); C:\WINDOWS.0\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SiS315;SiS315; C:\WINDOWS.0\System32\DRIVERS\sisgrp.sys [2002-06-13 201600]
R3 SiS7012;Service for AC'97 Sample Driver (WDM); C:\WINDOWS.0\system32\drivers\sis7012.sys [2002-06-17 798739]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS.0\System32\DRIVERS\sisnic.sys [2002-04-16 32256]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS.0\System32\DRIVERS\slntamr.sys [2002-06-17 417552]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS.0\System32\DRIVERS\SlWdmSup.sys [2002-03-14 39348]
R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS.0\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS.0\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 cdrbsvsd;cdrbsvsd; C:\WINDOWS.0\system32\drivers\cdrbsvsd.sys []
S2 Sntnlusb;Sntnlusb; C:\WINDOWS.0\System32\Drivers\SNTNLUSB.SYS [1999-07-20 8128]
S3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS.0\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 Bridge;MAC-Brücke; C:\WINDOWS.0\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC-Brückenminiport; C:\WINDOWS.0\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 CCDECODE;Untertiteldecoder; C:\WINDOWS.0\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS.0\System32\DRIVERS\CVirtA.sys [2007-01-18 5275]
S3 ENUM1394;%1394\031887&040892.DeviceDesc%; C:\WINDOWS.0\System32\DRIVERS\enum1394.sys [2001-08-17 6400]
S3 HidUsb;Microsoft HID Class-Treiber; C:\WINDOWS.0\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 k750bus;Sony Ericsson 750 driver (WDM); C:\WINDOWS.0\system32\DRIVERS\k750bus.sys [2005-02-11 55216]
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter; C:\WINDOWS.0\system32\DRIVERS\k750mdfl.sys [2005-02-11 6576]
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers; C:\WINDOWS.0\system32\DRIVERS\k750mdm.sys [2005-02-11 89872]
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers; C:\WINDOWS.0\system32\DRIVERS\k750mgmt.sys [2005-02-11 81728]
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers; C:\WINDOWS.0\system32\DRIVERS\k750obex.sys [2005-02-11 79488]
S3 LVcKap;Logitech AEC Driver; C:\WINDOWS.0\system32\DRIVERS\LVcKap.sys [2007-07-20 2109592]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS.0\system32\DRIVERS\LVMVDrv.sys [2007-07-20 2142488]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS.0\system32\drivers\LVUSBSta.sys [2007-07-19 41752]
S3 mouhid;Maus-HID-Treiber; C:\WINDOWS.0\System32\DRIVERS\mouhid.sys [2001-08-18 12288]
S3 MSIRCOMM;Microsoft IR Communications Driver; C:\WINDOWS.0\System32\DRIVERS\MSIRCOMM.sys [2008-04-13 22016]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\WINDOWS.0\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS.0\System32\DRIVERS\Mtlstrm.sys [2002-04-18 1805544]
S3 NABTSFEC;NABTS/FEC VBI-Codec; C:\WINDOWS.0\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV-/Videoverbindung; C:\WINDOWS.0\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS.0\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NtMtlFax;NtMtlFax; C:\WINDOWS.0\System32\DRIVERS\NtMtlFax.sys [2002-03-14 161984]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS.0\system32\DRIVERS\LV302V32.SYS [2007-07-19 1278104]
S3 s816bus;Sony Ericsson Device 816 driver (WDM); C:\WINDOWS.0\system32\DRIVERS\s816bus.sys [2007-06-19 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter; C:\WINDOWS.0\system32\DRIVERS\s816mdfl.sys [2007-06-19 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver; C:\WINDOWS.0\system32\DRIVERS\s816mdm.sys [2007-06-19 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM); C:\WINDOWS.0\system32\DRIVERS\s816mgmt.sys [2007-06-19 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS); C:\WINDOWS.0\system32\DRIVERS\s816nd5.sys [2007-06-19 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface; C:\WINDOWS.0\system32\DRIVERS\s816obex.sys [2007-06-19 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM); C:\WINDOWS.0\system32\DRIVERS\s816unic.sys [2007-06-19 97704]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS.0\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SlNtHal;SlNtHal; C:\WINDOWS.0\System32\DRIVERS\Slnthal.sys [2002-03-14 84720]
S3 SONYPVU1;Sony USB-Filtertreiber (SONYPVU1); C:\WINDOWS.0\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA-IPSink; C:\WINDOWS.0\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS.0\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS.0\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vsdatant;vsdatant; \??\C:\WINDOWS.0\System32\vsdatant.sys []
S3 WSTCODEC;World Standard Teletext-Codec; C:\WINDOWS.0\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS.0\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS.0\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS.0\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Programme\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 Bonjour Service;Bonjour-Dienst; C:\Programme\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Programme\Cisco Systems\VPN Client\cvpnd.exe [2007-04-03 1516584]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe [2001-10-25 90112]
R2 Irmon;Infrarotüberwachung; C:\WINDOWS.0\System32\svchost.exe [2008-04-14 14336]
R2 LVCOMSer;LVCOMSer; C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe [2007-07-20 186904]
R2 LVPrcSrv;Process Monitor; C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe [2007-07-20 137752]
R2 SLService;SmartLinkService; C:\WINDOWS.0\system32\slserv.exe [2002-05-05 45056]
R3 iPod Service;iPod-Dienst; C:\Programme\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 gupdate1c9f0fce0e3c9c0;Google Update Service (gupdate1c9f0fce0e3c9c0); C:\Programme\Google\Update\GoogleUpdate.exe [2009-06-19 133104]
S2 LVSrvLauncher;LVSrvLauncher; C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe [2007-07-20 141848]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS.0\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS.0\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS.0\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS.0\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Chris4You · 04.01.2010, 16:33

Hi,

da ist noch was...

Also:
Anleitung Avenger (by swandog46)

1.) Lade dir das Tool Avenger und speichere es auf dem Desktop:

2.) Das Programm so einstellen wie es auf dem Bild zu sehen ist.

Kopiere nun folgenden Text in das weiße Feld:
(bei -> "input script here")

Code:

ATTFilter

Files to delete:
C:\WINDOWS.0\system32\krl32mainweq.dll

3.) Schliesse nun alle Programme (vorher notfalls abspeichern!) und Browser-Fenster, nach dem Ausführen des Avengers wird das System neu gestartet.

4.) Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet!

5.) Nachdem das System neu gestartet ist, findest du hier einen Report vom Avenger -> C:\avenger.txt
Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Update MAM und lass es im Fullscanmode laufen und alles bereinigen...

chris

GumbuEsquire · 04.01.2010, 19:14

Oh,

dann schnell weg damit. Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS.0\system32\krl32mainweq.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Chris4You · 04.01.2010, 20:29

Hi,

na, was treibt der Rechner so?

chris

Antivir und andere Virenprogramme starten nicht / Rootkit?

Plagegeister aller Art und deren Bekämpfung: Antivir und andere Virenprogramme starten nicht / Rootkit?