Log analysis and evaluation: Rootkit.Gen virus in the system, how to delete? Windows 7

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
12.04.2010, 20:34 #1
Rootkit.Gen virus in the system, how to delete?

Hello everyone,

My machine runs Windows Vista Business, 32-bit, SP2.

My problem: my Avira AntiVir (standard edition) suddenly started raising alarms like mad about a "Rootkit.Gen" virus it had found. I first ran a complete system check with Avira, but the file cannot be deleted. (Message: "Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht") The "Trojan Agent" seems to be this file:

C:\windows\system32\Drivers\clwquor.sys

After researching on Google I then downloaded and ran Malwarebytes Anti-Malware, deleted all findings, and restarted the PC in safe mode. But the file I just mentioned is still there (even though MBAM says it has been deleted). Googling did not get me any further on this either. So I ran the checks you recommend with CCleaner, MBAM (this time the quick scan) and RSIT.
Here are the log files. Malwarebytes Anti-Malware logfile (if the file from the first scan is needed, I can post that as well):

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 3980
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

12.04.2010 20:46:13
mbam-log-2010-04-12 (20-46-13).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 110507
Laufzeit: 9 Minute(n), 20 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\windows\system32\Drivers\clwquor.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
RSIT logfile:

info.txt logfile of random's system information tool 1.06 2010-04-12 20:56:56

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe -runfromtemp -l0x0007/cont -removeonly
-->C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{E078134D-A344-41B6-A0F8-147AB235396E}\setup.exe -runfromtemp -l0x0007 -removeonly
-->C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe -runfromtemp -l0x0007 -removeonly
2007 Microsoft Office system-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
ActivClient 6.1 x86-->MsiExec.exe /I{AC194855-F7AC-4D04-B4C9-07BA46FCB697}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.2 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A92000000001}
Agere Systems HDA Modem-->agrsmdel
AOL Toolbar 5.0-->"C:\Program Files\AOL\AOL Toolbar 5.0\uninstall.exe"
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AuthenTec Fingerprint System-->MsiExec.exe /I{FECEF9D2-9D3D-449B-9EA4-CFA775C99464}
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Credential Manager for HP ProtectTools-->rundll32.exe "c:\Program Files\Hewlett-Packard\IAM\Bin\SetupHelper.dll",ExecMain /Uninstall {EE1AE5E9-6ECE-4ADF-A28A-56A981E138D4}
Drive Encryption for HP ProtectTools-->MsiExec.exe /I{1B99FFC8-B898-406D-9A67-14F8A833A200}
ESU for Microsoft Vista SP1-->MsiExec.exe /I{6EAFBCAF-20E9-474A-A720-E7D276B35498}
FreePDF XP (Remove only)-->C:\Program Files\FreePDF_XP\fpsetup.exe /r
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E85CDE7661A53A6A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
GPL Ghostscript 8.64-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.64\uninstal.txt"
Hewlett-Packard Active Check for Health Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP 3D DriveGuard-->MsiExec.exe /X{2ACA66D0-7C67-4235-90B5-7AB382FF8633}
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{420BBA1D-B275-4891-838C-EA88FE87A632}\setup.exe" -l0x9 -removeonly
HP Customer Participation Program 11.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8BB128BE-2670-485D-A221-B00715BCEBCF}\setup.exe" -l0x9 -removeonly
HP Help and Support-->MsiExec.exe /X{31216452-5540-4C96-B754-94890A63D5AB}
HP Imaging Device Functions 11.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Integrated Module with Bluetooth wireless technology 6.0.1.6204-->MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
HP JavaCard for HP ProtectTools-->MsiExec.exe /I{9F5BCAA5-E78B-4C01-B6D3-F3EA9B3E3DC1}
HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4-->C:\Program Files\HP\Digital Imaging\{BED1705F-7558-40f7-9F52-6C6FBD58EA2E}\setup\hpzscr01.exe -datfile hposcr30.dat -onestop
HP Photosmart Essential 3.0-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP ProtectTools Security Manager Suite-->C:\Windows\Installer\HPPTSuiteInstallEngine.exe /uninstall=C:\Windows\Installer\44474080.msi
HP ProtectTools Security Manager-->MsiExec.exe /I{9FE06DD0-C1DB-4E0E-A8B9-D3224261A4F3}
HP Quick Launch Buttons 6.40 F1-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP QuickLook 2-->"C:\Program Files\Hewlett-Packard\HP QuickLook 2\unins000.exe"
HP Smart Web Printing-->C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
HP Software Setup 5.00.A.7-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70CEFEBA-F757-4DBE-8A21-027C326137CE}\SETUP.EXE" -l0x9
HP Solution Center 13.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat -forcereboot
HP Update-->MsiExec.exe /X{74DC0593-6BC6-4001-AD5F-D810AFB68D86}
HP User Guides 0099-->MsiExec.exe /I{0778D325-1A92-46D9-B2DB-634040F5675B}
HP Wallpaper-->MsiExec.exe /I{F173C2B3-296F-458C-98FF-1676A42EBA02}
HP Webcam Application-->C:\Program Files\InstallShield Installation Information\{154E4F71-DFC0-4B31-8D99-F97615031B02}\setup.exe -runfromtemp -l0x0007 -removeonly
HP Webcam-->C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0007 -removeonly
HP Wireless Assistant-->MsiExec.exe /I{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Intel(R) Management Engine Interface-->C:\windows\system32\heciudlg.exe -uninstall
Intel® Active-Management-Technologie-->C:\windows\system32\mesoludlg.exe -uninstall
Intel® Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
iPhone-Konfigurationsprogramm-->MsiExec.exe /I{FA54AFB1-5745-4389-B8C1-9F7509672ED1}
iTunes-->MsiExec.exe /I{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}
Java(TM) 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
LimeWire 5.4.6-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU-->c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - deu\setup.exe
Microsoft .NET Framework 3.5 Language Pack SP1 - deu-->MsiExec.exe /I{052FDD78-A6EA-3187-8386-C82F4CA3A929}
Microsoft .NET Framework 3.5 SP1-->c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-040C-0000-0000000FF1CE} /uninstall {AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0410-0000-0000000FF1CE} /uninstall {71CCE0F1-A3B4-49C9-A328-1DABE845E0C4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0413-0000-0000000FF1CE} /uninstall {DC387AA5-94A6-4920-B004-D59846526D81}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-040C-0000-0000000FF1CE} /uninstall {AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0410-0000-0000000FF1CE} /uninstall {71CCE0F1-A3B4-49C9-A328-1DABE845E0C4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0413-0000-0000000FF1CE} /uninstall {DC387AA5-94A6-4920-B004-D59846526D81}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-040C-0000-0000000FF1CE} /uninstall {AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0410-0000-0000000FF1CE} /uninstall {71CCE0F1-A3B4-49C9-A328-1DABE845E0C4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0413-0000-0000000FF1CE} /uninstall {DC387AA5-94A6-4920-B004-D59846526D81}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-040C-0000-0000000FF1CE} /uninstall {AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0410-0000-0000000FF1CE} /uninstall {71CCE0F1-A3B4-49C9-A328-1DABE845E0C4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0413-0000-0000000FF1CE} /uninstall {DC387AA5-94A6-4920-B004-D59846526D81}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-040C-0000-0000000FF1CE} /uninstall {AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0410-0000-0000000FF1CE} /uninstall {71CCE0F1-A3B4-49C9-A328-1DABE845E0C4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0413-0000-0000000FF1CE} /uninstall {DC387AA5-94A6-4920-B004-D59846526D81}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-040C-0000-0000000FF1CE} /uninstall {AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0410-0000-0000000FF1CE} /uninstall {71CCE0F1-A3B4-49C9-A328-1DABE845E0C4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0413-0000-0000000FF1CE} /uninstall {DC387AA5-94A6-4920-B004-D59846526D81}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0407-0000-0000000FF1CE} /uninstall {26454C26-D259-4543-AA60-3189E09C5F76}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-040C-0000-0000000FF1CE} /uninstall {B165D3C2-40AE-4D39-86F7-E5C87C4264C0}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0410-0000-0000000FF1CE} /uninstall {0A75DA12-55CB-4DE5-8B6A-74D97847204E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0413-0000-0000000FF1CE} /uninstall {89C8E56A-90D8-4598-B0E6-EB28F6270E07}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0015-0413-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access MUI (French) 2007-->MsiExec.exe /X{90120000-0015-040C-0000-0000000FF1CE}
Microsoft Office Access MUI (German) 2007-->MsiExec.exe /X{90120000-0015-0407-0000-0000000FF1CE}
Microsoft Office Access MUI (Italian) 2007-->MsiExec.exe /X{90120000-0015-0410-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel 2007 Help - Aggiornamento (KB963678)-->msiexec /package {90120000-0016-0410-0000-0000000FF1CE} /uninstall {9F57BDED-B51B-4D2F-B360-5B4EFAAF0F1A}
Microsoft Office Excel MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0016-0413-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (French) 2007-->MsiExec.exe /X{90120000-0016-040C-0000-0000000FF1CE}
Microsoft Office Excel MUI (German) 2007-->MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Excel MUI (Italian) 2007-->MsiExec.exe /X{90120000-0016-0410-0000-0000000FF1CE}
Microsoft Office Outlook 2007 Help - Aggiornamento (KB963677)-->msiexec /package {90120000-001A-0410-0000-0000000FF1CE} /uninstall {2278E02A-AB15-4BF7-B2B4-5C0EEB4B7EEB}
Microsoft Office Outlook MUI (Dutch) 2007-->MsiExec.exe /X{90120000-001A-0413-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (French) 2007-->MsiExec.exe /X{90120000-001A-040C-0000-0000000FF1CE}
Microsoft Office Outlook MUI (German) 2007-->MsiExec.exe /X{90120000-001A-0407-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Italian) 2007-->MsiExec.exe /X{90120000-001A-0410-0000-0000000FF1CE}
Microsoft Office Powerpoint 2007 Help - Aggiornamento (KB963669)-->msiexec /package {90120000-0018-0410-0000-0000000FF1CE} /uninstall {C76C02F1-B07F-4974-876A-A18DEC9887C8}
Microsoft Office PowerPoint MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0018-0413-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (French) 2007-->MsiExec.exe /X{90120000-0018-040C-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007-->MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Italian) 2007-->MsiExec.exe /X{90120000-0018-0410-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007-->MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (Arabic) 2007-->MsiExec.exe /X{90120000-001F-0401-0000-0000000FF1CE}
Microsoft Office Proof (Dutch) 2007-->MsiExec.exe /X{90120000-001F-0413-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007-->MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (Dutch) 2007-->MsiExec.exe /X{90120000-002C-0413-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing (French) 2007-->MsiExec.exe /X{90120000-002C-040C-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007-->MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Proofing (Italian) 2007-->MsiExec.exe /X{90120000-002C-0410-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0401-0000-0000000FF1CE} /uninstall {14809F99-C601-4D4A-9391-F1E8FAA964C5}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0407-0000-0000000FF1CE} /uninstall {A0516415-ED61-419A-981D-93596DA74165}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0410-0000-0000000FF1CE} /uninstall {322296D4-1EAE-4030-9FBC-D2787EB25FA2}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0413-0000-0000000FF1CE} /uninstall {D66D5A44-E480-4BA4-B4F2-C554F6B30EBB}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0019-0413-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (French) 2007-->MsiExec.exe /X{90120000-0019-040C-0000-0000000FF1CE}
Microsoft Office Publisher MUI (German) 2007-->MsiExec.exe /X{90120000-0019-0407-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Italian) 2007-->MsiExec.exe /X{90120000-0019-0410-0000-0000000FF1CE}
Microsoft Office Shared MUI (Dutch) 2007-->MsiExec.exe /X{90120000-006E-0413-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (French) 2007-->MsiExec.exe /X{90120000-006E-040C-0000-0000000FF1CE}
Microsoft Office Shared MUI (German) 2007-->MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Shared MUI (Italian) 2007-->MsiExec.exe /X{90120000-006E-0410-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120407-6000-11D3-8CFE-0150048383C9}
Microsoft Office Suite Activation Assistant-->MsiExec.exe /X{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}
Microsoft Office Word 2007 Help - Aggiornamento (KB963665)-->msiexec /package {90120000-001B-0410-0000-0000000FF1CE} /uninstall {E5B82DB3-DD7D-4C45-BC5E-09864B26F9BC}
Microsoft Office Word MUI (Dutch) 2007-->MsiExec.exe /X{90120000-001B-0413-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (French) 2007-->MsiExec.exe /X{90120000-001B-040C-0000-0000000FF1CE}
Microsoft Office Word MUI (German) 2007-->MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft Office Word MUI (Italian) 2007-->MsiExec.exe /X{90120000-001B-0410-0000-0000000FF1CE}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mise à jour Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-040C-0000-0000000FF1CE} /uninstall {B761869A-B85C-40E2-994C-A1CE78AC8F2C}
Mise à jour Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-040C-0000-0000000FF1CE} /uninstall {51EFB347-1F3D-4BAC-8B79-F056B904FE21}
Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-040C-0000-0000000FF1CE} /uninstall {C3DCA38E-005E-41BA-A52A-7C3429F351C3}
Mise à jour Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-040C-0000-0000000FF1CE} /uninstall {81536A04-DBFB-4DB3-978F-0F284590C223}
MSVC80_x86_v2-->MsiExec.exe /I{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}
MSVC90_x86-->MsiExec.exe /I{AF111648-99A1-453E-81DD-80DBBF6DAD0D}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Nokia Connectivity Cable Driver-->MsiExec.exe /I{C50EF365-2898-489A-B6C7-30DAA466E9A2}
Nokia Home Media Server-->MsiExec.exe /X{0EEB3C40-2A8C-4045-B3F9-13C4A5C490C0}
Nokia Map Loader-->MsiExec.exe /I{45D4F727-43B5-49CD-B474-B9866A8F4FB8}
Nokia Ovi Player-->MsiExec.exe /I{A528306A-C5EC-481C-A619-6106334E6800}
Nokia Ovi Suite Software Updater-->MsiExec.exe /X{564B16F4-6B5B-47B0-9AB6-FF2E943947F7}
Nokia Ovi Suite-->C:\ProgramData\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\NokiaOviSuite2Installer.exe
Nokia Ovi Suite-->MsiExec.exe /X{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}
Nokia Photos-->MsiExec.exe /I{0EABFEF6-6D10-4C12-8667-3029C481D355}
Nokia Software Updater-->MsiExec.exe /X{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}
Nokia_Multimedia_Common_Components_2_5-->MsiExec.exe /I{3762698E-E9DF-4DD8-99F1-8192D0F8EE06}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OCR Software by I.R.I.S. 11.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Ovi Desktop Sync Engine-->MsiExec.exe /X{F1C3541D-5B93-4131-B440-692FBA3DD250}
OviMPlatform-->MsiExec.exe /I{8D100E0C-1A5A-43AD-93EF-76F94AE61C30}
PC Connectivity Solution-->MsiExec.exe /I{4CE6B3C4-D8E2-4A5D-BEF5-5B69AF843B0C}
Presto! BizCard 5-->"C:\Program Files\InstallShield Installation Information\{272253C3-D9DD-4C0C-A586-7E7ABC7E9AA2}\setup.exe" -runfromtemp -l0x0007 -uninst -removeonly
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
RedMon - Redirection Port Monitor-->C:\windows\system32\unredmon.exe
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Sony Picture Utility-->C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe -runfromtemp -l0x0007 /removeonly uninstall -removeonly
SoundMAX-->C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe -runfromtemp -l0x0007 -removeonly
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TwonkyMedia-->C:\Program Files\Nokia\Nokia Home Media Server\\Media Server\UninstallTwonkyMedia.exe
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for 2007 Microsoft Office System (KB977724)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {CC0E469C-5006-48B9-BBDC-D11B562499B4}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (kb979895)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {D45674C6-9127-4C84-8826-93FBC552DF53}
Update für Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}
Update für Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0407-0000-0000000FF1CE} /uninstall {F6828576-6F79-470D-AB50-69D1BBADBD30}
Update für Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {EA160DA3-E9B5-4D03-A518-21D306665B96}
Update für Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {38472199-D7B6-4833-A949-10E4EE6365A1}
Update voor Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0413-0000-0000000FF1CE} /uninstall {5CF7002F-6F49-4482-9564-5614FBE560FA}
Update voor Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0413-0000-0000000FF1CE} /uninstall {15D84E79-1ED7-42C5-B2FD-745C3FBDDDC5}
Update voor Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0413-0000-0000000FF1CE} /uninstall {A66AE6A1-8D8C-4102-BC18-38CBDE40F809}
Vista Default Settings-->MsiExec.exe /I{12D61C9C-5E84-47F0-BD81-A48DF61A86D7}
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Vuze Toolbar-->"C:\Program Files\AskBarDis\unins000.exe"
Vuze-->C:\Program Files\Vuze\uninstall.exe
Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0)-->C:\PROGRA~1\DIFX\B4723E9A0713E5B1\dpinst.exe /u C:\windows\system32\DRVSTORE\pccsmcfd_A3B3916E5D8138F59EE218321B27B044D3B18294\pccsmcfd.inf
WinRAR-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: *Muster*-Notebook
Event Code: 7036
Message: Dienst "Net Driver HPZ12" befindet sich jetzt im Status "Beendet".
Record Number: 46478
Source Name: Service Control Manager
Time Written: 20090928124339.000000-000
Event Type: Informationen
User:

Computer Name: *Muster*-Notebook
Event Code: 7036
Message: Dienst "Pml Driver HPZ12" befindet sich jetzt im Status "Beendet".
Record Number: 46477
Source Name: Service Control Manager
Time Written: 20090928124339.000000-000
Event Type: Informationen
User:

Computer Name: *Muster*-Notebook
Event Code: 7036
Message: Dienst "Windows Modules Installer" befindet sich jetzt im Status "Beendet".
Record Number: 46476
Source Name: Service Control Manager
Time Written: 20090928123550.000000-000
Event Type: Informationen
User:

Computer Name: *Muster*-Notebook
Event Code: 18
Message: Installationsbereit: Die folgenden Updates wurden heruntergeladen und können installiert werden. Diese Updates sollen laut Zeitplan am Dienstag, 29. September 2009 um 03:00 auf diesem Computer installiert werden:
- Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB929729)
Record Number: 46475
Source Name: Microsoft-Windows-WindowsUpdateClient
Time Written: 20090928122914.603820-000
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

Computer Name: *Muster*-Notebook
Event Code: 7040
Message: Der Starttyp des Diensts "Windows Modules Installer" wurde von Automatisch starten in Manuell starten geändert.
Record Number: 46474
Source Name: Service Control Manager
Time Written: 20090928122841.000000-000
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

=====Application event log=====

Computer Name: *Muster*-Notebook
Event Code: 223
Message: WinMail (5192) WindowsMail0: Sicherung von Protokolldateien (Bereich C:\Users\Mustermann\AppData\Local\Microsoft\Windows Mail\edb00001.log - C:\Users\Mustermann\AppData\Local\Microsoft\Windows Mail\edb00001.log) wird gestartet.
Record Number: 5
Source Name: ESENT
Time Written: 20090308135328.000000-000
Event Type: Informationen
User:

Computer Name: *Muster*-Notebook
Event Code: 221
Message: WinMail (5192) WindowsMail0: Sicherung der Datei C:\Users\Mustermann\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore wird beendet.
Record Number: 4
Source Name: ESENT
Time Written: 20090308135327.000000-000
Event Type: Informationen
User:

Computer Name: *Muster*-Notebook
Event Code: 220
Message: WinMail (5192) WindowsMail0: Sicherung der Datei C:\Users\Mustermann\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (Größe 2 Mb) beginnt.
Record Number: 3 Source Name: ESENT Time Written: 20090308135327.000000-000 Event Type: Informationen User: Computer Name: *Muster*-Notebook Event Code: 210 Message: WinMail (5192) WindowsMail0: Eine vollständige Sicherung wird gestartet. Record Number: 2 Source Name: ESENT Time Written: 20090308135327.000000-000 Event Type: Informationen User: Computer Name: *Muster*-Notebook Event Code: 102 Message: WinMail (5192) WindowsMail0: Das Datenbankmodul (6.00.6001.0000) hat eine neue Instanz gestartet (0). Record Number: 1 Source Name: ESENT Time Written: 20090308135327.000000-000 Event Type: Informationen User: =====Security event log===== Computer Name: *Muster*-Notebook Event Code: 4905 Message: Es wurde versucht, die Registrierung einer Sicherheitsereignisquelle aufzuheben. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: WIN-RZIBX90M9DO$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Prozess: Prozess-ID: 0xf48 Prozessname: C:\Windows\System32\VSSVC.exe Ereignisquelle: Quellenname: VSSAudit Ereignisquellen-ID: 0x81200b Record Number: 5 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090308141059.778313-000 Event Type: Überwachung erfolgreich User: Computer Name: *Muster*-Notebook Event Code: 4904 Message: Es wurde versucht, eine Sicherheitsereignisquelle zu registrieren. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: WIN-RZIBX90M9DO$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Prozess: Prozess-ID: 0xf48 Prozessname: C:\Windows\System32\VSSVC.exe Ereignisquelle: Quellenname: VSSAudit Ereignisquellen-ID: 0x81200b Record Number: 4 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090308141059.778313-000 Event Type: Überwachung erfolgreich User: Computer Name: *Muster*-Notebook Event Code: 4905 Message: Es wurde versucht, die Registrierung einer Sicherheitsereignisquelle aufzuheben. 
Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: WIN-RZIBX90M9DO$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Prozess: Prozess-ID: 0xf48 Prozessname: C:\Windows\System32\VSSVC.exe Ereignisquelle: Quellenname: VSSAudit Ereignisquellen-ID: 0x4d02be Record Number: 3 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090308135546.827313-000 Event Type: Überwachung erfolgreich User: Computer Name: *Muster*-Notebook Event Code: 4904 Message: Es wurde versucht, eine Sicherheitsereignisquelle zu registrieren. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: WIN-RZIBX90M9DO$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Prozess: Prozess-ID: 0xf48 Prozessname: C:\Windows\System32\VSSVC.exe Ereignisquelle: Quellenname: VSSAudit Ereignisquellen-ID: 0x4d02be Record Number: 2 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090308135546.827313-000 Event Type: Überwachung erfolgreich User: Computer Name: *Muster*-Notebook Event Code: 1102 Message: Das Überwachungsprotokoll wurde gelöscht. 
Subjekt: Sicherheits- ID: S-1-5-21-2449081074-777161564-3864287623-1003 Kontoname: Mustermann Domänenname: *Muster*-Notebook Logon-ID: 0x17cc1b Record Number: 1 Source Name: Microsoft-Windows-Eventlog Time Written: 20090308134718.048113-000 Event Type: Überwachung erfolgreich User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\ActivIdentity\ActivClient\;c:\Program Files\Hewlett-Packard\IAM\bin;C:\Program Files\QuickTime\QTSystem\ "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC "PROCESSOR_ARCHITECTURE"=x86 "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "USERNAME"=SYSTEM "windir"=%SystemRoot% "PROCESSOR_LEVEL"=6 "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel "PROCESSOR_REVISION"=170a "NUMBER_OF_PROCESSORS"=2 "TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat "DFSTRACINGON"=FALSE "OnlineServices"=Online Services "Platform"=BNB "CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip -----------------EOF-----------------
How can I clean my system of this annoying virus??? Thanks in advance for your help. Mahastud |
13.04.2010, 12:19 | #3 |
| Thanks a lot, Arne,
OK. Here is the GMER logfile first:
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-04-13 13:17:52
Windows 6.0.6002 Service Pack 2
Running: 7gkqzov2.exe; Driver: C:\Users\Marc\AppData\Local\Temp\pxloipoc.sys

---- System - GMER 1.0.15 ----

SSDT A1F4A7F4 ZwCreateThread
SSDT A1F4A7E0 ZwOpenProcess
SSDT A1F4A7E5 ZwOpenThread
SSDT A1F4A7EF ZwTerminateProcess

INT 0xA1 ? 900A6CD0

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81EB8984 4 Bytes [F4, A7, F4, A1]
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EB8B54 4 Bytes [E0, A7, F4, A1]
.text ntkrnlpa.exe!KeSetEvent + 40D 81EB8B70 4 Bytes [E5, A7, F4, A1]
.text ntkrnlpa.exe!KeSetEvent + 621 81EB8D84 4 Bytes [EF, A7, F4, A1]
? System32\Drivers\clwquor.sys Ein an das System angeschlossenes Gerät funktioniert nicht. !
? C:\windows\System32\Drivers\SafeBoot.sys Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
.text C:\windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC0B340, 0x3EA957, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EA7817] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73EFA86D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EABB22] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E9F695] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EA75E9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E9E7CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73ED8395] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EADA60] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E9FFFA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E9FF61] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E971CF] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F2CAE2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73ECC8D8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E9D968] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E96853] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E9687E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[812] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EA2AD1] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 877EE588
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] clwquor <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247e19a515
Reg HKLM\SYSTEM\CurrentControlSet\Services\clwquor@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clwquor@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\clwquor@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\clwquor@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00247e19a515 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\clwquor@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\clwquor@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\clwquor@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\clwquor@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ---- |
13.04.2010, 12:20 | #4 |
| And here is the OSAM logfile:
Report of OSAM: Autorun Manager v5.0.11926.0 Online Solutions. Complex Protection for Information Systems Saved at 12:55:10 on 13.04.2010 OS: Windows Vista Business Edition Service Pack 2 (Build 6002), 32-bit Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [AppInit DLLs] -----( HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows )----- "AppInit_DLLs" - "Bioscrypt Inc." - C:\windows\system32\APSHook.dll [Common] -----( %SystemRoot%\Tasks )----- "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "hpaccelerometercp.CPL" - "Hewlett-Packard Corporation" - C:\windows\system32\hpaccelerometercp.CPL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "HP 3D DriveGuard" - "Hewlett-Packard Corporation" - C:\windows\system32\hpaccelerometercp.CPL "QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl "SoundMAX" - "Analog Devices, Inc." 
- C:\Program Files\Analog Devices\SoundMAX\soundmax.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\windows\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\windows\System32\DRIVERS\avipbb.sys "clwquor" (clwquor) - ? - C:\windows\system32\drivers\clwquor.sys (Hidden registry entry, rootkit activity | File not found) "IP in IP Tunnel Driver" (IpInIp) - ? - C:\windows\System32\DRIVERS\ipinip.sys (File not found) "IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\windows\System32\DRIVERS\nwlnkflt.sys (File not found) "IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\windows\System32\DRIVERS\nwlnkfwd.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\windows\System32\Drivers\PxHelp20.sys "RsvLock" (RsvLock) - "SafeBoot International" - C:\windows\system32\drivers\RsvLock.sys "SafeBoot" (SafeBoot) - "SafeBoot International" - C:\windows\system32\drivers\SafeBoot.sys (File is exclusively opened, access blocked) "SbAlg" (SbAlg) - "SafeBoot N.V." - C:\windows\system32\drivers\SbAlg.sys "SbFsLock" (SbFsLock) - "SafeBoot International" - C:\windows\system32\drivers\SbFsLock.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\windows\System32\DRIVERS\ssmdrv.sys [Explorer] -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." 
- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? - (File not found | COM-object registry key not found) {1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? - (File not found | COM-object registry key not found) {2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? - (File not found | COM-object registry key not found) {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." 
- C:\Program Files\iTunes\iTunesMiniPlayer.dll {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\OFFICE11\msohev.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {7842554E-6BED-11D2-8CDB-B05550C10000} "Monitor Class" - "Broadcom Corporation." - C:\windows\system32\btncopy.dll {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL {C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? - (File not found | COM-object registry key not found) {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Program Files\WinRAR\rarext.dll [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "AOL Toolbar" - "AOL LLC" - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll <binary data> "Ask Toolbar" - "Ask.com" - C:\Program Files\AskBarDis\bar\bin\askBar.dll <binary data> "Google Toolbar" - "Google Inc." 
- C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {8100D56A-5661-482C-BEE8-AFECE305D968} "Facebook Photo Uploader 5 Control" - "The Facebook" - C:\Windows\Downloaded Program Files\PhotoUploader55.ocx / hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_12" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1236530247270&h=8a95033873b69adec2dbcadc2ed1baa1/&filename=jinstall-6u12-windows-i586-jc.cab {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} "Java Plug-in 1.6.0_12" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_12" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_12.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "@btrez.dll,-4015" - ? - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm {77BF5300-1474-4EC7-9980-D32B190E9B07} "ClsidExtension" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll {DDE87865-83C5-48c4-8357-2F5B1AA84522} "HP Intelligente Auswahl" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL {77BF5300-1474-4EC7-9980-D32B190E9B07} "Skype" - "Skype Technologies S.A." 
- C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- {DE9C389F-3316-41A7-809B-AA305ED9D922} "AOL Toolbar" - "AOL LLC" - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll <binary data> "Ask Toolbar" - "Ask.com" - C:\Program Files\AskBarDis\bar\bin\askBar.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} "AOL Toolbar BHO" - "AOL LLC" - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll {201f27d4-3704-41d6-89c1-aa35e39143ed} "AskBar BHO" - "Ask.com" - C:\Program Files\AskBarDis\bar\bin\askBar.dll {DF21F1DB-80C6-11D3-9483-B03D0EC10000} "Credential Manager for HP ProtectTools" - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} "HP Smart BHO Class" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll {22BF413B-C6D2-4d91-82A9-A0F997BA588C} "Skype add-on (mastermind)" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll {ee1babcf-cbe2-4c07-8e18-dfe6fc08c30a} "{ee1babcf-cbe2-4c07-8e18-dfe6fc08c30a} " - ? 
- (File not found | COM-object registry key not found) [LSA Providers] -----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )----- "Notification packages" - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll [Logon] -----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini "LimeWire On Startup.lnk" - "Lime Wire, LLC" - C:\Program Files\LimeWire\LimeWire.exe (Shortcut exists | File exists) "mirc - Verknüpfung.lnk" - "mIRC Co. Ltd." - C:\Program Files\mIRC\mirc.exe (Shortcut exists | File exists) "Picture Motion Browser Medien-Prüfung.lnk" - "Sony Corporation" - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (Shortcut exists | File exists) -----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini "HP Digital Imaging Monitor.lnk" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Shortcut exists | File exists) "BTTray.lnk" - "Broadcom Corporation." - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Shortcut exists | File exists) -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "NokiaOviSuite2" - "Nokia" - C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray "Skype" - "Skype Technologies S.A." - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized "swg" - "Google Inc." 
- "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "accrdsub" - "ActivIdentity" - "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" "Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min "CognizanceTS" - "Bioscrypt Inc." - rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule "FreePDF Assistant" - "shbox.de" - C:\Program Files\FreePDF_XP\fpassist.exe "HP Health Check Scheduler" - "Hewlett-Packard" - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe "HP Software Update" - "Hewlett-Packard" - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "hpqSRMon" - "Hewlett-Packard" - C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe "hpWirelessAssistant" - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe "IAAnotif" - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe "iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe" " Malwarebytes Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript "NokiaMServer" - "Nokia" - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup "NokiaMusic FastStart" - "Nokia" - "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart "picon" - "Intel Corporation" - "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup "PTHOSTTR" - "Hewlett-Packard Development Company, L.P." 
- c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
"QlbCtrl.exe" - " Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SoundMAX" - "Analog Devices, Inc." - C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Java\jre6\bin\jusched.exe"

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\windows\system32\mdimon.dll
"Redirected Port" - ? - C:\windows\system32\redmonnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ActivClient Middleware Service" (accoca) - "ActivIdentity" - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASKService" (ASKService) - ? - C:\Program Files\AskBarDis\bar\bin\AskService.exe (File found, but it contains no detailed information)
"ASKUpgrade" (ASKUpgrade) - ? - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe (File found, but it contains no detailed information)
"AuthenTec Fingerprint Service" (ATService) - "AuthenTec, Inc." - c:\Program Files\Fingerprint Sensor\AtService.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"Com4QLBEx" (Com4QLBEx) - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
"Drive Encryption Service" (HpFkCryptService) - "SafeBoot International" - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"HP CUE DeviceDiscovery Service" (hpqddsvc) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
"HP Health Check Service" (HP Health Check Service) - "Hewlett-Packard" - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
"HP Network Devices Support" (HPSLPSVC) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
"HP ProtectTools Service" (HP ProtectTools Service) - "Hewlett-Packard Development Company, L.P" - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
"hpqcxs08" (hpqcxs08) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
"hpqwmiex" (hpqwmiex) - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
"Intel(R) Active Management Technology Local Management Service" (LMS) - "Intel Corporation" - C:\Program Files\Intel\AMT\LMS.exe
"Intel(R) Active Management Technology User Notification Service" (UNS) - "Intel Corporation" - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
"Intel(R) Matrix Storage Event Monitor" (IAANTMON) - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"Local Communication Channel" (ASChannel) - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\AsChnl.dll
"Logon Session Broker" (ASBroker) - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Net Driver HPZ12" (Net Driver HPZ12) - "Hewlett-Packard" - C:\windows\system32\HPZinw12.dll
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\windows\system32\HPZipm12.dll
"ServiceLayer" (ServiceLayer) - "Nokia" - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"TwonkyMedia" (TwonkyMedia) - "PacketVideo" - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

[Winlogon]
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions )-----
{8F51D94E-8B89-4844-B15C-9C049BA0F49F} "DLLName" - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\ItVCard.dll
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"ScCertProp" - ? - wlnotify.dll (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit Online Solutions :: Index

Regards, Marc
13.04.2010, 12:27 | #5
/// Winkelfunktion /// TB-Süch-Tiger™

Please run Avenger:

1.) Download Avenger from here: Swandog46's Public Anti-Malware Tools (Download, on the left-hand side)
2.) Unpack the zip archive and run the file "avenger.exe" (under Vista via right-click => Run as administrator). Set the checkboxes at the bottom as shown:
3.) Copy exactly the lines from the following code box:

Code:
files to delete:
C:\windows\system32\drivers\clwquor.sys

drivers to delete:
clwquor.sys
clwquor

5.) The code text from my post should now appear under "Input Script here" in "The Avenger".
6.) If so, click "Execute" at the bottom right. Confirm the next prompt with "Yes", and the "Reboot now" question (system restart) as well.
7.) After the restart, Avenger will display a log file. Copy its contents and post them here.
8.) Upload the file c:\avenger\backup.zip to file-upload.net and link it here
__________________
Please always post log files in CODE tags
13.04.2010, 17:57 | #6

1) Here is the link to the Avenger file: hxxp://www.ispaceyou.com/uploads/47ab62b40b7ca54fb3524e7c6cbed042.zip

Here is the Avenger log file (after the restart, Avira reported again that the trojan was trying to do something):

Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\windows\system32\drivers\clwquor.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\clwquor.sys" not found!
Deletion of driver "clwquor.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "clwquor" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
13.04.2010, 19:55 | #7
/// Winkelfunktion /// TB-Süch-Tiger™

Good. Go ahead and make a new log (as a check) with OSAM, and after updating run a full scan with Malwarebytes and post that log too.
13.04.2010, 21:40 | #8

Here is the OSAM log file for now (I am starting Malwarebytes now):

Report of OSAM: Autorun Manager v5.0.11926.0
Online Solutions. Complex Protection for Information Systems

Saved at 22:37:43 on 13.04.2010

OS: Windows Vista Business Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries

[AppInit DLLs]
-----( HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows )-----
"AppInit_DLLs" - "Bioscrypt Inc." - C:\windows\system32\APSHook.dll

[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"hpaccelerometercp.CPL" - "Hewlett-Packard Corporation" - C:\windows\system32\hpaccelerometercp.CPL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"HP 3D DriveGuard" - "Hewlett-Packard Corporation" - C:\windows\system32\hpaccelerometercp.CPL
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl
"SoundMAX" - "Analog Devices, Inc." - C:\Program Files\Analog Devices\SoundMAX\soundmax.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\windows\System32\DRIVERS\avipbb.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\windows\System32\DRIVERS\ipinip.sys (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\windows\System32\DRIVERS\nwlnkflt.sys (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\windows\System32\DRIVERS\nwlnkfwd.sys (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\windows\System32\Drivers\PxHelp20.sys
"RsvLock" (RsvLock) - "SafeBoot International" - C:\windows\system32\drivers\RsvLock.sys
"SafeBoot" (SafeBoot) - "SafeBoot International" - C:\windows\system32\drivers\SafeBoot.sys (File is exclusively opened, access blocked)
"SbAlg" (SbAlg) - "SafeBoot N.V." - C:\windows\system32\drivers\SbAlg.sys
"SbFsLock" (SbFsLock) - "SafeBoot International" - C:\windows\system32\drivers\SbFsLock.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\windows\System32\DRIVERS\ssmdrv.sys

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? - (File not found | COM-object registry key not found)
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found)
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? - (File not found | COM-object registry key not found)
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? - (File not found | COM-object registry key not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{7842554E-6BED-11D2-8CDB-B05550C10000} "Monitor Class" - "Broadcom Corporation." - C:\windows\system32\btncopy.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? - (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? - (File not found | COM-object registry key not found)
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? - (File not found | COM-object registry key not found)
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Program Files\WinRAR\rarext.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "AOL Toolbar" - "AOL LLC" - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
<binary data> "Ask Toolbar" - "Ask.com" - C:\Program Files\AskBarDis\bar\bin\askBar.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8100D56A-5661-482C-BEE8-AFECE305D968} "Facebook Photo Uploader 5 Control" - "The Facebook" - C:\Windows\Downloaded Program Files\PhotoUploader55.ocx / hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_12" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1236530247270&h=8a95033873b69adec2dbcadc2ed1baa1/&filename=jinstall-6u12-windows-i586-jc.cab
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} "Java Plug-in 1.6.0_12" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_12" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_12.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"@btrez.dll,-4015" - ? - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
{77BF5300-1474-4EC7-9980-D32B190E9B07} "ClsidExtension" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
{DDE87865-83C5-48c4-8357-2F5B1AA84522} "HP Intelligente Auswahl" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
{77BF5300-1474-4EC7-9980-D32B190E9B07} "Skype" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
{DE9C389F-3316-41A7-809B-AA305ED9D922} "AOL Toolbar" - "AOL LLC" - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
<binary data> "Ask Toolbar" - "Ask.com" - C:\Program Files\AskBarDis\bar\bin\askBar.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} "AOL Toolbar BHO" - "AOL LLC" - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
{201f27d4-3704-41d6-89c1-aa35e39143ed} "AskBar BHO" - "Ask.com" - C:\Program Files\AskBarDis\bar\bin\askBar.dll
{DF21F1DB-80C6-11D3-9483-B03D0EC10000} "Credential Manager for HP ProtectTools" - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} "HP Smart BHO Class" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} "Skype add-on (mastermind)" - "Skype Technologies S.A." - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
{ee1babcf-cbe2-4c07-8e18-dfe6fc08c30a} "{ee1babcf-cbe2-4c07-8e18-dfe6fc08c30a} " - ? - (File not found | COM-object registry key not found)

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Notification packages" - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"LimeWire On Startup.lnk" - "Lime Wire, LLC" - C:\Program Files\LimeWire\LimeWire.exe (Shortcut exists | File exists)
"mirc - Verknüpfung.lnk" - "mIRC Co. Ltd." - C:\Program Files\mIRC\mirc.exe (Shortcut exists | File exists)
"Picture Motion Browser Medien-Prüfung.lnk" - "Sony Corporation" - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (Shortcut exists | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"HP Digital Imaging Monitor.lnk" - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Shortcut exists | File exists)
"BTTray.lnk" - "Broadcom Corporation." - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"NokiaOviSuite2" - "Nokia" - C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
"Skype" - "Skype Technologies S.A." - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"swg" - "Google Inc." - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"accrdsub" - "ActivIdentity" - "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"CognizanceTS" - "Bioscrypt Inc." - rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
"FreePDF Assistant" - "shbox.de" - C:\Program Files\FreePDF_XP\fpassist.exe
"HP Health Check Scheduler" - "Hewlett-Packard" - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"HP Software Update" - "Hewlett-Packard" - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon" - "Hewlett-Packard" - C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
"hpWirelessAssistant" - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
"IAAnotif" - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"
" Malwarebytes Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"NokiaMServer" - "Nokia" - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
"NokiaMusic FastStart" - "Nokia" - "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
"picon" - "Intel Corporation" - "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
"PTHOSTTR" - "Hewlett-Packard Development Company, L.P." - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
"QlbCtrl.exe" - " Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SoundMAX" - "Analog Devices, Inc." - C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Java\jre6\bin\jusched.exe"

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\windows\system32\mdimon.dll
"Redirected Port" - ? - C:\windows\system32\redmonnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ActivClient Middleware Service" (accoca) - "ActivIdentity" - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASKService" (ASKService) - ? - C:\Program Files\AskBarDis\bar\bin\AskService.exe (File found, but it contains no detailed information)
"ASKUpgrade" (ASKUpgrade) - ? - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe (File found, but it contains no detailed information)
"AuthenTec Fingerprint Service" (ATService) - "AuthenTec, Inc." - c:\Program Files\Fingerprint Sensor\AtService.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"Com4QLBEx" (Com4QLBEx) - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
"Drive Encryption Service" (HpFkCryptService) - "SafeBoot International" - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"HP CUE DeviceDiscovery Service" (hpqddsvc) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
"HP Health Check Service" (HP Health Check Service) - "Hewlett-Packard" - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
"HP Network Devices Support" (HPSLPSVC) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
"HP ProtectTools Service" (HP ProtectTools Service) - "Hewlett-Packard Development Company, L.P" - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
"hpqcxs08" (hpqcxs08) - "Hewlett-Packard Co." - C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
"hpqwmiex" (hpqwmiex) - "Hewlett-Packard Development Company, L.P." - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
"Intel(R) Active Management Technology Local Management Service" (LMS) - "Intel Corporation" - C:\Program Files\Intel\AMT\LMS.exe
"Intel(R) Active Management Technology User Notification Service" (UNS) - "Intel Corporation" - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
"Intel(R) Matrix Storage Event Monitor" (IAANTMON) - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"Local Communication Channel" (ASChannel) - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\AsChnl.dll
"Logon Session Broker" (ASBroker) - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Net Driver HPZ12" (Net Driver HPZ12) - "Hewlett-Packard" - C:\windows\system32\HPZinw12.dll
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\windows\system32\HPZipm12.dll
"ServiceLayer" (ServiceLayer) - "Nokia" - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"TwonkyMedia" (TwonkyMedia) - "PacketVideo" - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

[Winlogon]
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions )-----
{8F51D94E-8B89-4844-B15C-9C049BA0F49F} "DLLName" - "Bioscrypt Inc." - c:\Program Files\Hewlett-Packard\IAM\Bin\ItVCard.dll
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"ScCertProp" - ? - wlnotify.dll (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit Online Solutions :: Index
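A helper reads an OSAM report like the one above by eye, looking for entries with no publisher, files that no longer exist, and files the scanner could not open. As an added example (not part of this thread, of OSAM, or of Trojaner-Board's tools), the Python script below does that triage mechanically: it parses each entry in the line shape OSAM prints (optional CLSID or "<binary data>" prefix, quoted display name, optional service key, publisher or "?", path, trailing flags in parentheses) and attaches a finding to each condition worth a second look. The sample lines are constructed from the kinds of entries visible in the report above; the finding texts and the rule of ignoring a missing publisher when the file itself is missing are my own choices.

```python
"""Triage for OSAM "Autorun Manager" reports (added example, not OSAM code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape OSAM prints; headers and separators are included
# to show that the parser skips them.
SAMPLE_LOG = r'''
[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\windows\System32\DRIVERS\ipinip.sys (File not found)
"SafeBoot" (SafeBoot) - "SafeBoot International" - C:\windows\system32\drivers\SafeBoot.sys (File is exclusively opened, access blocked)
[Services]
"ASKService" (ASKService) - ? - C:\Program Files\AskBarDis\bar\bin\AskService.exe (File found, but it contains no detailed information)
[Winlogon]
"ScCertProp" - ? - wlnotify.dll (File not found)
[Explorer]
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? - (File not found | COM-object registry key not found)
[Logon]
"SoundMAX" - "Analog Devices, Inc." - C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
'''

ENTRY_RE = re.compile(
    r'^(?:(?P<ident>[^"]*?)\s+)?'        # optional CLSID or "<binary data>" prefix
    r'"(?P<name>[^"]*)"'                 # quoted display name
    r'(?:\s+\((?P<key>[^)]*)\))?'        # optional service/driver key
    r'\s+-\s+(?P<pub>"[^"]*"|\?)'        # publisher, or ? when OSAM found none
    r'\s+-\s*(?P<rest>.*)$'              # path/command line plus optional flags
)
# Splits the tail into the path and the parenthesised flag list at the end.
TAIL_RE = re.compile(r'^(?P<path>.*?)\s*(?:\((?P<flags>[^()]*)\))?$')

# Finding texts (my wording, not OSAM's).
DANGLING = "dangling autostart entry: referenced file is missing"
NO_VERSION_INFO = "no publisher/version information: file is unsigned or stripped, verify its hash out of band"
ORPHAN_COM = "orphaned COM registration: CLSID key is gone but the reference remains"
LOCKED = "file is exclusively opened: normal for AV and disk-encryption drivers, suspicious otherwise"


@dataclass
class Entry:
    name: str
    key: Optional[str]
    publisher: Optional[str]          # None when OSAM printed "?"
    path: str
    flags: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_osam(report: str) -> List[Entry]:
    """Return one Entry per autostart line; section headers and separators are skipped."""
    entries: List[Entry] = []
    for raw in report.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        tail = TAIL_RE.match(m.group("rest"))
        flags = [f.strip() for f in (tail.group("flags") or "").split("|") if f.strip()]
        pub = m.group("pub")
        entries.append(Entry(
            name=m.group("name"),
            key=m.group("key"),
            publisher=None if pub == "?" else pub.strip('"'),
            path=tail.group("path").strip(),
            flags=flags,
        ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach findings to each entry and return only those that have any."""
    flagged = []
    for e in entries:
        e.findings = []
        missing = any("File not found" in f for f in e.flags)
        if missing:
            e.findings.append(DANGLING)
        elif e.publisher is None:
            # A missing publisher is only meaningful when the file is actually there.
            e.findings.append(NO_VERSION_INFO)
        if any("COM-object registry key not found" in f for f in e.flags):
            e.findings.append(ORPHAN_COM)
        if any("exclusively opened" in f for f in e.flags):
            e.findings.append(LOCKED)
        if e.findings:
            flagged.append(e)
    return flagged


def summarize(flagged: List[Entry]) -> List[str]:
    return [f"{e.name}: " + "; ".join(e.findings) for e in flagged]


if __name__ == "__main__":
    for line in summarize(triage(parse_osam(SAMPLE_LOG))):
        print(line)
```

Run against a full report, the output is the short list a helper would otherwise assemble by hand; the SafeBoot and Avira entries here are expected on this HP machine, which is exactly why the locked-file finding is worded as a prompt to check the publisher rather than as a verdict.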
13.04.2010, 22:53 | #9

So, during the Malwarebytes scan Avira brought up the virus alert again, and the same thing again after the command to delete the file. Here is the log file:

Malwarebytes' Anti-Malware 1.45
Malwarebytes

Datenbank Version: 3985
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

13.04.2010 23:43:57
mbam-log-2010-04-13 (23-43-57).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 271444
Laufzeit: 1 Stunde(n), 1 Minute(n), 2 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Avenger\clwquor.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
14.04.2010, 19:16 | #10

Hello,

Today I ran another full scan with Malwarebytes, and Malwarebytes found nothing. What does that mean? Here is the log file from it: (What do yesterday's log files look like?)

Malwarebytes' Anti-Malware 1.45
Malwarebytes

Datenbank Version: 3987
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

14.04.2010 18:44:26
mbam-log-2010-04-14 (18-44-26).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|G:\|)
Durchsuchte Objekte: 272777
Laufzeit: 1 Stunde(n), 5 Minute(n), 9 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Many thanks
Regards, Marc
14.04.2010, 19:46 | #11
/// Winkelfunktion /// TB-Süch-Tiger™

Looks good. But I would suggest one more pass with CF: ComboFix. A guide and tutorial on using ComboFix

ComboFix may only be run when a designated helper has explicitly recommended it!
14.04.2010, 20:40 | #12

All right. I have now run CCleaner, and now ComboFix as well. It also occurred to me that after the virus infection I turned off the automatic restore points in the system settings. Does that matter? Here is the txt file from ComboFix:

ComboFix 10-04-14.01 - Marc 14.04.2010 21:22:28.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.41.1031.18.3066.1405 [GMT 2:00]
ausgeführt von:: c:\users\Marc\Desktop\cofi.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1121538072-291572471-3616182424-500
c:\program files\Hewlett-Packard\IAM\bin\brand.dll
c:\recycler\S-1-5-21-3974402540-5672230312-883192833-4638

.
((((((((((((((((((((((( Dateien erstellt von 2010-03-14 bis 2010-04-14 ))))))))))))))))))))))))))))))
.

2010-04-14 19:27 . 2010-04-14 19:27  --------  d-----w-  c:\users\Default\AppData\Local\temp
2010-04-12 18:56 . 2010-04-12 18:56  --------  d-----w-  C:\rsit
2010-04-12 18:56 . 2010-04-12 18:56  --------  d-----w-  c:\program files\trend micro
2010-04-12 18:24 . 2010-04-14 19:20  --------  d-----w-  c:\program files\CCleaner
2010-04-12 18:15 . 2010-04-12 18:15  388096  ----a-r-  c:\users\Marc\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-12 18:15 . 2010-04-12 18:15  --------  d-----w-  c:\program files\TrendMicro
2010-04-12 14:59 . 2010-04-12 14:59  --------  d-----w-  c:\users\Marc\AppData\Roaming\Malwarebytes
2010-04-12 14:59 . 2010-03-29 13:24  38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 14:59 . 2010-04-12 14:59  --------  d-----w-  c:\programdata\Malwarebytes
2010-04-12 14:59 . 2010-04-12 16:06  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2010-04-12 14:59 . 2010-03-29 13:24  20824  ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-04-08 08:43 . 2010-04-08 08:44  --------  d-----w-  c:\users\Marc\AppData\Roaming\Media Player Classic
2010-04-07 21:07 . 2010-04-07 21:24  --------  d-----w-  c:\users\Marc\AppData\Roaming\dvdcss

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2010-04-14 19:29 . 2008-12-25 16:45  --------  d-----w-  c:\programdata\hpqLog
2010-04-14 19:27 . 2009-03-08 12:20  12  ----a-w-  c:\windows\bthservsdp.dat
2010-04-14 19:27 . 2009-10-27 21:00  --------  d-----w-  c:\users\Marc\AppData\Roaming\Skype
2010-04-14 15:42 . 2008-04-15 20:22  672608  ----a-w-  c:\windows\system32\perfh007.dat
2010-04-14 15:42 . 2008-04-15 20:22  146012  ----a-w-  c:\windows\system32\perfc007.dat
2010-04-14 15:36 . 2009-04-09 18:15  --------  d-----w-  c:\users\Marc\AppData\Roaming\mIRC
2010-04-14 15:36 . 2009-10-27 21:04  --------  d-----w-  c:\users\Marc\AppData\Roaming\skypePM
2010-04-14 15:35 . 2010-01-02 17:26  --------  d-----w-  c:\users\Marc\AppData\Roaming\LimeWire
2010-04-12 14:48 . 2009-03-08 16:22  27744  ----a-w-  c:\programdata\nvModes.dat
2010-04-07 21:37 . 2009-10-03 21:20  --------  d-----w-  c:\users\Marc\AppData\Roaming\Azureus
2010-03-11 07:17 . 2009-12-17 15:16  64164264  ----a-w-  c:\users\Marc\AppData\Roaming\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe
2010-03-10 16:33 . 2006-11-02 11:18  --------  d-----w-  c:\program files\Windows Mail
2010-03-10 16:18 . 2009-03-08 13:56  --------  d-----w-  c:\programdata\Microsoft Help
2010-02-28 12:58 . 2009-03-08 13:46  105928  ----a-w-  c:\users\Marc\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 20:18  181632  ------w-  c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 17:24  916480  ----a-w-  c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 17:24  109056  ----a-w-  c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-30 17:24  71680  ----a-w-  c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-30 17:24  133632  ----a-w-  c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 16:11  24064  ----a-w-  c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 16:11  30720  ----a-w-  c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 16:11  411648  ----a-w-  c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-03-08 02:00  293376  ----a-w-  c:\windows\system32\browserchoice.exe
2010-02-10 22:30 . 2010-02-10 22:30  509552  ----a-w-  c:\programdata\Google\Google Toolbar\Update\gtb9A6F.tmp.exe
2010-02-04 16:31 . 2010-02-04 16:31  72488  ----a-w-  c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-25 12:00 . 2010-02-23 18:22  471552  ----a-w-  c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 18:22  152576  ----a-w-  c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 18:22  152064  ----a-w-  c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 18:22  471552  ----a-w-  c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 18:22  332288  ----a-w-  c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 18:22  526336  ----a-w-  c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 18:22  346624  ----a-w-  c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 18:22  518144  ----a-w-  c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 18:22  347136  ----a-w-  c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 18:23  2048  ----a-w-  c:\windows\system32\tzres.dll
2008-12-25 16:52 . 2008-12-25 16:52  8192  --sha-w-  c:\windows\Users\Default\NTUSER.DAT

.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47  333192  ----a-w-  c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-27 39408]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2009-12-10 401728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-24 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-24 92704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-16 293168]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-07-09 238896]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-06-18 24848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-04 177456]
"snuvcdsm"="c:\windows\snuvcdsm.exe" [2007-05-23 20480]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-02 367128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2007-04-25 311296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1314816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2009-11-06 2090272]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
" Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-29 1086856]

c:\users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
mirc - Verknüpfung.lnk - c:\program files\mIRC\mirc.exe [2008-10-17 2810880]
Picture Motion Browser Medien-Prüfung.lnk - c:\program files\Sony\Sony Picture
Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-9-23 376832] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\APSHook.dll c:\windows\System32\APSHook.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):a4,69,c3,d6,6d,72,ca,01 R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664] R2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe [2009-01-29 102400] R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712] R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840] S0 SafeBoot;SafeBoot; [x] S0 SbAlg;SbAlg; [x] S0 SbFsLock;SbFsLock; [x] S1 RsvLock;RsvLock; [x] S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-05-16 182576] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-21 21504] S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-21 21504] S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264] S2 ASKUpgrade;ASKUpgrade;c:\program 
files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888] S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536] S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2008-07-09 19968] S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2008-07-11 256512] S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-04-07 24936] S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-06-02 2058776] S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-06-12 477696] S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-03-27 224384] S3 NETw5v32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows Vista 32-Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752] S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-12-20 47616] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc Cognizance REG_MULTI_SZ ASBroker ASChannel bthsvcs REG_MULTI_SZ BthServ HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . Inhalt des "geplante Tasks" Ordners 2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 22:31] 2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 22:31] 2010-04-14 c:\windows\Tasks\User_Feed_Synchronization-{D58EBC81-0B40-4E8F-8325-3D95C5A7305E}.job - c:\windows\system32\msfeedssync.exe [2010-03-30 04:54] . . 
------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.com/ mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_ch&c=83&bd=all&pf=cmnb uInternet Settings,ProxyOverride = *.local IE: &AOL Toolbar-Suche - c:\programdata\AOL\ieToolbar\resources\de-CH\local\search.html IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm . - - - - Entfernte verwaiste Registrierungseinträge - - - - BHO-{ee1babcf-cbe2-4c07-8e18-dfe6fc08c30a} - (no file) HKLM-Run-NWEReboot - (no file) ************************************************************************** Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . 
--------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'Explorer.exe'(5164) c:\program files\Hewlett-Packard\IAM\Bin\ItClient.dll c:\windows\system32\btncopy.dll . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\rundll32.exe c:\windows\system32\AEADISRV.EXE c:\windows\system32\agrsmsvc.exe c:\program files\ActivIdentity\ActivClient\acevents.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\Intel\AMT\LMS.exe c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe c:\windows\servicing\TrustedInstaller.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\windows\system32\conime.exe c:\windows\system32\WerCon.exe c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe c:\\?\c:\windows\system32\wbem\WMIADAP.EXE c:\program files\Windows Media Player\wmpnscfg.exe c:\program files\Windows Media Player\wmpnetwk.exe . ************************************************************************** . Zeit der Fertigstellung: 2010-04-14 21:36:07 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2010-04-14 19:35 Vor Suchlauf: 12 Verzeichnis(se), 250'327'289'856 Bytes frei Nach Suchlauf: 19 Verzeichnis(se), 250'013'573'120 Bytes frei - - End Of File - - C02955566AD4E82A26D2685BC56A26E1 Gruss Marc |
14.04.2010, 20:55 | #13
/// Winkelfunktion /// TB-Süch-Tiger™
That looks good. Can you run one more log with GMER, just to double-check?
__________________
Please always post logfiles in CODE tags
14.04.2010, 21:25 | #14
OK, here is the GMER logfile:

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-04-14 22:24:08
Windows 6.0.6002 Service Pack 2
Running: 7gkqzov2.exe; Driver: C:\Users\Mustermann\AppData\Local\Temp\pxloipoc.sys

---- System - GMER 1.0.15 ----

SSDT A46551E4 ZwCreateThread
SSDT A46551D0 ZwOpenProcess
SSDT A46551D5 ZwOpenThread
SSDT A46551DF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81EB1984 4 Bytes [E4, 51, 65, A4] {IN AL, 0x51; MOVS BYTE GS:[EDI]}
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EB1B54 4 Bytes [D0, 51, 65, A4] {RCL BYTE [ECX+0x65], 0x1; MOVSB }
.text ntkrnlpa.exe!KeSetEvent + 40D 81EB1B70 4 Bytes [D5, 51, 65, A4] {AAD 0x51; MOVS BYTE GS:[EDI]}
.text ntkrnlpa.exe!KeSetEvent + 621 81EB1D84 4 Bytes [DF, 51, 65, A4] {FIST WORD [ECX+0x65]; MOVSB }
? C:\windows\System32\Drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
.text C:\windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EE05340, 0x3EA957, 0xE8000020]
? C:\cofi\catchme.sys The system cannot find the path specified. !
? C:\windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [736E7817] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [7373A86D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [736EBB22] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [736DF695] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [736E75E9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [736DE7CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73718395] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [736EDA60] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [736DFFFA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [736DFF61] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [736D71CF] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7376CAE2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [7370C8D8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [736DD968] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipFree] [736D6853] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipAlloc] [736D687E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.exe[5164] @ C:\windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [736E2AD1] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000b9 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000bb bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247e19a515
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00247e19a515 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

Regards,
Marc

Edited by mahastud (14.04.2010 at 21:31)
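One check worth doing on the GMER log above before calling it clean: the four "Kernel code sections" findings are not a second set of patches but the same four SSDT hooks seen again. On 32-bit Vista the system service table lives inside the ntkrnlpa.exe image, so GMER reports a modified table slot as a 4-byte change in .text, and the bytes it prints ([E4, 51, 65, A4]) are just the little-endian encoding of the hook address A46551E4. The script below, added here as an example and not part of the original post or of GMER, parses the lines excerpted from the log above and proves that correspondence; the regexes, function names and the "same driver" span heuristic are my own.

```python
"""Correlate GMER 'SSDT' entries with its 'Kernel code sections' findings.

Added example (not part of the original forum thread). The log excerpt
below is copied from the GMER output posted above; the nvlddmkm.sys line is
included to show that unrelated .text findings are left alone.
"""
import re
import struct
from typing import Dict, List, Tuple

# Lines excerpted from the GMER log above (not constructed).
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT A46551E4 ZwCreateThread
SSDT A46551D0 ZwOpenProcess
SSDT A46551D5 ZwOpenThread
SSDT A46551DF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81EB1984 4 Bytes [E4, 51, 65, A4] {IN AL, 0x51; MOVS BYTE GS:[EDI]}
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EB1B54 4 Bytes [D0, 51, 65, A4] {RCL BYTE [ECX+0x65], 0x1; MOVSB }
.text ntkrnlpa.exe!KeSetEvent + 40D 81EB1B70 4 Bytes [D5, 51, 65, A4] {AAD 0x51; MOVS BYTE GS:[EDI]}
.text ntkrnlpa.exe!KeSetEvent + 621 81EB1D84 4 Bytes [DF, 51, 65, A4] {FIST WORD [ECX+0x65]; MOVSB }
.text C:\windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EE05340, 0x3EA957, 0xE8000020]
"""

# "SSDT <hook address> <service name>"
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
# ".text <image!symbol> + <offset> <address> 4 Bytes [b0, b1, b2, b3] {...}"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+4 Bytes\s+\[([^\]]+)\]"
)


def parse_ssdt(log: str) -> Dict[int, str]:
    """Map hook target address -> hooked Zw* service, from the SSDT lines."""
    hooks: Dict[int, str] = {}
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[int(m.group(1), 16)] = m.group(2)
    return hooks


def parse_code_patches(log: str) -> List[Tuple[str, int, int, bytes]]:
    """Return (symbol, offset, patched address, raw bytes) per 4-byte .text change.
    Lines such as 'section is writeable' have no '+ offset ... 4 Bytes' and are skipped."""
    patches = []
    for line in log.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            raw = bytes(int(b, 16) for b in m.group(4).split(","))
            patches.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16), raw))
    return patches


def correlate(log: str) -> Dict[str, str]:
    """Decode each patched dword as a little-endian x86 pointer and look it up in
    the SSDT hook table. Result maps 'symbol+offset' -> service name, or an
    'UNMATCHED <addr>' marker if the bytes are not one of the reported hooks."""
    hooks = parse_ssdt(log)
    result: Dict[str, str] = {}
    for symbol, offset, _addr, raw in parse_code_patches(log):
        pointer = struct.unpack("<I", raw)[0]
        result[f"{symbol}+{offset:X}"] = hooks.get(pointer, f"UNMATCHED {pointer:08X}")
    return result


def hook_span(log: str) -> int:
    """Bytes between the lowest and highest hook target. A span of a few bytes means
    every hook lands in one tiny code region, i.e. a single hooking driver."""
    targets = parse_ssdt(log)
    return max(targets) - min(targets)


if __name__ == "__main__":
    for where, what in correlate(GMER_LOG).items():
        print(f"{where:32} -> {what}")
    print(f"hook targets span {hook_span(GMER_LOG)} bytes")
```

All four .text findings resolve to the four SSDT entries, and the targets lie within 20 bytes of each other, so this is one driver hooking ZwOpenProcess, ZwOpenThread, ZwTerminateProcess and ZwCreateThread: the set that security products hook to protect their own processes, which is consistent with the helper accepting the log. What the log does not say is which driver owns the A4655xxx region; the check a practitioner would add is to compare that address against GMER's module list (or lm in a kernel debugger) so the owner is confirmed rather than assumed.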
14.04.2010, 21:29 | #15
/// Winkelfunktion /// TB-Süch-Tiger™
That looks good too. Is the computer OK again?