Pests of all kinds and how to fight them: Virus on hard disk? Hidden? Antivirus program not usable (Windows 7)
05.01.2010, 16:08 | #31
Yes, it says 0 findings.
05.01.2010, 16:22 | #32
I don't know if it helps, but these are the logs from TDSSKiller:
15:24:24:578 0300 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
15:24:24:578 0300 ================================================================================
15:24:24:578 0300 SystemInfo:
15:24:24:578 0300 OS Version: 5.1.2600 ServicePack: 2.0
15:24:24:578 0300 Product type: Workstation
15:24:24:578 0300 ComputerName: OG
15:24:24:578 0300 UserName: Mathäus
15:24:24:578 0300 Windows directory: H:\WINDOWS
15:24:24:578 0300 Processor architecture: Intel x86
15:24:24:578 0300 Number of processors: 2
15:24:24:578 0300 Page size: 0x1000
15:24:24:578 0300 Boot type: Normal boot
15:24:24:578 0300 ================================================================================
15:24:24:578 0300 ForceUnloadDriver: NtUnloadDriver error 2
15:24:24:578 0300 ForceUnloadDriver: NtUnloadDriver error 2
15:24:24:578 0300 ForceUnloadDriver: NtUnloadDriver error 2
15:24:24:609 0300 MyNtCreateFileW: NtCreateFile(\??\H:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
15:24:24:609 0300 main: Driver KLMD successfully dropped
15:24:24:609 0300 main: Driver KLMD successfully loaded
15:24:24:609 0300 Scanning Registry ...
15:24:24:640 0300 ScanServices: Searching service UACd.sys
15:24:24:640 0300 ScanServices: Open/Create key error 2
15:24:24:640 0300 ScanServices: Searching service TDSSserv.sys
15:24:24:640 0300 ScanServices: Open/Create key error 2
15:24:24:640 0300 ScanServices: Searching service gaopdxserv.sys
15:24:24:640 0300 ScanServices: Open/Create key error 2
15:24:24:640 0300 ScanServices: Searching service gxvxcserv.sys
15:24:24:640 0300 ScanServices: Open/Create key error 2
15:24:24:640 0300 ScanServices: Searching service MSIVXserv.sys
15:24:24:640 0300 ScanServices: Open/Create key error 2
15:24:24:656 0300 UnhookRegistry: Kernel module file name: H:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
15:24:24:656 0300 UnhookRegistry: Kernel local addr: E00000
15:24:24:656 0300 UnhookRegistry: KeServiceDescriptorTable addr: E846E0
15:24:24:734 0300 UnhookRegistry: KiServiceTable addr: E2C960
15:24:24:734 0300 UnhookRegistry: NtEnumerateKey service number (local): 47
15:24:24:734 0300 UnhookRegistry: NtEnumerateKey local addr: F4B96E
15:24:24:750 0300 KLMD_OpenDevice: Trying to open KLMD device
15:24:24:750 0300 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
15:24:24:750 0300 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
15:24:24:750 0300 KLMD_ReadMem: Trying to ReadMemory 0x804FF801[0x4]
15:24:24:750 0300 UnhookRegistry: NtEnumerateKey service number (kernel): 47
15:24:24:750 0300 KLMD_ReadMem: Trying to ReadMemory 0x80503A7C[0x4]
15:24:24:750 0300 UnhookRegistry: NtEnumerateKey real addr: 8062296E
15:24:24:750 0300 UnhookRegistry: NtEnumerateKey calc addr: 8062296E
15:24:24:750 0300 UnhookRegistry: No SDT hooks found on NtEnumerateKey
15:24:24:750 0300 KLMD_ReadMem: Trying to ReadMemory 0x8062296E[0xA]
15:24:24:750 0300 UnhookRegistry: Splicing found on NtEnumerateKey
15:24:24:750 0300 KLMD_WriteMem: Trying to WriteMemory 0x8062296E[0xA]
15:24:24:750 0300 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
15:24:24:750 0300 Hidden service detected: H8SRTd.sys
Type "delete" (without quotes) to delete it:
-----------------------------------------------------------------------------
15:24:58:953 2580 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
15:24:58:953 2580 ================================================================================
15:24:58:953 2580 SystemInfo:
15:24:58:953 2580 OS Version: 5.1.2600 ServicePack: 2.0
15:24:58:953 2580 Product type: Workstation
15:24:58:953 2580 ComputerName: OG
15:24:58:953 2580 UserName: Mathäus
15:24:58:953 2580 Windows directory: H:\WINDOWS
15:24:58:953 2580 Processor architecture: Intel x86
15:24:58:953 2580 Number of processors: 2
15:24:58:953 2580 Page size: 0x1000
15:24:58:953 2580 Boot type: Normal boot
15:24:58:953 2580 ================================================================================
15:24:58:953 2580 main: Driver KLMD successfully unloaded
15:24:59:453 2580 ForceUnloadDriver: NtUnloadDriver error 2
15:24:59:453 2580 ForceUnloadDriver: NtUnloadDriver error 2
15:24:59:453 2580 MyNtCreateFileW: NtCreateFile(\??\H:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
15:24:59:453 2580 main: Driver KLMD successfully dropped
15:24:59:468 2580 main: Driver KLMD successfully loaded
15:24:59:468 2580 Scanning Registry ...
15:24:59:468 2580 ScanServices: Searching service UACd.sys
15:24:59:468 2580 ScanServices: Open/Create key error 2
15:24:59:468 2580 ScanServices: Searching service TDSSserv.sys
15:24:59:468 2580 ScanServices: Open/Create key error 2
15:24:59:468 2580 ScanServices: Searching service gaopdxserv.sys
15:24:59:468 2580 ScanServices: Open/Create key error 2
15:24:59:468 2580 ScanServices: Searching service gxvxcserv.sys
15:24:59:468 2580 ScanServices: Open/Create key error 2
15:24:59:468 2580 ScanServices: Searching service MSIVXserv.sys
15:24:59:468 2580 ScanServices: Open/Create key error 2
15:24:59:468 2580 UnhookRegistry: Kernel module file name: H:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
15:24:59:468 2580 UnhookRegistry: Kernel local addr: E00000
15:24:59:468 2580 UnhookRegistry: KeServiceDescriptorTable addr: E846E0
15:24:59:468 2580 UnhookRegistry: KiServiceTable addr: E2C960
15:24:59:468 2580 UnhookRegistry: NtEnumerateKey service number (local): 47
15:24:59:468 2580 UnhookRegistry: NtEnumerateKey local addr: F4B96E
15:24:59:468 2580 KLMD_OpenDevice: Trying to open KLMD device
15:24:59:468 2580 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
15:24:59:468 2580 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0x804FF801[0x4]
15:24:59:468 2580 UnhookRegistry: NtEnumerateKey service number (kernel): 47
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0x80503A7C[0x4]
15:24:59:468 2580 UnhookRegistry: NtEnumerateKey real addr: 8062296E
15:24:59:468 2580 UnhookRegistry: NtEnumerateKey calc addr: 8062296E
15:24:59:468 2580 UnhookRegistry: No SDT hooks found on NtEnumerateKey
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0x8062296E[0xA]
15:24:59:468 2580 UnhookRegistry: No splicing found on NtEnumerateKey
15:24:59:468 2580 Scanning Kernel memory ...
15:24:59:468 2580 KLMD_OpenDevice: Trying to open KLMD device
15:24:59:468 2580 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
15:24:59:468 2580 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
15:24:59:468 2580 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 866EBA08
15:24:59:468 2580 DetectCureTDL3: KLMD_GetDeviceObjectList returned 8 DevObjects
15:24:59:468 2580 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 862F8030
15:24:59:468 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 862F8030
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0x862F8030[0x38]
15:24:59:468 2580 DetectCureTDL3: DRIVER_OBJECT addr: 866EBA08
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0x866EBA08[0xA8]
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1017898[0x208]
15:24:59:468 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:24:59:468 2580 DetectCureTDL3: IrpHandler (0) addr: F7641C30
15:24:59:468 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (2) addr: F7641C30
15:24:59:468 2580 DetectCureTDL3: IrpHandler (3) addr: F763BD9B
15:24:59:468 2580 DetectCureTDL3: IrpHandler (4) addr: F763BD9B
15:24:59:468 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (9) addr: F763C366
15:24:59:468 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (14) addr: F763C44D
15:24:59:468 2580 DetectCureTDL3: IrpHandler (15) addr: F763FFC3
15:24:59:468 2580 DetectCureTDL3: IrpHandler (16) addr: F763C366
15:24:59:468 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (22) addr: F763DEF3
15:24:59:468 2580 DetectCureTDL3: IrpHandler (23) addr: F7642A24
15:24:59:468 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:468 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:468 2580 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
15:24:59:468 2580 KLMD_ReadMem: DeviceIoControl error 1
15:24:59:468 2580 TDL3_StartIoHookDetect: Unable to get StartIo handler code
15:24:59:468 2580 TDL3_FileDetect: Processing driver: Disk
15:24:59:468 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\disk.sys, H:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
15:24:59:468 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\disk.sys
15:24:59:468 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\disk.sys
15:24:59:484 2580 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 862C85E0
15:24:59:484 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 862C85E0
15:24:59:484 2580 KLMD_ReadMem: Trying to ReadMemory 0x862C85E0[0x38]
15:24:59:484 2580 DetectCureTDL3: DRIVER_OBJECT addr: 866EBA08
15:24:59:484 2580 KLMD_ReadMem: Trying to ReadMemory 0x866EBA08[0xA8]
15:24:59:484 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1017898[0x208]
15:24:59:484 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:24:59:484 2580 DetectCureTDL3: IrpHandler (0) addr: F7641C30
15:24:59:484 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (2) addr: F7641C30
15:24:59:484 2580 DetectCureTDL3: IrpHandler (3) addr: F763BD9B
15:24:59:484 2580 DetectCureTDL3: IrpHandler (4) addr: F763BD9B
15:24:59:484 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (9) addr: F763C366
15:24:59:484 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:484 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (14) addr: F763C44D
15:24:59:500 2580 DetectCureTDL3: IrpHandler (15) addr: F763FFC3
15:24:59:500 2580 DetectCureTDL3: IrpHandler (16) addr: F763C366
15:24:59:500 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (22) addr: F763DEF3
15:24:59:500 2580 DetectCureTDL3: IrpHandler (23) addr: F7642A24
15:24:59:500 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:500 2580 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
15:24:59:500 2580 KLMD_ReadMem: DeviceIoControl error 1
15:24:59:500 2580 TDL3_StartIoHookDetect: Unable to get StartIo handler code
15:24:59:500 2580 TDL3_FileDetect: Processing driver: Disk
15:24:59:500 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\disk.sys, H:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
15:24:59:500 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\disk.sys
15:24:59:500 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\disk.sys
15:24:59:500 2580 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8647C268
15:24:59:500 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8647C268
15:24:59:500 2580 KLMD_ReadMem: Trying to ReadMemory 0x8647C268[0x38]
15:24:59:500 2580 DetectCureTDL3: DRIVER_OBJECT addr: 866EBA08
15:24:59:500 2580 KLMD_ReadMem: Trying to ReadMemory 0x866EBA08[0xA8]
15:24:59:500 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1017898[0x208]
15:24:59:500 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:24:59:500 2580 DetectCureTDL3: IrpHandler (0) addr: F7641C30
15:24:59:500 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (2) addr: F7641C30
15:24:59:500 2580 DetectCureTDL3: IrpHandler (3) addr: F763BD9B
15:24:59:500 2580 DetectCureTDL3: IrpHandler (4) addr: F763BD9B
15:24:59:500 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (9) addr: F763C366
15:24:59:500 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (14) addr: F763C44D
15:24:59:500 2580 DetectCureTDL3: IrpHandler (15) addr: F763FFC3
15:24:59:500 2580 DetectCureTDL3: IrpHandler (16) addr: F763C366
15:24:59:500 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (22) addr: F763DEF3
15:24:59:500 2580 DetectCureTDL3: IrpHandler (23) addr: F7642A24
15:24:59:500 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:500 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:500 2580 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
15:24:59:500 2580 KLMD_ReadMem: DeviceIoControl error 1
15:24:59:500 2580 TDL3_StartIoHookDetect: Unable to get StartIo handler code
15:24:59:500 2580 TDL3_FileDetect: Processing driver: Disk
15:24:59:500 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\disk.sys, H:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
15:24:59:500 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\disk.sys
15:24:59:500 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\disk.sys
15:24:59:515 2580 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 85EC3AB8
15:24:59:515 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85EC3AB8
15:24:59:515 2580 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 865B2918
15:24:59:515 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 865B2918
15:24:59:515 2580 KLMD_ReadMem: Trying to ReadMemory 0x865B2918[0x38]
15:24:59:515 2580 DetectCureTDL3: DRIVER_OBJECT addr: 85EB0240
15:24:59:515 2580 KLMD_ReadMem: Trying to ReadMemory 0x85EB0240[0xA8]
15:24:59:515 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1CB6820[0x208]
15:24:59:515 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
15:24:59:515 2580 DetectCureTDL3: IrpHandler (0) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (2) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (3) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (4) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (9) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (14) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (15) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (16) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (22) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (23) addr: 85EBD1F8
15:24:59:515 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:515 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:515 2580 KLMD_ReadMem: Trying to ReadMemory 0xF79D4F26[0x400]
15:24:59:515 2580 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
15:24:59:515 2580 TDL3_FileDetect: Processing driver: usbstor
15:24:59:515 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\usbstor.sys, H:\WINDOWS\system32\Drivers\usbstor.tsk, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\usbstor.tsk
15:24:59:515 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\usbstor.sys
15:24:59:515 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\usbstor.sys
15:24:59:546 2580 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 86171290
15:24:59:546 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86171290
15:24:59:546 2580 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 862A5D08
15:24:59:546 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 862A5D08
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0x862A5D08[0x38]
15:24:59:546 2580 DetectCureTDL3: DRIVER_OBJECT addr: 85EB0240
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0x85EB0240[0xA8]
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1CB6820[0x208]
15:24:59:546 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
15:24:59:546 2580 DetectCureTDL3: IrpHandler (0) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (2) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (3) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (4) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (9) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (14) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (15) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (16) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (22) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (23) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0xF79D4F26[0x400]
15:24:59:546 2580 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
15:24:59:546 2580 TDL3_FileDetect: Processing driver: usbstor
15:24:59:546 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\usbstor.sys, H:\WINDOWS\system32\Drivers\usbstor.tsk, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\usbstor.tsk
15:24:59:546 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\usbstor.sys
15:24:59:546 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\usbstor.sys
15:24:59:546 2580 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8654E030
15:24:59:546 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8654E030
15:24:59:546 2580 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8628BD08
15:24:59:546 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8628BD08
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0x8628BD08[0x38]
15:24:59:546 2580 DetectCureTDL3: DRIVER_OBJECT addr: 85EB0240
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0x85EB0240[0xA8]
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1CB6820[0x208]
15:24:59:546 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
15:24:59:546 2580 DetectCureTDL3: IrpHandler (0) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (2) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (3) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (4) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (9) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (14) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (15) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (16) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (22) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (23) addr: 85EBD1F8
15:24:59:546 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:546 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:546 2580 KLMD_ReadMem: Trying to ReadMemory 0xF79D4F26[0x400]
15:24:59:546 2580 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0
15:24:59:546 2580 TDL3_FileDetect: Processing driver: usbstor
15:24:59:546 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\usbstor.sys, H:\WINDOWS\system32\Drivers\usbstor.tsk, SYSTEM\CurrentControlSet\Services\usbstor, system32\Drivers\usbstor.tsk
15:24:59:546 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\usbstor.sys
15:24:59:546 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\usbstor.sys
15:24:59:562 2580 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 866E2C68
15:24:59:562 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 866E2C68
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0x866E2C68[0x38]
15:24:59:562 2580 DetectCureTDL3: DRIVER_OBJECT addr: 866EBA08
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0x866EBA08[0xA8]
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1017898[0x208]
15:24:59:562 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:24:59:562 2580 DetectCureTDL3: IrpHandler (0) addr: F7641C30
15:24:59:562 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (2) addr: F7641C30
15:24:59:562 2580 DetectCureTDL3: IrpHandler (3) addr: F763BD9B
15:24:59:562 2580 DetectCureTDL3: IrpHandler (4) addr: F763BD9B
15:24:59:562 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (9) addr: F763C366
15:24:59:562 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (14) addr: F763C44D
15:24:59:562 2580 DetectCureTDL3: IrpHandler (15) addr: F763FFC3
15:24:59:562 2580 DetectCureTDL3: IrpHandler (16) addr: F763C366
15:24:59:562 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (22) addr: F763DEF3
15:24:59:562 2580 DetectCureTDL3: IrpHandler (23) addr: F7642A24
15:24:59:562 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
15:24:59:562 2580 KLMD_ReadMem: DeviceIoControl error 1
15:24:59:562 2580 TDL3_StartIoHookDetect: Unable to get StartIo handler code
15:24:59:562 2580 TDL3_FileDetect: Processing driver: Disk
15:24:59:562 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\disk.sys, H:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
15:24:59:562 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\disk.sys
15:24:59:562 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\disk.sys
15:24:59:562 2580 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 866AEAB8
15:24:59:562 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 866AEAB8
15:24:59:562 2580 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 867139E8
15:24:59:562 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867139E8
15:24:59:562 2580 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 866B1D98
15:24:59:562 2580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 866B1D98
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0x866B1D98[0x38]
15:24:59:562 2580 DetectCureTDL3: DRIVER_OBJECT addr: 866B5B60
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0x866B5B60[0xA8]
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0xE1001730[0x208]
15:24:59:562 2580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:24:59:562 2580 DetectCureTDL3: IrpHandler (0) addr: 867661F8
15:24:59:562 2580 DetectCureTDL3: IrpHandler (1) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (2) addr: 867661F8
15:24:59:562 2580 DetectCureTDL3: IrpHandler (3) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (4) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (5) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (6) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (7) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (8) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (9) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (10) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (11) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (12) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (13) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (14) addr: 867661F8
15:24:59:562 2580 DetectCureTDL3: IrpHandler (15) addr: F7AE56C1
15:24:59:562 2580 DetectCureTDL3: IrpHandler (16) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (17) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (18) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (19) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (20) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (21) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (22) addr: 867661F8
15:24:59:562 2580 DetectCureTDL3: IrpHandler (23) addr: 867661F8
15:24:59:562 2580 DetectCureTDL3: IrpHandler (24) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (25) addr: 804F4476
15:24:59:562 2580 DetectCureTDL3: IrpHandler (26) addr: 804F4476
15:24:59:562 2580 KLMD_ReadMem: Trying to ReadMemory 0xF732C7C6[0x400]
15:24:59:562 2580 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 229, 0
15:24:59:562 2580 TDL3_FileDetect: Processing driver: atapi
15:24:59:562 2580 TDL3_FileDetect: Parameters: H:\WINDOWS\system32\drivers\atapi.sys, H:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
15:24:59:562 2580 TDL3_FileDetect: Processing driver file: H:\WINDOWS\system32\drivers\atapi.sys
15:24:59:562 2580 KLMD_CreateFileW: Trying to open file H:\WINDOWS\system32\drivers\atapi.sys
15:24:59:593 2580 Completed Results:
15:24:59:593 2580 Infected objects in memory: 0
15:24:59:593 2580 Cured objects in memory: 0
15:24:59:593 2580 Infected objects on disk: 0
15:24:59:593 2580 Objects on disk cured on reboot: 0
15:24:59:593 2580 Objects on disk deleted on reboot: 0
15:24:59:593 2580 Registry nodes deleted on reboot: 0
15:24:59:593 2580 -------------------------------------------------------------------------------
15:29:09:890 1584 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
15:29:09:890 1584 ================================================================================
15:29:09:890 1584 SystemInfo:
15:29:09:890 1584 OS Version: 5.1.2600 ServicePack: 2.0
15:29:09:890 1584 Product type: Workstation
15:29:09:890 1584 ComputerName: OG
15:29:09:890 1584 UserName: Mathäus
15:29:09:890 1584 Windows directory: H:\WINDOWS
15:29:09:890 1584 Processor architecture: Intel x86
15:29:09:890 1584 Number of processors: 2
15:29:09:890 1584 Page size: 0x1000
15:29:09:890 1584 Boot type: Safe boot
15:29:09:890 1584 ================================================================================
15:29:09:890 1584 ForceUnloadDriver: NtUnloadDriver error 2
15:29:09:890 1584 ForceUnloadDriver: NtUnloadDriver error 2
15:29:09:890 1584 ForceUnloadDriver: NtUnloadDriver error 2
15:29:09:921 1584 MyNtCreateFileW: NtCreateFile(\??\H:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
15:29:09:921 1584 main: Driver KLMD successfully dropped
15:29:09:921 1584 main: Driver KLMD successfully loaded
15:29:09:921 1584 Scanning Registry ...
15:29:09:953 1584 ScanServices: Searching service UACd.sys
15:29:09:953 1584 ScanServices: Open/Create key error 2
15:29:09:953 1584 ScanServices: Searching service TDSSserv.sys
15:29:09:953 1584 ScanServices: Open/Create key error 2
15:29:09:953 1584 ScanServices: Searching service gaopdxserv.sys
15:29:09:953 1584 ScanServices: Open/Create key error 2
15:29:09:953 1584 ScanServices: Searching service gxvxcserv.sys
15:29:09:953 1584 ScanServices: Open/Create key error 2
15:29:09:953 1584 ScanServices: Searching service MSIVXserv.sys
15:29:09:953 1584 ScanServices: Open/Create key error 2
15:29:09:953 1584 UnhookRegistry: Kernel module file name: H:\windows\system32\ntoskrnl.exe, base addr: 804D7000
15:29:09:953 1584 UnhookRegistry: Kernel local addr: DB0000
15:29:09:968 1584 UnhookRegistry: KeServiceDescriptorTable addr: E3A500
15:29:10:546 1584 UnhookRegistry: KiServiceTable addr: DBD8B0
15:29:10:546 1584 UnhookRegistry: NtEnumerateKey service number (local): 47
15:29:10:546 1584 UnhookRegistry: NtEnumerateKey local addr: E513A4
15:29:10:578 1584 KLMD_OpenDevice: Trying to open KLMD device
15:29:10:578 1584 UnhookRegistry: Cannot get access to KLMD, error 2
15:29:10:578 1584 ScanHiddenServices: UnhookRegistry error
15:29:10:578 1584 Scanning Kernel memory ...
15:29:10:578 1584 KLMD_OpenDevice: Trying to open KLMD device
15:29:10:578 1584 DetectCureTDL3: Cannot get access to KLMD, error 2
15:29:10:578 1584 DetectCureTDL3 failed
15:29:10:578 1584 UnloadDriver: NtUnloadDriver error 2
15:29:10:593 1584 main: Driver KLMD unload error
15:29:10:593 1584 Completed Results:
15:29:10:593 1584 Infected objects in memory: 0
15:29:10:593 1584 Cured objects in memory: 0
15:29:10:593 1584 Infected objects on disk: 0
15:29:10:593 1584 Objects on disk cured on reboot: 0
15:29:10:593 1584 Objects on disk deleted on reboot: 0
15:29:10:593 1584 Registry nodes deleted on reboot: 0
15:29:10:593 1584
05.01.2010, 17:35 | #33 |
| Logfile from Malwarebytes. Delete everything, or?

Malwarebytes' Anti-Malware 1.43
Datenbank Version: 3458
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

05.01.2010 17:34:37
mbam-log-2010-01-05 (17-34-28).txt

Scan-Methode: Vollständiger Scan (H:\|)
Durchsuchte Objekte: 247866
Laufzeit: 31 minute(s), 49 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 1
Infizierte Dateien: 10

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9d71d88c-c598-4935-c5d1-43aa4db90836} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PTECH (Adware.21Nova) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\W32xgl2 (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\W32xgl2 (Backdoor.Bot) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
H:\Programme\malware Defense (Rogue.MalwareDefense) -> No action taken.

Infizierte Dateien:
H:\Programme\win32GI\svchost.exe (Trojan.Agent) -> No action taken.
H:\Dokumente und Einstellungen\Mathäus\Desktop\Zwischenablage\CryptLoad_1.1.6\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> No action taken.
H:\Dokumente und Einstellungen\Mathäus\Desktop\Zwischenablage\CryptLoad_1.1.6\router\FRITZ!Box\nc.exe (PUP.KeyLogger) -> No action taken.
H:\Dokumente und Einstellungen\Mathäus\Desktop\Zwischenablage\Rapidshare_Downloader_0.59_Alpha_Recon\fritz!box reconnect\nc.exe (PUP.KeyLogger) -> No action taken.
H:\Programme\Malware Defense\mdext.dll (Trojan.FakeAlert) -> No action taken.
H:\WINDOWS\system32\ogZ1Tf3.mph (Trojan.Downloader) -> No action taken.
H:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> No action taken.
H:\Programme\win32GI\klog.dat (Malware.Trace) -> No action taken.
H:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> No action taken.
H:\Dokumente und Einstellungen\Mathäus\Anwendungsdaten\addons.dat (Bifrose.Trace) -> No action taken. |
05.01.2010, 17:44 | #34 |
| Good, renaming mbam.exe in the Malwarebytes installation folder helped. OK, so the rootkit is on there after all, even though it wasn't detected before. Yes, delete all infected files. |
05.01.2010, 18:17 | #35 |
| Sooo, Kaspersky and so on starts again, i.e. a small success can be seen. THANKS, but my hard disk is still not detected.... I just wanted to check whether I can format the hard disk, but the system tells me that no hard disk is present... when booting it also likes to hang on the Windows loading screen. |
05.01.2010, 18:20 | #36 |
| The rootkit should be deactivated, but remnants of it are surely still lurking on your disk! The malware that was hidden by the rootkit is probably still active too, or at least remnants of it. So now please:
1. Run CCleaner once more
2. Run a virus scan with an up-to-date! virus scanner
3. Post a HijackThis log |
05.01.2010, 18:22 | #37 |
| Thanks, will do. Will post everything as soon as possible |
05.01.2010, 20:25 | #38 |
| Ran CCleaner, did a complete scan with AVG and deleted the findings. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:11, on 05.01.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Programme\Bonjour\mDNSResponder.exe
H:\Programme\Java\jre6\bin\jqs.exe
H:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\Programme\XpertVision\TBPanel.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Programme\Winamp\winampa.exe
H:\WINDOWS\system32\RunDll32.exe
H:\Programme\ScanSoft\OmniPageSE4\OpwareSE4.exe
H:\Programme\FreePDF_XP\fpassist.exe
H:\WINDOWS\system32\RunDll32.exe
H:\Programme\QuickTime\QTTask.exe
H:\Programme\Java\jre6\bin\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Programme\DAEMON Tools Lite\daemon.exe
H:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
H:\Programme\Gemeinsame Dateien\Marmiko Shared\MWLaMaS.exe
H:\Programme\AVG\AVG9\avgrsx.exe
H:\Programme\AVG\AVG9\avgchsvx.exe
H:\Programme\AVG\AVG9\avgcsrvx.exe
H:\WINDOWS\System32\svchost.exe
H:\Programme\Mozilla Firefox\firefox.exe
H:\Programme\AVG\AVG9\avgwdsvc.exe
H:\Programme\AVG\AVG9\avgnsx.exe
H:\Programme\AVG\AVG9\avgemc.exe
H:\Programme\AVG\AVG9\avgcsrvx.exe
H:\Programme\AVG\AVG9\avgtray.exe
H:\Dokumente und Einstellungen\Mathäus\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Programme\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebSpeechBHO Class - {83A30C59-3A50-49E6-9DAF-4923C4EA3C23} - H:\Programme\Gemeinsame Dateien\WebSpeech.4.0\LgxIEBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - H:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Gainward] H:\Programme\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [WinampAgent] H:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SSBkgdUpdate] "H:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "H:\Programme\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] H:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] H:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunServices: [SyteUpdtes] shfpcu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Steam] "h:\programme\steam\steam.exe" -silent
O4 - HKCU\..\Run: [T-Online_Software_6\WLAN-Access Finder] H:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe /StartMinimized
O4 - HKCU\..\RunServices: [SyteUpdtes] shfpcu.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = H:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: WebSpeech - {1CE4DE72-7FCC-4eb8-8F66-AE6A56A0A54D} - H:\Programme\Gemeinsame Dateien\WebSpeech.4.0\LgxIEBar.dll
O9 - Extra 'Tools' menuitem: Seite/Markierung vorlesen (WebSpeech) - {1CE4DE72-7FCC-4eb8-8F66-AE6A56A0A54D} - H:\Programme\Gemeinsame Dateien\WebSpeech.4.0\LgxIEBar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - H:\Programme\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Programme\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - H:\Programme\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - H:\Programme\AVG\AVG9\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - Deutsche Telekom AG, Marmiko IT-Solutions GmbH - H:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - H:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - H:\Programme\T-DSL SpeedManager\tsmsvc.exe

--
End of file - 7644 bytes |
05.01.2010, 20:55 | #39 |
| OK, in HijackThis please fix all no-file entries! Two entries are still very suspicious, probably malicious:
Code:
O4 - HKLM\..\RunServices: [SyteUpdtes] shfpcu.exe
O4 - HKCU\..\RunServices: [SyteUpdtes] shfpcu.exe
Then please scan with GMER and post the log here. |
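A small triage helper for the two checks the post above asks for (dead "(no file)" / "(file missing)" references, and autostart entries that launch a bare file name with no path, as with [SyteUpdtes] shfpcu.exe), added here as an example; it is not part of HijackThis or of the original posts. The sample log lines are constructed from the log in this thread, and the output is a review list rather than a verdict, which is why the legitimate HDAudPropShortcut.exe entry is flagged too.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the HijackThis log posted in this thread.
# Backslashes are doubled because this is a normal (non-raw) Python string.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE H:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [Verknuepfung mit der HD Audio-Eigenschaftenseite] HDAudPropShortcut.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "H:\\Programme\\QuickTime\\QTTask.exe" -atboottime
O4 - HKLM\\..\\RunServices: [SyteUpdtes] shfpcu.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] H:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\RunServices: [SyteUpdtes] shfpcu.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - H:\\WINDOWS\\system32\\GameMon.des.exe (file missing)
"""

# O4 autostart line: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Launchers that are themselves system binaries; the interesting target is
# the DLL/CPL they are told to load, not the launcher.
LAUNCHERS = {"rundll32", "rundll32.exe"}


def launched_target(cmd: str) -> str:
    """Return the file an O4 command line actually launches.

    Handles quoted paths and rundll32-style launchers.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(maxsplit=1)
    if not parts:
        return ""
    if parts[0].lower() in LAUNCHERS and len(parts) > 1:
        return launched_target(parts[1])
    return parts[0]


def has_directory(target: str) -> bool:
    """True when the target carries a drive or directory component."""
    return "\\" in target or ":" in target


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Return the HijackThis lines a reviewer should look at first.

    Two heuristics, mirroring the advice in the thread:
      * entries whose target reports "(no file)" / "(file missing)" are
        dead references and can simply be fixed;
      * O4 autostart entries that launch a bare file name with no path
        (like [SyteUpdtes] shfpcu.exe) are resolved through the executable
        search order and are a classic trait of malware, although some
        legitimate vendors do it too, so each hit still needs a human look.
    """
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append({"line": line, "reason": "target no longer exists on disk"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        target = launched_target(m.group("cmd"))
        if target and not has_directory(target):
            findings.append({
                "line": line,
                "reason": f"autostart under {m.group('hive')}\\..\\{m.group('key')} "
                          f"launches bare file name {target!r} with no path",
            })
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```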
05.01.2010, 20:59 | #40 | |
| Quote:
and what is MAM? |
05.01.2010, 21:12 | #41 |
| Virus on hard disk? hidden? virus program not usable |
05.01.2010, 22:01 | #42 |
| Here is the GMER log: at the end there was also something about the rootkit

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-05 21:56:24
Windows 5.1.2600 Service Pack 2
Running: wenqhn5r.exe; Driver: H:\DOKUME~1\MATHUS~1\LOKALE~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

INT 0x62 ? 867D6BF8
INT 0x63 ? 865C8BF8
INT 0x73 ? 867D6BF8
INT 0x73 ? 867D6BF8
INT 0x73 ? 865C8BF8
INT 0x83 ? 865C8BF8
INT 0xB4 ? 865C8BF8

Code 8618F8C0 ZwEnumerateKey
Code 8618F888 ZwFlushInstructionCache
Code 8618F8F6 IofCallDriver
Code 861C21AE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF0BC 5 Bytes JMP 8618F8FB
.text ntkrnlpa.exe!IofCompleteRequest 804EF14C 5 Bytes JMP 861C21B3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B528A 5 Bytes JMP 8618F88C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8062296E 5 Bytes JMP 8618F8C4
? spsv.sys Das System kann die angegebene Datei nicht finden. !
.text H:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6945360, 0x24526E, 0xE8000020]
.text USBPORT.SYS!DllUnload F690262C 5 Bytes JMP 865C81D8
? System32\Drivers\avgtdix.sys Das System kann den angegebenen Pfad nicht finden. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73DC040] spsv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73DC13C] spsv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73DC0BE] spsv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73DC7FC] spsv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73DC6D2] spsv.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867D51F8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
Device \Driver\usbuhci \Device\USBPDO-0 865D23F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867681F8
Device \Driver\dmio \Device\DmControl\DmConfig 867681F8
Device \Driver\dmio \Device\DmControl\DmPnP 867681F8
Device \Driver\dmio \Device\DmControl\DmInfo 867681F8
Device \Driver\usbuhci \Device\USBPDO-1 865D23F8
Device \Driver\usbuhci \Device\USBPDO-2 865D23F8
Device \Driver\usbuhci \Device\USBPDO-3 865D23F8
Device \Driver\PCI_PNP3264 \Device\00000055 spsv.sys
Device \Driver\PCI_PNP3264 \Device\00000055 spsv.sys
Device \Driver\usbehci \Device\USBPDO-4 865C31F8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
Device \Driver\prodrv06 \Device\ProDrv06 E226AA18
Device \Driver\NetBT \Device\NetBT_Tcpip_{C9FA4B80-2450-4CF7-ADB4-6716B7930C8E} 85FB81F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 867D71F8
Device \Driver\atapi \Device\Ide\IdePort0 867D61F8
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 867D61F8
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 867D61F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 867D61F8
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 867D61F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 867D61F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000080 85FB21F8
Device \Driver\prohlp02 \Device\ProHlp02 E10115B8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85FB81F8
Device \Driver\usbstor \Device\00000084 85FB21F8
Device \Driver\usbstor \Device\00000085 85FB21F8
Device \Driver\NetBT \Device\NetbiosSmb 85FB81F8
Device \Driver\usbstor \Device\00000086 85FB21F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
Device \Driver\sptd \Device\3566105764 spsv.sys
Device \Driver\usbuhci \Device\USBFDO-0 865D23F8
Device \Driver\usbuhci \Device\USBFDO-1 865D23F8
Device \Driver\usbuhci \Device\USBFDO-2 865D23F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85FAF1F8
Device \Driver\usbuhci \Device\USBFDO-3 865D23F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85FAF1F8
Device \Driver\Ftdisk \Device\FtControl 867D71F8
Device \Driver\usbehci \Device\USBFDO-4 865C31F8
Device \Driver\a6g5daju \Device\Scsi\a6g5daju1 8649E1F8
Device \Driver\a6g5daju \Device\Scsi\a6g5daju1Port3Path0Target0Lun0 8649E1F8
Device \FileSystem\Cdfs \Cdfs 8649F1F8

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTmrvvcxjbfr.sys (*** hidden *** ) F4305000-F4322000 (118784 bytes)

---- Processes - GMER 1.0.15 ----

Library H:\Programme\AVG\AVG9\avgse.dll (*** hidden *** ) @ H:\WINDOWS\Explorer.EXE [196] 0x6C330000
Library H:\Programme\AVG\AVG9\avgse.dll (*** hidden *** ) @ H:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [1232] 0x6C330000

---- Services - GMER 1.0.15 ----

Service H:\WINDOWS\system32\drivers\H8SRTmrvvcxjbfr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTmrvvcxjbfr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTmrvvcxjbfr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqjixjsalgk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTufobaymeht.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTitesodesmo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTmrdkrwkybw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x54 0x22 0x6A 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x0F 0xC3 0x82 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD8 0x6E 0xF0 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTmrvvcxjbfr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTmrvvcxjbfr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqjixjsalgk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTufobaymeht.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTitesodesmo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTmrdkrwkybw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x54 0x22 0x6A 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x0F 0xC3 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD8 0x6E 0xF0 0xC2 ...

---- EOF - GMER 1.0.15 ---- |
05.01.2010, 22:55 | #43 |
| If the rootkit is still active, do the following. It has already been mentioned in other posts and a general guide on it should be available soon (thx @ Chris). Download Avenger and put it on the desktop. Tick the box for rootkit scan and paste these lines into Input Script:
Code:
Drivers to delete:
H8SRTd.sys
After a reboot there should now be a log at C:\avenger.txt. Post it here! Then run a Malwarebytes scan and delete everything. That should take care of it |
05.01.2010, 22:59 | #44 |
| Here is the log from RootkitBuster: there still seems to be something there. I'll do the Avenger step now first.

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.52.0.1013
+----------------------------------------------------

--== Dump Hidden MBR and Hidden File on H:\ ==--
[HIDDEN_FILE]:
FullPath : H:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Temp\H8SRTb869.tmp
FullPathLength: 78
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : H:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Temp\h8srtmainqt.dll
FullPathLength: 80
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : H:\WINDOWS\system32\drivers\H8SRTmrvvcxjbfr.sys
FullPathLength: 47
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : H:\WINDOWS\system32\H8SRTitesodesmo.dll
FullPathLength: 39
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : H:\WINDOWS\system32\H8SRTmrdkrwkybw.dll
FullPathLength: 39
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : H:\WINDOWS\system32\H8SRTqjixjsalgk.dll
FullPathLength: 39
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : H:\WINDOWS\system32\H8SRTufobaymeht.dat
FullPathLength: 39
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
7 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found. |
05.01.2010, 23:08 | #45 | |
| Quote:
Uiuiui^^ after I ran Avenger, Windows wouldn't boot anymore. After the Windows loading screen there was constantly a bluescreen and the computer restarted. Luckily I was able to boot the computer again "with the last known good configuration". Maybe I had already deleted the rootkits with the previous program, hence maybe the bluescreen. edit: and I still can't format my hard disk, even though the virus and the infected files "seem" to be gone. Last edited by lips (05.01.2010 at 23:56) |