Liebe Trojanerboardgemeinde,

ich hatte mir vor 2-3 Tagen den Trojaner "User Protection" eingefangen und das "Gröbste" anhand der Tipps hier auf dem Board mit Malware bytes bekämpft.
hier das Logprotokoll:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 3935

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

01.04.2010 18:16:10
mbam-log-2010-04-01 (18-16-10).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Durchsuchte Objekte: 234599
Laufzeit: 1 Stunde(n), 33 Minute(n), 19 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 5
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 1
Infizierte Dateien: 23

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_voidiqbvxuqcoi (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\Windows\_VOIDiqbvxuqcoi (Rootkit.TDSS) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Users\Oliver\AppData\Local\Temp\_VOID3d1c.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDbybibpnjws.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDctpsibugpt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDdfomcpeuap.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDeihrweumei.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDetgdopmxld.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDiceptttcch.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDkhsqwmpyfl.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDlwcxmopnsu.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDmqpbwavgvb.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDoxkjdxeiii.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDpdkglnixqb.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDpepilvyeri.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDpoiywndkmj.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDrujfsocdfp.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDtdyutbvrxu.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\_VOIDiqbvxuqcoi\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDbvptomxwns.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDcdbysqqymd.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDexcouiltoe.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDidemjcybnr.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDlrixperxqv.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDxqpivmvbpr.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

Auch mit Grinler rkill bin ich gegen den Trojaner vorgegangen. Dennoch ist mein Rechner nach wie vor nicht 100% wieder in Ordnung, dies äußert sich dadurch, dass ich das Sicherheitscenter nicht öffnen kann

Hier noch die HijackThis Log-Datei:

ogfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 18:35:00, on 01.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Users\Oliver\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Oliver\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\hijack\TrendMicro\HiJackThis\HiJackThis.exe
C:\Users\Oliver\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://webmailer.hosteurope.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Toshiba TEMPRO] C:\Program Files\Toshiba TEMPRO\TemproTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Oliver\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - hxxp://rover.ebay.com/rover/1/707-44556-9400-3/4 (file missing)
O9 - Extra button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - hxxp://www.amazon.de/exec/obidos/redirect-home?tag=Toshibadebholink-21&site=home (file missing)
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11931 bytes

So, ich hoffe, dass ich nun alles Wesentliche genannt habe, so dass mir hoffentlich geholfen werden kann.
vielen Dank im voraus,
Badelatsche

Hallo und !

Du hast/hattest MalwareDefense und PaladinAntivirus auf Deinem Rechner.

TDSS-Killer von Kaspersky

• Lade Dir tdsskiller.zip von Kaspersky und öffne die Archiv-Datei.
• Entpacke TDSSKiller.exe in einen Ordner Deiner Wahl.
• Öffne den Editor (Start -> alle Programme -> Zubehör -> Editor) und kopiere folgenden Text rein:
  Code: Alles auswählenAufklappen

  ATTFilter

  @echo off
  TDSSKiller.exe -l log.txt -v
           

• Speichere es als start.bat in den selben Ordner, wie zuvor TDSSKiller.exe
• Achte darauf, dass Du beim Speichern unter Dateityp "Alle Dateien" ausgewählt hast.
• Doppelklicke nun auf start.bat (Vista-User: Rechtsklick -> "Als Administrator ausführen")
• TDSSKiller fängt nun an, nach versteckten Services und infizierten Treibern zu suchen.
• Es wird eine log.txt in Deinem Ordner erstellt - poste den Inhalt dieser bitte hier.

Bebilderte Anleitung: Viren und Lösungen

Hallo StLB und Trojanerboard-Crew,

zunächst einmal vielen Dank für die schnelle Hilfe. Da du alles haargenau beschrieben hattest, war ich in der Lage deinen Anweisungen zu folgen.
Hier die gewünschte Logdatei, wobei mich wundert, dass nichts gefunden / entfernt wurde:

14:29:34:801 5788 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:29:34:801 5788 ================================================================================
14:29:34:801 5788 SystemInfo:

14:29:34:801 5788 OS Version: 6.0.6002 ServicePack: 2.0
14:29:34:801 5788 Product type: Workstation
14:29:34:801 5788 ComputerName: ST32E5
14:29:34:801 5788 UserName: Oliver
14:29:34:801 5788 Windows directory: C:\Windows
14:29:34:801 5788 Processor architecture: Intel x86
14:29:34:801 5788 Number of processors: 2
14:29:34:801 5788 Page size: 0x1000
14:29:34:801 5788 Boot type: Normal boot
14:29:34:801 5788 ================================================================================
14:29:34:817 5788 UnloadDriverW: NtUnloadDriver error 2
14:29:34:817 5788 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:29:34:863 5788 wfopen_ex: Trying to open file C:\Windows\system32\config\system
14:29:34:863 5788 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:29:34:863 5788 wfopen_ex: Trying to KLMD file open
14:29:34:863 5788 wfopen_ex: File opened ok (Flags 2)
14:29:34:895 5788 wfopen_ex: Trying to open file C:\Windows\system32\config\software
14:29:34:895 5788 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:29:34:895 5788 wfopen_ex: Trying to KLMD file open
14:29:34:910 5788 wfopen_ex: File opened ok (Flags 2)
14:29:34:910 5788 Initialize success
14:29:34:910 5788
14:29:34:910 5788 Scanning Services ...
14:29:35:784 5788 Raw services enum returned 438 services
14:29:35:799 5788
14:29:35:799 5788 Scanning Kernel memory ...
14:29:35:799 5788 Devices to scan: 1
14:29:35:799 5788
14:29:35:799 5788 Driver Name: atapi
14:29:35:799 5788 IRP_MJ_CREATE : 878F1140
14:29:35:799 5788 IRP_MJ_CREATE_NAMED_PIPE : 8222DA22
14:29:35:799 5788 IRP_MJ_CLOSE : 878F1140
14:29:35:799 5788 IRP_MJ_READ : 8222DA22
14:29:35:799 5788 IRP_MJ_WRITE : 8222DA22
14:29:35:799 5788 IRP_MJ_QUERY_INFORMATION : 8222DA22
14:29:35:799 5788 IRP_MJ_SET_INFORMATION : 8222DA22
14:29:35:799 5788 IRP_MJ_QUERY_EA : 8222DA22
14:29:35:799 5788 IRP_MJ_SET_EA : 8222DA22
14:29:35:799 5788 IRP_MJ_FLUSH_BUFFERS : 8222DA22
14:29:35:799 5788 IRP_MJ_QUERY_VOLUME_INFORMATION : 8222DA22
14:29:35:799 5788 IRP_MJ_SET_VOLUME_INFORMATION : 8222DA22
14:29:35:799 5788 IRP_MJ_DIRECTORY_CONTROL : 8222DA22
14:29:35:799 5788 IRP_MJ_FILE_SYSTEM_CONTROL : 8222DA22
14:29:35:799 5788 IRP_MJ_DEVICE_CONTROL : 878DFA5A
14:29:35:799 5788 IRP_MJ_INTERNAL_DEVICE_CONTROL : 878DFA2C
14:29:35:799 5788 IRP_MJ_SHUTDOWN : 8222DA22
14:29:35:799 5788 IRP_MJ_LOCK_CONTROL : 8222DA22
14:29:35:799 5788 IRP_MJ_CLEANUP : 8222DA22
14:29:35:799 5788 IRP_MJ_CREATE_MAILSLOT : 8222DA22
14:29:35:799 5788 IRP_MJ_QUERY_SECURITY : 8222DA22
14:29:35:799 5788 IRP_MJ_SET_SECURITY : 8222DA22
14:29:35:799 5788 IRP_MJ_POWER : 878DFA88
14:29:35:799 5788 IRP_MJ_SYSTEM_CONTROL : 878ECB70
14:29:35:799 5788 IRP_MJ_DEVICE_CHANGE : 8222DA22
14:29:35:799 5788 IRP_MJ_QUERY_QUOTA : 8222DA22
14:29:35:799 5788 IRP_MJ_SET_QUOTA : 8222DA22
14:29:35:815 5788 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
14:29:35:815 5788
14:29:35:815 5788 Completed
14:29:35:815 5788
14:29:35:815 5788 Results:
14:29:35:815 5788 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:29:35:815 5788 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:29:35:815 5788 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:29:35:815 5788
14:29:35:831 5788 fclose_ex: Trying to close file C:\Windows\system32\config\system
14:29:35:831 5788 fclose_ex: Trying to close file C:\Windows\system32\config\software
14:29:35:831 5788 KLMD(ARK) unloaded successfully

Bin gespannt, was du daraus entnehmen kannst, denn mein Sicherheitscenter funzt momentan noch nicht...

Interessant. Versuch bitte mal einen Rootkitscan mit GMER zu machen und poste das Logfile.

Hallo Julian, liebe Borad-Crew!

Hier das Gmer-log:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-02 20:52:00
Windows 6.0.6002 Service Pack 2
Running: yj1tkgx5.exe; Driver: C:\Users\Oliver\AppData\Local\Temp\kwldypob.sys


---- System - GMER 1.0.15 ----

SSDT A800BA4B ZwLoadDriver
SSDT A800BA50 ZwSetSystemInformation
SSDT A800BA0F ZwTerminateProcess
SSDT A800BA0A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 37D 822F0AE0 4 Bytes [4B, BA, 00, A8]
.text ntkrnlpa.exe!KeSetEvent + 5DD 822F0D40 4 Bytes [50, BA, 00, A8]
.text ntkrnlpa.exe!KeSetEvent + 621 822F0D84 4 Bytes [0F, BA, 00, A8]
.text ntkrnlpa.exe!KeSetEvent + 681 822F0DE4 4 Bytes [0A, BA, 00, A8]
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87F55480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87F96900, 0x3CA, 0x48000040]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73777817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [737CA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7377BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7376F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [737775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7376E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [737A8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7377DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7376FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7376FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [737671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [737FCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7379C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7376D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73766853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7376687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73772AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

GMER-Log sieht gut aus.
Bitte noch einen Online-Scan mit ESET machen, dann sollten wir fast durch sein

ESET Online Scanner

• Anmerkung für Vista-User: Bitte den Browser unbedingt als Administrator starten.
• Button "ESET Online Scanner" drücken.
• Firefox-User müssen ein zusätzliches Addon (esetsmartinstaller_enu.exe) installieren.
• Das Firefox-Addon auf dem Desktop speichern und dann installieren.
• IE-User müssen das Installieren eines ActiveX Elements erlauben.
• Einen Haken bei "Remove found threads" und "Scan archives" machen.
• Start drücken.
• Der Scan beginnt automatisch.
• Finish drücken.
• Browser schließen.
• Explorer öffnen.
• C:\Programme\Eset\EsetOnlineScanner\log.txt suchen und mit Deinem Editor öffnen.
• Logfile hier posten.
• Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
• Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset
• IE-User zusätzlich: mit HJT folgenden Eintrag fixen:
• O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)

Moin Board-Crew,

habe die Mammutaktion mit ESET durchgezogen. Hier das Log:

C:\Users\Oliver\AppData\Local\Temp\ie568A.tmp a variant of Win32/Kryptik.DLB trojan cleaned by deleting - quarantined
C:\Users\Oliver\AppData\Local\Temp\ie57FF.tmp a variant of Win32/Kryptik.DLB trojan cleaned by deleting - quarantined

Aber das Sicherheitscenter funzt leider immer noch nicht....

Hi,

nur kurz zwischenrein:

Sicherheitscenter wiederbeleben:
Wenn sich das Sicherheitscenter nicht starten lässt, steht wahrscheinlich der Dienst auf "disabled"
Öffne eine Commandline-Shell mit Adminrechten. Am einfachsten Du erstellst eine entsprechende Verknüpfung auf dem Desktop. Ziel der Verknüpfung ist "C:\Windows\System32\cmd.exe". Ausführen als Administrator ankreuzen nicht vergessen...

Code: Alles auswählenAufklappen

ATTFilter

sc config wscsvc start=auto
net start wscsvc
         

Geht es dann immer noch nicht, muss die Reg überprüft werden.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = dword:0x01

chris&out

1000 Dank - das war des Rätsel-Lösung. Alles funzt wieder - yippie!

Zitat:

Zitat von Chris4You

Geht es dann immer noch nicht, muss die Reg überprüft werden.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = dword:0x01

chris&out

Ich kann den Wert dort kein x eingeben? Wie geht das?

Hi,

das ist ein hex-wert, das x musst du nicht eingeben nur sicherstellen dass dort "1" steht... (ist im binären und dezimalen Zahlensystem erstmal kein unterschied zwischen 0 und eins, das geht erst dann los ;o)...

chris