| |
| |||||||
Log-Analyse und Auswertung: Rootkit-Invasion? Antimalware? H8SRT? Logfile-AnalyseWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
15.01.2010, 22:31
| #1 |
 |  Rootkit-Invasion? Antimalware? H8SRT? Logfile-Analyse Hallo, lange nichts gehabt, habe ich mir nun etwas Hartnäckiges eingefangen, dass sich auch mit a-squared und MAM nicht entfernen kann, immer wieder tauchen der Virusname Trojan.Vundo auf und in den gefundenen Traces mal H8SSRT, mal Antimalware auf. Die Keys lassen sich weder manuell noch mit den Scannern löschen, die gelöschten Trojaner beleben sich immer wieder neu. Anfangs hatte ich auch Malware Defense und TdssDateien, die hat a-squared aber scheinbar beseitigen können. Deshalb poste ich Euch jetzt mal den aktuellen RSIT Log und den GMER Log, da es sich um eine Rootkit-Invasion zu handeln scheint. Auch wenn ich mir jetzt schon einiges in Euerm Board angelesen habe, weiss ich jetzt nicht mehr weiter, traue mich auch nur noch ins Netz, um Euch zu schreiben…, nach der heutigen Tagesschau werde ich mir nach baldiger Heilung erstmal Mozilla beschaffen….Wie kann ich jetzt weitermachen? Hier also die Logs, weiter unten kommt noch der von GMER, MAM und a-squared…: Logfile of random's system information tool 1.06 (written by random/random) Run by *** at 2010-01-15 21:44:36 Microsoft Windows XP Professional Service Pack 2 System drive C: has 4 GB (19%) free of 20 GB Total RAM: 503 MB (69% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:44:37, on 15.01.2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16945) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\Explorer.EXE E:\RSIT.exe C:\Program Files\Trend Micro\HijackThis\***.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w*w.wetter.de/wetter/vorhersage/tage/Italien/Wetter-Rom/md5/9022ec3fa077f89a211761da2ed1c0cd/step/1 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = htt**p://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Hilfebyte\hilfebyte.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Voipwise] "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash -minimized O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{357AAD99-84C6-4E55-88B8-82AA1CD99C81}: NameServer = 213.205.36.70 213.205.32.70 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 5627 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job C:\WINDOWS\tasks\WGASetup.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}] AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-12-13 1111320] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-11-30 263280] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-11-30 764912] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-11-30 263280] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-12-13 2043160] "MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-03 158208] " Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Hilfebyte\hilfebyte.exe [2010-01-07 1394000] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360] "Voipwise"=C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe [2009-12-21 9069360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2kadiras] 2kadiras.exe [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9xadiras] 9xadiras.exe [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALDI_NORD_FotoSuite_Download] C:\Program Files\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe [2008-11-11 1257472] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-29 149040] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] bthprops.cpl,,BluetoothAuthenticationAgent [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detection] C:\Program Files\fotokasten comfort - Tchibo Edition\dd.exe [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe [2005-07-19 77824] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] C:\WINDOWS\System32\igfxpers.exe [2005-07-19 114688] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] C:\WINDOWS\System32\igfxtray.exe [2005-07-19 94208] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2005-07-22 385024] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2005-07-22 401408] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe [2007-05-24 1226288] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-29 149040] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe [2005-08-24 393216] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std] C:\WINDOWS\vsnp2std.exe [2006-09-15 675840] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-24 729178] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-10-12 198160] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-11-13 247144] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std] C:\WINDOWS\tsnp2std.exe [2006-11-02 258048] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard] C:\Program Files\12025SC Kabellose Multimedia Tastatur und Maus Set\StartAutorun.exe [2005-11-30 94208] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse] C:\Program Files\12025SC Kabellose Multimedia Tastatur und Maus Set\StartAutorun.exe [2005-11-30 94208] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2008-04-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk] C:\PROGRA~1\Toshiba\BLUETO~1\TosBtMng.exe [2007-05-22 2756608] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk] C:\PROGRA~1\ADSL\STARMO~1\dslmon.exe [2003-01-13 929861] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^p6_19_erinnerung.lnk] C:\PROGRA~1\phase6\PHASE6~1\WinStart\P6ERIN~1.EXE [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "gusvc"=3 "gupdate1c9b2e4b3c3a1c0"=2 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter] C:\WINDOWS\system32\avgrsstx.dll [2009-08-29 11952] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxdev.dll [2005-07-19 135168] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless] C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2005-07-22 110592] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-03 239616] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "notification packages"= scecli [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "HonorAutoRunSetting"= [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5" "C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe" "C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe" "C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe" "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe"="C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:*:Enabled:Voipwise" "C:\Program Files\devolo\informer\devinf.exe"="C:\Program Files\devolo\informer\devinf.exe:*:Enabled:devolo Informer" "C:\Program Files\devolo\easyshare\easyshare.exe"="C:\Program Files\devolo\easyshare\easyshare.exe:*:Enabled:devolo EasyShare" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\coktel\Junior2\WLOADER.EXE"="C:\coktel\Junior2\WLOADER.EXE:*:Enabled:Addy Junior V.2.20 Deutsche Version auf Laufwerk C" "D:\Daten\eMule0.48a\emule.exe"="D:\Daten\eMule0.48a\emule.exe:*  isabled:eMule""C:\Program Files\IncrediMail\bin\IncMail.exe"="C:\Program Files\IncrediMail\bin\IncMail.exe:* isabled:IncrediMail""C:\Program Files\IncrediMail\bin\ImpCnt.exe"="C:\Program Files\IncrediMail\bin\ImpCnt.exe:* isabled:IncrediMail""C:\Program Files\IncrediMail\bin\ImApp.exe"="C:\Program Files\IncrediMail\bin\ImApp.exe:* isabled:IncrediMail""C:\Documents and Settings\Scheidt\Local Settings\Temporary Internet Files\Content.IE5\S1YB8H6F\incredimail_install[1].exe"="C:\Documents and Settings\Scheidt\Local Settings\Temporary Internet Files\Content.IE5\S1YB8H6F\incredimail_install[1].exe:* isabled:IncrediMail Installer""C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe" "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe" "C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:* isabled:RealPlayer""C:\Program Files\Home Cinema\PowerDirector\PDR.exe"="C:\Program Files\Home Cinema\PowerDirector\PDR.exe:*:Enabled:CyberLink PowerDirector" "C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer" "C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager" "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2229991b-7eb1-11de-aeb4-4d6564696130}] shell\AutoRun\command - F:\InstallTomTomHOME.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baeadb34-f245-11de-af93-4d6564696130}] shell\AutoRun\command - G:\InstallSeagateManager.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc12f5b3-0f2a-11de-adba-4d6564696130}] shell\AutoRun\command - G:\Menu.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2ebc6af-7c37-11de-aeae-4d6564696130}] shell\AutoRun\command - F:\setupSNK.exe ======List of files/folders created in the last 1 months====== 2010-01-15 21:44:36 ----D---- C:\rsit 2010-01-15 21:40:25 ----D---- C:\Program Files\CCleaner 2010-01-15 21:35:55 ----D---- C:\Program Files\Trend Micro 2010-01-14 08:34:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$ 2010-01-14 08:34:26 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$ 2010-01-13 19:00:43 ----D---- C:\Documents and Settings\Scheidt\Application Data\Malwarebytes 2010-01-13 10:49:35 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2010-01-13 10:49:34 ----D---- C:\Program Files\Hilfebyte 2010-01-13 08:43:19 ----D---- C:\Program Files\Hilfebyte' Hilfebyte 2010-01-13 08:40:09 ----SHD---- C:\WINDOWS\CSC 2010-01-13 08:39:54 ----A---- C:\WINDOWS\ntbtlog.txt 2010-01-09 22:16:53 ----D---- C:\Program Files\a-squared Free 2010-01-09 19:28:53 ----A---- C:\Documents and Settings\All Users\Application Data\sysReserve.ini 2009-12-28 21:41:25 ----D---- C:\Program Files\Common Files\Skype 2009-12-17 20:08:01 ----A---- C:\WINDOWS\ModemLog_Standard 33600 bps Modem #2.txt ======List of files/folders modified in the last 1 months====== 2010-01-15 21:40:25 ----RD---- C:\Program Files 2010-01-15 20:14:33 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$ 2010-01-15 20:14:33 ----D---- C:\WINDOWS\system32\drivers 2010-01-15 19:58:21 ----D---- C:\WINDOWS\Temp 2010-01-15 19:57:35 ----A---- C:\WINDOWS\SchedLgU.Txt 2010-01-15 19:56:11 ----D---- C:\WINDOWS\system32 2010-01-15 09:22:27 ----D---- C:\WINDOWS\system32\CatRoot2 2010-01-15 09:05:16 ----ASH---- C:\boot.ini 2010-01-15 09:05:16 ----A---- C:\WINDOWS\win.ini 2010-01-15 09:05:16 ----A---- C:\WINDOWS\system.ini 2010-01-15 08:03:46 ----HD---- C:\WINDOWS\inf 2010-01-15 07:41:25 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$ 2010-01-14 08:50:32 ----D---- C:\WINDOWS\PCHealth 2010-01-14 08:37:26 ----D---- C:\WINDOWS 2010-01-14 08:36:39 ----D---- C:\WINDOWS\AppPatch 2010-01-14 08:34:43 ----RSHDC---- C:\WINDOWS\system32\dllcache 2010-01-14 08:34:38 ----HD---- C:\WINDOWS\$hf_mig$ 2010-01-14 08:34:34 ----A---- C:\WINDOWS\imsins.BAK 2010-01-14 08:02:59 ----D---- C:\WINDOWS\Prefetch 2010-01-13 13:18:54 ----D---- C:\FBBM 2010-01-10 20:43:52 ----D---- C:\WINDOWS\Minidump 2010-01-09 20:47:14 ----A---- C:\WINDOWS\NeroDigital.ini 2010-01-09 20:05:04 ----D---- C:\Documents and Settings\All Users\Application Data\avg8 2010-01-07 23:15:26 ----D---- C:\Documents and Settings\Scheidt\Application Data\Skype 2010-01-07 16:03:56 ----D---- C:\Documents and Settings\Scheidt\Application Data\skypePM 2010-01-05 01:17:46 ----A---- C:\WINDOWS\system32\MRT.exe 2009-12-30 10:55:52 ----SHD---- C:\WINDOWS\Installer 2009-12-28 21:41:26 ----RD---- C:\Program Files\Skype 2009-12-28 21:41:25 ----D---- C:\Program Files\Common Files 2009-12-28 21:41:20 ----D---- C:\Documents and Settings\All Users\Application Data\Skype 2009-12-20 21:57:32 ----D---- C:\Program Files\Google 2009-12-18 21:55:42 ----D---- C:\Program Files\Scriberius 2009-12-18 21:54:11 ----D---- C:\Program Files\Canon 2009-12-18 21:22:04 ----D---- C:\Tivola 2009-12-18 21:20:17 ----D---- C:\totalcmd ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2004-08-12 137728] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2004-08-12 137728] R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600] R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160] R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2005-06-24 190560] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624] R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480] S1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-29 335240] S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-29 27784] S1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-08 108552] S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096] S1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632] S1 Tosrfcom;Bluetooth RFCOMM; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2007-05-24 64000] S2 ADILOADER;General Purpose USB Driver (adildr.sys); C:\WINDOWS\System32\Drivers\adildr.sys [2003-03-25 46455] S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2006-09-20 17801] S2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver; C:\WINDOWS\system32\plcndis5.sys [2004-05-17 17280] S2 s24trans;WLAN-Transport; C:\WINDOWS\System32\DRIVERS\s24trans.sys [2005-07-22 11354] S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2004-08-03 48128] S3 adiusbaw;StarModem ADSL USB MODEM WAN ADAPTER; C:\WINDOWS\system32\DRIVERS\adiusbaw.sys [2004-02-16 127113] S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-03 60800] S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2004-08-03 38912] S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2005-08-05 45312] S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024] S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992] S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128] S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944] S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024] S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080] S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360] S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928] S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808] S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-07-19 1049180] S3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\System32\DRIVERS\iwca.sys [2004-08-12 234496] S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2004-08-03 51328] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504] S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376] S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880] S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-03 61824] S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-03-19 47360] S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PLCMPR5.SYS [] S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648] S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888] S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136] S3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-11-08 12006784] S3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-08-30 1031720] S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360] S3 tosporte;Bluetooth COM Port; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2006-10-10 41600] S3 tosrfbd;Bluetooth RFBUS; C:\WINDOWS\system32\DRIVERS\tosrfbd.sys [2007-04-24 113920] S3 tosrfbnp;Bluetooth RFBNEP; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2006-11-20 36480] S3 Tosrfhid;Bluetooth RFHID; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2007-03-01 73728] S3 tosrfnds;Bluetooth Personal Area Network; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612] S3 TosRfSnd;Bluetooth Audio; C:\WINDOWS\system32\drivers\tosrfsnd.sys [2007-01-22 53376] S3 tosrfusb;Bluetooth USB Controller; C:\WINDOWS\system32\DRIVERS\tosrfusb.sys [2007-06-11 41856] S3 TridVid;Video Grabber; C:\WINDOWS\system32\DRIVERS\TridVid.sys [2007-06-15 99200] S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys [] S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264] S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104] S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496] S3 w29n51;Intel(R) PRO/Wireless 2200BG Netzwerkverbindungstreiber für Windows XP; C:\WINDOWS\System32\DRIVERS\w29n51.sys [2005-07-19 3289088] S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== S2 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2009-10-01 1858144] S2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-08-29 908056] S2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752] S2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-03 14336] S2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2005-07-22 86016] S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120] S2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2005-09-16 53248] S2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2005-07-22 139264] S2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-12-19 272024] S2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2005-07-22 372809] S2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008] S2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 125048] S2 WLANKEEPER;WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2005-07-22 225353] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104] S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664] S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-05-24 792112] S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-29 271920] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S4 gupdate1c9b2e4b3c3a1c0;Google Update Service (gupdate1c9b2e4b3c3a1c0); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-04-01 133104] S4 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-01 183280] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096] -----------------EOF----------------- SO UND NUN ZUM GMER: GMER 1.0.15.15281 - http://w*w.gmer.net Rootkit scan 2010-01-15 21:20:25 Windows 5.1.2600 Service Pack 2 Running: by8o8mot.exe; Driver: C:\DOCUME~1\****\LOCALS~1\Temp\pxtdapod.sys ---- System - GMER 1.0.15 ---- Code 832201C0 ZwEnumerateKey Code 83220188 ZwFlushInstructionCache Code 8322000E IofCallDriver Code 8322336E IofCompleteRequest ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 83220013 .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 83223373 PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF20 5 Bytes JMP 832201C4 PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A5A 5 Bytes JMP 8322018C ? drujlv.sys Das System kann die angegebene Datei nicht finden. ! ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) ---- Modules - GMER 1.0.15 ---- Module \systemroot\system32\drivers\H8SRTuumaftdgxu.sys (*** hidden *** ) F822F000-F824C000 (118784 bytes) ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\drivers\H8SRTuumaftdgxu.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd501959 Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTuumaftdgxu.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTuumaftdgxu.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTrdepsoaoya.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwrrpojqonc.dat Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTykwfhmppjc.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTjsnmmgxrpo.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTmeulvvkprk.dll Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd501959 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1 Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1 Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTuumaftdgxu.sys Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTuumaftdgxu.sys Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTrdepsoaoya.dll Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwrrpojqonc.dat Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTykwfhmppjc.dll Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTjsnmmgxrpo.dll Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTmeulvvkprk.dll ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\***\Local Settings\Temp\H8SRT292c.tmp 343040 bytes executable File C:\Documents and Settings\***\Local Settings\Temp\h8srtmainqt.dll 1155 bytes File C:\WINDOWS\system32\H8SRTjsnmmgxrpo.dll 16896 bytes executable File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 1180 bytes File C:\WINDOWS\system32\H8SRTmeulvvkprk.dll 40960 bytes executable File C:\WINDOWS\system32\H8SRTrdepsoaoya.dll 23552 bytes executable File C:\WINDOWS\system32\h8srtshsyst.dll 1572 bytes File C:\WINDOWS\system32\H8SRTwrrpojqonc.dat 160 bytes File C:\WINDOWS\system32\H8SRTykwfhmppjc.dll 40960 bytes executable File C:\WINDOWS\system32\drivers\H8SRTuumaftdgxu.sys 40960 bytes executable <-- ROOTKIT !!! ---- EOF - GMER 1.0.15 ---- So das wärs, ich hätte von RSIT auch noch eine InfoDate, aber die ist sehr sehr lang, außerdem die Logfiles von MAM Und a-squared: Malwarebytes' Anti-Malware 1.44 Datenbank Version: 3558 Windows 5.1.2600 Service Pack 2 (Safe Mode) Internet Explorer 7.0.5730.13 14.01.2010 15:25:41 mbam-log-2010-01-14 (15-25-37).txt Scan-Methode: Quick-Scan Durchsuchte Objekte: 108089 Laufzeit: 11 minute(s), 47 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 1 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: HKEY_LOCAL_MACHINE\Soft ****RE\H8SRT (Rootkit.TDSS) -> No action taken. Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) A SQUARED: a-squared Free - Version 4.5 Letztes Update: 14.01.2010 08:21:07 Scan Einstellungen: Scan Methode: Schnelltest Objekte: Speicher, Traces, Cookies Archiv Scan: An Heuristik: Aus ADS Scan: An Scan Beginn: 15.01.2010 09:21:06 Key: HKEY_LOCAL_MACHINE\software\AntiMalware gefunden: Trace.Registry.AntiMalware!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@adtech[1].txt gefunden: Trace.TrackingCookie.adtech!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@adviva[2].txt gefunden: Trace.TrackingCookie.adviva!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@bs.serving-sys[1].txt gefunden: Trace.TrackingCookie.bs.serving-sys!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@doubleclick[2].txt gefunden: Trace.TrackingCookie.doubleclick!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@serving-sys[1].txt gefunden: Trace.TrackingCookie.serving-sys!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@specificclick[2].txt gefunden: Trace.TrackingCookie.specificclick!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@tradedoubler[1].txt gefunden: Trace.TrackingCookie.tradedoubler!A2 Gescannt Dateien: 157 Traces: 374711 Cookies: 73 Prozesse: 13 Gefunden Dateien: 0 Traces: 1 Cookies: 7 Prozesse: 0 Registry Keys: 0 Scan Ende: 15.01.2010 09:22:29 Scan Zeit: 0:01:23 C:\Documents and Settings\Scheidt\Cookies\scheidt@tradedoubler[1].txt Quarantäne Trace.TrackingCookie.tradedoubler!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@specificclick[2].txt Quarantäne Trace.TrackingCookie.specificclick!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@serving-sys[1].txt Quarantäne Trace.TrackingCookie.serving-sys!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@doubleclick[2].txt Quarantäne Trace.TrackingCookie.doubleclick!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@bs.serving-sys[1].txt Quarantäne Trace.TrackingCookie.bs.serving-sys!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@adviva[2].txt Quarantäne Trace.TrackingCookie.adviva!A2 C:\Documents and Settings\Scheidt\Cookies\scheidt@adtech[1].txt Quarantäne Trace.TrackingCookie.adtech!A2 Quarantäne Dateien: 0 Traces: 2 Cookies: 7 Key: HKEY_LOCAL_MACHINE\software\AntiMalware Gelöscht Trace.Registry.AntiMalware!A2 Gelöscht Dateien: 0 Traces: 1 Cookies: 0 DANKE schon jetzt für Euren Beitrag!! |
| Themen zu Rootkit-Invasion? Antimalware? H8SRT? Logfile-Analyse |
| 0 bytes, 1.exe, bho, browser, content.ie5, converter, e-mail, entfernen, excel, fontcache, google, gservice, gupdate, h8srt, helper, hijack, hijackthis, hkus\s-1-5-18, iexplore.exe, internet, internet explorer, laufwerk c, maus, mozilla, notification, object, registrierungsschlüssel, registry, scan, skype.exe, software, start menu, system, tastatur, traces, trojaner, usb 2.0, virus, windows, windows xp |
Baum-Darstellung