Trojan PWS:Win32/Daurso.A -- stubborn and resistant (Windows 7)
20.05.2010, 01:23 | #1
Trojan PWS:Win32/Daurso.A -- stubborn and resistant

Hello everyone,

I am also suffering from the pws:win32/daurso.a Trojan. Thanks for the good description at: http://www.trojaner-board.de/86113-t...o-problem.html

StLB found three questionable files in that other case, and since I cannot tell a legitimate file from a questionable one, I hope one of you can help me so that I do not end up having to format after all to get rid of this junk.

I have now run Malwarebytes twice (with a reboot in between and another message from Windows Defender that pws:win32/daurso.a is back/still there) and got this log after the second run:

Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4118

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

20.05.2010 01:54:24
mbam-log-2010-05-20 (01-54-24).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321941
Time elapsed: 2 hour(s), 38 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Windows\Temp\7ac25ba5.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\7ac25ba5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\abfayyq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Code:
OTL logfile created on: 20.05.2010 01:56:09 - Run 1
OTL by OldTimer - Version 3.2.5.0     Folder = C:\Users\Name\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 50,00% Memory free
6,00 Gb Paging File | 4,00 Gb Available in Paging File | 74,00% Paging File free
Paging file location(s): c:\pagefile.sys 3072 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 212,87 Gb Total Space | 55,90 Gb Free Space | 26,26% Space Free | Partition Type: NTFS
Drive D: | 20,00 Gb Total Space | 15,60 Gb Free Space | 78,01% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 624,09 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: Name-PC
Current User Name: Name
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Name\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\System32\TUProgSt.exe (TuneUp Software)
PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\BullGuard Software\BullGuard\BullGuardUpdate.exe (BullGuard Software)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Programme\Medion\MEDIONbox\Program\GCS.exe (Empolis GmbH)
PRC - c:\Programme\Common Files\Gnab\Service\ServiceController.exe (Empolis GmbH)

========== Modules (SafeList) ==========

MOD - C:\Users\Name\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (TuneUp.ProgramStatisticsSvc) -- C:\Windows\System32\TUProgSt.exe (TuneUp Software)
SRV - (TuneUp.Defrag) -- C:\Windows\System32\TuneUpDefragService.exe (TuneUp Software)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (UxTuneUp) -- C:\Windows\System32\uxtuneup.dll (TuneUp Software)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (BsMailProxy) -- C:\Programme\BullGuard Software\BullGuard\BsMailProxy.dll (BullGuard Ltd.)
SRV - (BsFileScan) -- C:\Programme\BullGuard Software\BullGuard\BsFileScan.dll (BullGuard Ltd.)
SRV - (BGLiveSvc) -- C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe (BullGuard Software)
SRV - (BgMainSvc) -- C:\Programme\BullGuard Software\BullGuard\BsMain.dll (BullGuard, Ltd.)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (GnabService) -- c:\Programme\Common Files\Gnab\Service\ServiceController.exe (Empolis GmbH)
SRV - (cvslock) -- C:\Program Files\CVSNT\cvslock.exe ()
SRV - (cvsnt) -- C:\Program Files\CVSNT\cvsservice.exe (March Hare Software Ltd)

========== Driver Services (SafeList) ==========

DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (acedrv11) -- C:\Windows\System32\drivers\acedrv11.sys (Protect Software GmbH)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (BdFileSpy) -- C:\Windows\System32\drivers\BdFileSpy.sys (BullGuard Ltd.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (Reconn) -- C:\Programme\BullGuard Software\BullGuard\Reconn.sys (BullGuard Ltd.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (amdagp) -- C:\Windows\System32\drivers\amdagp.sys.bak (Microsoft Corporation)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (BCM43XV) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blanc"
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.4.4.118
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..keyword.URL: "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q="
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.05.05 17:19:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.05.05 17:19:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Components: C:\Program Files\Mozilla Sunbird\components [2010.05.05 17:19:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Plugins: C:\Program Files\Mozilla Sunbird\plugins [2010.05.05 17:19:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.05.05 17:19:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.05.05 17:19:57 | 000,000,000 | ---D | M]

[2008.12.07 21:00:54 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\mozilla\Extensions
[2010.05.19 22:45:57 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\mozilla\Firefox\Profiles\c9x8tr4l.default\extensions
[2010.04.12 22:19:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Name\AppData\Roaming\mozilla\Firefox\Profiles\c9x8tr4l.default\extensions\{a8dd47cf-239f-48c4-8379-e6b4cbafdcfa}
[2010.05.05 17:04:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Name\AppData\Roaming\mozilla\Firefox\Profiles\c9x8tr4l.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009.11.08 13:39:43 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\mozilla\Firefox\Profiles\c9x8tr4l.default\extensions\toolbar@ask.com
[2008.05.27 01:35:00 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\mozilla\Sunbird\Profiles\iope8wpx.default\extensions
[2009.04.22 20:38:14 | 000,000,950 | ---- | M] () -- C:\Users\Name\AppData\Roaming\Mozilla\FireFox\Profiles\c9x8tr4l.default\searchplugins\icqplugin-1.xml
[2009.03.08 15:53:15 | 000,000,950 | ---- | M] () -- C:\Users\Name\AppData\Roaming\Mozilla\FireFox\Profiles\c9x8tr4l.default\searchplugins\icqplugin-2.xml
[2009.03.30 12:57:05 | 000,000,950 | ---- | M] () -- C:\Users\Name\AppData\Roaming\Mozilla\FireFox\Profiles\c9x8tr4l.default\searchplugins\icqplugin-3.xml
[2009.02.06 16:42:02 | 000,000,944 | ---- | M] () -- C:\Users\Name\AppData\Roaming\Mozilla\FireFox\Profiles\c9x8tr4l.default\searchplugins\icqplugin.xml
[2010.04.19 20:06:34 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2009.01.22 20:38:04 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2008.01.25 21:05:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
[2010.04.19 20:06:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008.12.07 21:00:46 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org
[2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.04.12 22:12:09 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.12 22:12:09 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.12 22:12:09 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.12 22:12:09 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.12 22:12:09 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BullGuard] C:\Program Files\BullGuard Software\BullGuard\bullguard.exe (BullGuard Software)
O4 - HKLM..\Run: [ Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSConfig] C:\Windows\System32\msconfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108723
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = [binary data]
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, Inc.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: fritz.box ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Desktop Hintergrund.bmp
O24 - Desktop BackupWallPaper: C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Desktop Hintergrund.bmp
O30 - LSA: Authentication Packages - (setuid) - C:\Windows\System32\setuid.dll (March-Hare Software Ltd)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009.07.02 13:27:43 | 000,000,074 | R--- | M] () - H:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{b7a7f589-b97c-11dc-9116-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{b7a7f589-b97c-11dc-9116-806e6f6e6963}\Shell\AutoRun\command - "" = H:\zdata\cobi.exe -- [2009.09.22 14:39:30 | 001,144,832 | R--- | M] (getanet.MEDIA)
O33 - MountPoints2\{d69a6a38-b8d8-11de-bc2a-001d9207f1d0}\Shell - "" = AutoRun
O33 - MountPoints2\{d69a6a38-b8d8-11de-bc2a-001d9207f1d0}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.05.20 01:02:07 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\Name\Desktop\OTL.exe
[2010.05.19 22:49:55 | 000,000,000 | ---D | C] -- C:\Users\Name\AppData\Roaming\Malwarebytes
[2010.05.19 22:49:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.05.19 22:49:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.05.19 22:49:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.05.19 22:49:22 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.05.19 19:56:59 | 000,604,416 | ---- | C] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe
[2010.05.19 19:56:57 | 000,028,928 | ---- | C] (TuneUp Software) -- C:\Windows\System32\uxtuneup.dll
[2010.05.19 19:56:56 | 000,017,152 | ---- | C] (TuneUp Software) -- C:\Windows\System32\authuitu.dll
[2010.05.19 19:56:54 | 000,361,216 | ---- | C] (TuneUp Software) -- C:\Windows\System32\TuneUpDefragService.exe
[2010.05.19 19:54:42 | 000,000,000 | ---D | C] -- C:\Programme\TuneUp Utilities 2009
[2010.05.19 19:05:02 | 000,000,000 | ---D | C] -- C:\Users\Name\Documents\Bewerbung
[2010.05.18 22:27:51 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010.05.05 17:22:56 | 000,000,000 | ---D | C] -- C:\Programme\iTunes
[2010.05.05 17:22:56 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010.05.05 17:19:25 | 000,000,000 | ---D | C] -- C:\Programme\QuickTime
[2010.05.05 17:15:09 | 000,000,000 | ---D | C] -- C:\Programme\Bonjour
[2010.04.27 20:20:23 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe

========== Files - Modified Within 30 Days ==========

[2010.05.20 02:00:07 | 000,000,522 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job
[2010.05.20 01:59:35 | 000,802,304 | ---- | M] () -- C:\Windows\System32\drivers\abfayyq.sys
[2010.05.20 01:59:01 | 002,883,584 | ---- | M] () -- C:\Users\Name\NTUSER.DAT
[2010.05.20 01:54:30 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\eabdska.sys
[2010.05.20 01:12:41 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.05.20 01:12:41 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.05.20 01:02:13 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Name\Desktop\OTL.exe
[2010.05.19 23:20:06 | 001,445,786 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.05.19 23:20:06 | 000,628,210 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.05.19 23:20:06 | 000,595,308 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.05.19 23:20:06 | 000,126,850 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.05.19 23:20:06 | 000,104,742 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.05.19 23:12:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.05.19 23:12:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.05.19 23:11:04 | 000,524,288 | -HS- | M] () -- C:\Users\Name\NTUSER.DAT{565c9e75-acd4-11de-b4bb-001d9207f1d0}.TMContainer00000000000000000001.regtrans-ms
[2010.05.19 23:11:04 | 000,065,536 | -HS- | M] () -- C:\Users\Name\NTUSER.DAT{565c9e75-acd4-11de-b4bb-001d9207f1d0}.TM.blf
[2010.05.19 23:11:02 | 003,924,319 | -H-- | M] () -- C:\Users\Name\AppData\Local\IconCache.db
[2010.05.19 22:49:38 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.05.19 22:29:32 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{EF8B46CB-B142-43D6-BF7C-49349D2E31F8}.job
[2010.05.19 19:56:59 | 000,604,416 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe
[2010.05.19 19:56:54 | 000,361,216 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TuneUpDefragService.exe
[2010.05.19 19:56:50 | 000,001,711 | ---- | M] () -- C:\Users\Public\Desktop\TuneUp 1-Klick-Wartung.lnk
[2010.05.19 19:56:49 | 000,001,627 | ---- | M] () -- C:\Users\Public\Desktop\TuneUp Utilities 2009.lnk
[2010.05.18 22:27:45 | 249,751,869 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010.05.11 17:26:59 | 000,018,472 | ---- | M] () -- C:\Users\Name\Documents\Anschreiben-DocuWare.odt
[2010.05.11 16:40:48 | 000,057,939 | ---- | M] () -- C:\Users\Name\Documents\Anschreiben-DocuWare.pdf
[2010.05.11 13:40:06 | 000,014,336 | ---- | M] () -- C:\Users\Name\Documents\3-computer_informationstechnologie-bXeuFsB.doc
[2010.05.11 13:40:04 | 000,015,872 | ---- | M] () -- C:\Users\Name\Documents\3-computer_informationstechnologie-Lsf4N90.doc
[2010.05.06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010.05.05 17:23:47 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010.05.05 17:19:45 | 000,001,730 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.04.29 12:19:14 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.04.20 19:58:24 | 000,055,601 | ---- | M] () -- C:\Users\Name\Documents\ARGE.pdf
[2010.04.20 19:57:59 | 000,018,265 | ---- | M] () -- C:\Users\Name\Documents\ARGE.odt

========== Files Created - No Company Name ==========

[2010.05.20 01:54:30 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\eabdska.sys
[2010.05.19 22:49:38 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.05.19 19:58:00 | 000,000,522 | ---- | C] () -- C:\Windows\tasks\1-Klick-Wartung.job
[2010.05.19 19:55:39 | 000,001,711 | ---- | C] () -- C:\Users\Public\Desktop\TuneUp 1-Klick-Wartung.lnk
[2010.05.19 19:55:39 | 000,001,627 | ---- | C] () -- C:\Users\Public\Desktop\TuneUp Utilities 2009.lnk
[2010.05.18 22:27:45 | 249,751,869 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010.05.11 16:40:46 | 000,057,939 | ---- | C] () -- C:\Users\Name\Documents\Anschreiben-DocuWare.pdf
[2010.05.11 13:40:06 | 000,014,336 | ---- | C] () -- C:\Users\Name\Documents\3-computer_informationstechnologie-bXeuFsB.doc
[2010.05.11 13:39:57 | 000,015,872 | ---- | C] () -- C:\Users\Name\Documents\3-computer_informationstechnologie-Lsf4N90.doc
[2010.05.11 13:29:22 | 000,018,472 | ---- | C] () -- C:\Users\Name\Documents\Anschreiben-DocuWare.odt
[2010.05.05 17:23:47 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010.05.05 17:19:45 | 000,001,730 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010.04.20 19:58:05 | 000,055,601 | ---- | C] () -- C:\Users\Name\Documents\ARGE.pdf
[2010.04.20 19:57:23 | 000,018,265 | ---- | C] () -- C:\Users\Name\Documents\ARGE.odt
[2009.12.28 03:22:20 | 000,802,304 | ---- | C] () -- C:\Windows\System32\drivers\abfayyq.sys
[2009.10.20 16:48:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008.10.21 11:24:29 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2008.10.21 11:24:29 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2008.10.21 11:24:29 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2008.10.21 11:17:29 | 000,000,239 | ---- | C] () -- C:\Windows\SIERRA.INI
[2008.09.21 13:10:27 | 000,015,873 | ---- | C] () -- C:\Windows\System32\Inetde.dll
[2008.08.17 21:29:03 | 000,000,025 | ---- | C] () -- C:\Windows\gsview32.ini
[2008.07.23 18:50:52 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008.07.23 18:47:34 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008.07.23 18:47:34 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest
[2008.07.23 18:46:38 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008.06.29 12:56:08 | 000,000,292 | ---- | C] () -- C:\Windows\vtmb.ini
[2007.08.15 13:41:49 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[1997.06.14 02:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll

< End of report >

Code:
OTL Extras logfile created on: 20.05.2010 01:56:09 - Run 1
OTL by OldTimer - Version 3.2.5.0     Folder = C:\Users\Name\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 50,00% Memory free
6,00 Gb Paging File | 4,00 Gb Available in Paging File | 74,00% Paging File free
Paging file location(s): c:\pagefile.sys 3072 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 212,87 Gb Total Space | 55,90 Gb Free Space | 26,26% Space Free | Partition Type: NTFS
Drive D: | 20,00 Gb Total Space | 15,60 Gb Free Space | 78,01% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 624,09 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: Name-PC
Current User Name: Name
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft) Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft) Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2612312902-146071279-4069502417-1002] "EnableNotifications" = 1 "EnableNotificationsRef" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports 
Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0B206D64-E47F-40DA-9572-D5788E33919C}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{110DFFB5-732B-4ED9-912A-F4E9C971CA9A}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{12768A06-6180-48F2-A798-3EFABCBC80A8}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{12818E46-4C8C-4B97-82F3-FD090E35BA48}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | "{4DA47720-3D49-4DC3-A386-8F021CF3F583}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{52330406-B769-4591-B2E5-7700588FE2BA}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{65B8CB98-A69E-44E5-BC5B-985197A75A4B}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | "{679000D3-E8BF-48AC-B597-71F897C337E7}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{69AA453A-355E-410E-AB4C-2AA9EFB90677}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{7B1868B2-F976-4DA9-80C2-7FEE82022275}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | "{835BFADA-1FF8-4C8E-85BA-B1E09CA841F0}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{A582C95F-C687-4564-94DE-8EBD76B6AAD3}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | "{AEB3D7BC-B02E-40BC-A297-EFD9A82AC0B0}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | "{B174FCE4-1BBA-4AB9-8F0A-5D9169262BED}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{B2183FB8-BBAD-4548-95E6-843B0B4899DC}" 
= lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | "{B28A899E-B100-4C35-851C-378066B63AAC}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | "{EEF3FEFA-E036-467C-86DC-3A0D46CFAFF0}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | "{FD11B3AE-1A16-465F-9EB8-8C85409F8824}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{01BA9B81-1303-4EF4-A8DC-3BF34311429C}" = protocol=17 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword_pitboss.exe | "{03368E0C-0DB5-4ECE-8F31-396826A18856}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | "{0831593D-5392-4E0C-9203-BED9E1EC1F01}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{0C95FA45-67C8-42EC-B27C-4A7D40CBFA58}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{15DA33F5-FB0E-4251-9F35-550374588CA7}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{1AB7356A-A3BF-47E1-A990-5C3BBE8B709D}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{1EC80399-C0D6-4A82-A6B2-7871339E650F}" = protocol=6 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords.exe | "{20F0B6B6-1369-40B5-854F-E383B4D8B914}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{2E8E7920-6489-4C7F-8A11-9935517A8372}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{3CD6086C-A53A-4AC3-B526-D29E8A1EE40E}" = protocol=6 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe | 
"{45ED55FE-3848-49F3-85BE-A349B919BD83}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{46195351-5249-4DD3-9239-F5288F6FFA90}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{4C2B40A0-EFEE-4057-8193-0357C1491B79}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | "{4DE9BF40-3F0B-457E-8973-870B6A125F1F}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{65F2A2FB-22F2-43A1-8A19-240691C29BF9}" = protocol=6 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords_pitboss.exe | "{688DA2AF-495F-429A-9DEE-8D8A30844A83}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{6ECEBE89-4233-4948-A23C-6CA3332CCD88}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{83AE9D15-D924-49FB-846D-F3782617A5A5}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{8851DF65-6185-486A-9BB4-ACBFBA15BEB4}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{88966398-87E5-4BC6-9CC3-1881ABD6999D}" = protocol=17 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords.exe | "{8CF7DC18-FEB1-42C7-8579-E7012C142792}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{978173D6-1E2A-48C6-9A06-B6E677070E21}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{9A853882-5D75-476F-8A20-171CF5A61B87}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | "{A2F559AF-417E-451F-80F8-B194B245E08D}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{B2A0C592-F1C4-4929-8181-A87F8D2CDAC3}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{B37D0607-C34E-4FE4-ADC0-47389018E55F}" = protocol=17 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords_pitboss.exe | "{B69FEBA3-96B0-411B-A144-52119E8B744A}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | "{CBC1670C-C202-4320-8161-3780CB619B85}" = protocol=17 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword.exe | "{D10C1609-2E13-4952-B4E5-3D99D8F5A14C}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | "{D22D03F5-B722-4132-8BDF-D79494CC59EE}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{DBC46957-5EF6-47F0-9610-066241B97CE8}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{E3752D61-8C61-4C87-A412-9298C92B6A6E}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{E659B73D-A85D-4222-BE44-6DF3A5863352}" = protocol=6 | dir=in | app=c:\program files\firaxis games\sid meier's civilization 4\beyond the sword\civ4beyondsword_pitboss.exe | "{EBFF43D8-643A-49FF-ABB1-0083AE5FA56D}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{F7F6A81B-BAD9-49DC-995A-2119E1F1BE46}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "TCP Query User{05D488FC-1470-4464-AD60-943BE00F0266}C:\program files\cvsnt\workspaceviewer.exe" = protocol=6 | dir=in | app=c:\program files\cvsnt\workspaceviewer.exe | "TCP Query User{1428AFC1-FC0F-402E-B8E0-1F2B88D48212}C:\program files\java\jdk1.6.0\jre\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jdk1.6.0\jre\bin\java.exe | "TCP Query User{432FFE16-EE9C-4C65-943C-0D7B8E4ACDB6}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | "TCP Query 
User{8FD6F43E-9AE8-4E43-99DB-FB9B7206EC9B}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | "TCP Query User{9A31BD99-FEBE-4C9A-8E1E-09266D23C116}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{046E1ADE-E51C-480A-B286-F3C441BA6E99}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | "UDP Query User{68ACF34E-54A6-457D-B2E0-53AA1B83C490}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | "UDP Query User{B4083DD4-44F7-4D25-A26B-374B8B98019A}C:\program files\cvsnt\workspaceviewer.exe" = protocol=17 | dir=in | app=c:\program files\cvsnt\workspaceviewer.exe | "UDP Query User{C25C1502-7D37-4CCF-AF6D-4F03594275A2}C:\program files\java\jdk1.6.0\jre\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jdk1.6.0\jre\bin\java.exe | "UDP Query User{E887EA17-2D74-4512-AD89-1C4F5FE89FDA}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up "{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0 "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 20 "{27FDF949-69CE-435A-8372-339F72336AC5}" = MEDIONbox "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime "{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6 "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3 "{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4 "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = 
Java(TM) 6 Update 5 "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7 "{32A3A4F4-B792-11D6-A78A-00B0D0160000}" = Java(TM) SE Development Kit 6 "{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword "{342126E1-173C-4585-BFBE-3EBDD20E3E9E}" = Mobipocket Reader 6.2 "{378BA9B5-DB6C-41DB-BE93-86CD198A8A9E}" = Guild 2 King's Edition "{3E4B349F-10B5-4586-9D99-489A90A8B228}" = Sid Meier's Civilization 4 - Warlords "{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}" = ATI Catalyst Install Manager "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support "{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009 "{5CFEB311-219C-27B2-7439-6A1D509CD819}" = Catalyst Control Center Core Implementation "{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5 "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{710C1A1B-D0FC-28F1-7FC0-17C16541FEE0}" = Catalyst Control Center Graphics Full New "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec "{7BD0D8F8-A13C-48D2-B201-4AD29A48AF34}" = Google SketchUp 7 "{7C480BB2-42A9-40C6-AA5F-7AA20FC7C7F3}" = CVSNT 2.5.03.2382 "{7DB1F93E-A510-91AB-F2BC-1842D1C9191A}" = Catalyst Control Center Graphics Light "{81AB1374-098A-43CB-BE57-31CEB5EB1031}" = Nero 7 Essentials "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar "{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player "{8B4453AF-C0F7-C9FC-9EB2-4E937ABFF70A}" = CCC Help German "{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile-Gerätecenter "{99E862CC-6F69-4D39-99AA-DBF71BF3B585}" = OpenOffice.org 3.1 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support 
"{AC76BA86-7AD7-1031-7B44-A81300000003}" = Adobe Reader 8.1.3 - Deutsch "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8 "{ACDE0B56-269E-3076-02BD-506BF816E40E}" = Catalyst Control Center Graphics Full Existing "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter "{B3276CB1-20B6-4AF9-AAEC-E72C83816495}" = IKEA Home Planner "{B6C2569C-E2AA-4AB9-8C26-AC2487A2BFFC}" = Sid Meier's Civilization 4 "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player "{BCEE61A2-D111-21D0-A8F1-5D85AC88B905}" = ccc-core-static "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4 "{D4824F2A-1088-7628-40A6-F9D6993027E8}" = Skins "{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1 "{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update "{E7D01DFA-42ED-9A41-FDFB-5033A5324A45}" = Catalyst Control Center Graphics Previews Vista "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F9A6EB9F-41C3-BAAF-135F-BE811F379B71}" = ccc-utility "{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone-Konfigurationsprogramm "{FECEAE9B-35EA-B495-D70C-29E1965359E7}" = Catalyst Control Center Localization German "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player Plugin "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "AVMFBox" = AVM FRITZ!Box Dokumentation "AVMFBoxPrinter" = AVM FRITZ!Box Druckeranschluss "BullGuard" = BullGuard 7.0 for Vista "Diagram Designer" = Diagram Designer "Drakensang_is1" = Drakensang "Free YouTube Download_is1" = Free YouTube Download 2.3 "Free YouTube to iPod Converter_is1" = Free YouTube to iPod Converter version 3.1 "Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.1 "Malwarebytes' Anti-Malware_is1" = 
Malwarebytes' Anti-Malware "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "MiKTeX 2.7" = MiKTeX 2.7 "Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3) "Mozilla Sunbird (0.8)" = Mozilla Sunbird (0.8) "Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24) "nbi-glassfish-2.0.0.58.20070907" = GlassFish V2 "nbi-nb-base-6.0.0.0.200711261600" = NetBeans IDE 6.0 "ProtectDisc Driver 11" = ProtectDisc Driver, Version 11 "RollerCoaster Tycoon Setup" = Roll "SupernaturalScreensaver" = SupernaturalScreensaver "Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2 "TeXnicCenter Alpha_is1" = TeXnicCenter Version 2.0 Alpha 2 "TeXnicCenter_is1" = TeXnicCenter Version 1 Beta 7.50 "Uninstall_is1" = Uninstall 1.0.0.1 "VLC media player" = VideoLAN VLC media player 0.8.6d "Winamp" = Winamp "Windows Mobile Device Handbook" = Windows Mobile-Ressourcen "WinRAR archiver" = WinRAR "World of Warcraft" = World of Warcraft ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 04.11.2009 06:04:42 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 04.11.2009 12:33:46 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 04.11.2009 12:33:46 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 04.11.2009 12:57:44 | Computer Name = Name-PC | Source = EventSystem | ID = 4621 Description = Error - 04.11.2009 15:05:41 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 04.11.2009 15:05:41 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 05.11.2009 06:41:37 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 05.11.2009 
06:41:37 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 05.11.2009 12:35:51 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 05.11.2009 12:35:51 | Computer Name = Name-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = [ System Events ] Error - 11.02.2010 18:04:38 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7009 Description = Error - 11.02.2010 18:04:38 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7000 Description = Error - 15.02.2010 18:27:47 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7031 Description = Error - 27.04.2010 14:18:11 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7022 Description = Error - 05.05.2010 11:15:23 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7031 Description = Error - 05.05.2010 11:16:23 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7032 Description = Error - 05.05.2010 11:16:39 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7031 Description = Error - 18.05.2010 16:27:52 | Computer Name = Name-PC | Source = EventLog | ID = 6008 Description = Das System wurde zuvor am 18.05.2010 um 22:26:10 unerwartet heruntergefahren. 
Error - 19.05.2010 13:55:53 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7000 Description = Error - 19.05.2010 13:56:59 | Computer Name = Name-PC | Source = Service Control Manager | ID = 7000 Description = [ TuneUp Events ] Error - 24.09.2009 20:13:44 | Computer Name = Name-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-09-25 02:13:44', '\device\harddiskvolume1\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords.exe','4460',0) Error - 26.10.2009 18:39:16 | Computer Name = Name-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-10-26 23:39:16', '\device\harddiskvolume1\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords.exe','3860',0) Error - 08.12.2009 15:44:35 | Computer Name = Name-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "s": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-12-08 20:44:35', '\device\harddiskvolume1\program files\firaxis games\sid meier's civilization 4\warlords\civ4warlords.exe','1548',0) Error - 19.05.2010 16:49:47 | Computer Name = Name-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-05-19 22:49:47', '\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbam.exe','4052',0) Error - 19.05.2010 16:50:23 | Computer Name = Name-PC | Source = TuneUp Program Statistics | ID = 131840 Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-05-19 22:50:23', 
'\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbam.exe','3196',0) < End of report > |
20.05.2010, 07:07 | #2
/// Helper Team | Trojan PWS:Win32/Daurso.A -- persistent and resistant

Hello and welcome!

For your information: after a heavy infestation, e.g. with a backdoor and a rootkit, it is not 100% possible to rid a computer of malware. The pests leave characteristic traces at their "crime scene", and tracking them down completely is not possible. It is therefore advisable to reinstall the heavily compromised system from scratch, restoring it to its delivery state.

If you decide on a thorough cleaning of your system, here is how it continues:
- Please read the instructions carefully and always follow them strictly, as I have prepared the order according to certain criteria:

1. Download HijackThis *from here*. Start HijackThis → click "Do a system scan and save a logfile" → "select" the logfile you get → "copy" → "paste" it here in your thread (right mouse button).

2. Please make hidden and system files visible; click this link: Make system files and folders visible under XP and Vista. At the end of our work you can undo it again!

3. → Download HJTscanlist.zip → unpack the file onto your desktop → On Windows XP Home you must additionally install tasklist.zip before the scan → start it with a double-click → choose your operating system - Vista → When you are asked, choose the option "Einstellung (1) - scanlist" → After a short time your editor should open and present the file hjtscanlist.txt → Please copy the contents here into your thread.

4. I would also like to see all your installed programs: download the tool CCleaner, install it (deselect "Add CCleaner Yahoo! Toolbar") → start it → under Options → Settings select "german" → then click "Extra" (to also display the installed programs) → continue with "Save as text file..."; a text file (*.txt) is created, copy its contents and paste them here.

5. To get a deeper look into your system and to track down a possible infection with a rootkit (info from wikipedia.org), we will use a tool - Gmer:
** no connection to a network or the internet - don't forget WLAN
When the scan is finished, please re-enable all programs and tools!

6. Download and install the tool RootRepeal

So that your thread stays clear and nicely readable, it is best to use code tags for your post:
→ before your log you write: [code]
your logfile goes here
→ after it: [/code]

** If possible, do not go online, no online banking, file sharing, chat programs, etc.

Regards, Coverflow

Edited by kira (20.05.2010 at 07:20)
09.06.2010, 22:52 | #3
Trojan PWS:Win32/Daurso.A -- persistent and resistant

Hello everyone,

I have been on holiday since my last post. I still hope that someone is reading this thread and can help me. Because as soon as I boot my PC, all the alarm bells go off again, the CPU screams at 98% and Malwarebytes finds something ....

Malwarebytes Anti-Malware
Code:
ATTFilter Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4118

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

09.06.2010 23:46:00
mbam-log-2010-06-09 (23-46-00).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 117283
Laufzeit: 7 Minute(n), 10 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\system32\Drivers\abfayyq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Code:
ATTFilter HiJackthis Logfile: Code:
ATTFilter hjtscanlist v2.0
Microsoft Windows [Version 6.0.6002]
C:\Windows\system32\msvfw32.dll --------- 123904 04.12.2009 20:28 C:\Windows\system32\msrle32.dll --------- 13312 04.12.2009 20:28 C:\Windows\system32\mciavi32.dll --------- 82944 04.12.2009 20:28 C:\Windows\system32\iyuv_32.dll --------- 50176 04.12.2009 20:27 C:\Windows\system32\avifil32.dll --------- 91136 04.12.2009 09:19 C:\Windows\system32\jscript.dll --------- 726528 28.10.2009 15:57 C:\Windows\system32\wbem --------- 61440 28.10.2009 15:56 C:\Windows\system32\pt-BR --------- 4096 28.10.2009 15:56 C:\Windows\system32\bg-BG --------- 4096 28.10.2009 15:56 C:\Windows\system32\it-IT --------- 4096 28.10.2009 15:56 C:\Windows\system32\pt-PT --------- 4096 28.10.2009 15:56 C:\Windows\system32\he-IL --------- 4096 28.10.2009 15:56 C:\Windows\system32\pl-PL --------- 4096 28.10.2009 15:56 C:\Windows\system32\uk-UA --------- 4096 28.10.2009 15:56 C:\Windows\system32\hr-HR --------- 4096 28.10.2009 15:56 C:\Windows\system32\ko-KR --------- 4096 28.10.2009 15:56 C:\Windows\system32\hu-HU --------- 4096 28.10.2009 15:56 C:\Windows\system32\zh-HK --------- 4096 28.10.2009 15:56 C:\Windows\system32\sl-SI --------- 4096 28.10.2009 15:56 C:\Windows\system32\nl-NL --------- 4096 28.10.2009 15:56 C:\Windows\system32\fr-FR --------- 4096 28.10.2009 15:56 C:\Windows\system32\el-GR --------- 4096 28.10.2009 15:56 C:\Windows\system32\sr-Latn-CS --------- 4096 28.10.2009 15:56 C:\Windows\system32\fi-FI --------- 4096 28.10.2009 15:56 C:\Windows\system32\tr-TR --------- 4096 28.10.2009 15:56 C:\Windows\system32\th-TH --------- 4096 28.10.2009 15:56 C:\Windows\system32\sv-SE --------- 4096 28.10.2009 15:56 C:\Windows\system32\es-ES --------- 4096 28.10.2009 15:56 C:\Windows\system32\lv-LV --------- 4096 28.10.2009 15:56 C:\Windows\system32\lt-LT --------- 4096 28.10.2009 15:56 C:\Windows\system32\zh-TW --------- 4096 28.10.2009 15:56 C:\Windows\system32\sk-SK --------- 4096 28.10.2009 15:56 C:\Windows\system32\et-EE --------- 4096 ---------------------------------------- 
C:\Windows\Prefetch ---------------------------------------- C:\Windows\Tasks 09.06.2010 22:00 C:\Windows\Tasks\1-Klick-Wartung.job --------- 522 09.06.2010 16:38 C:\Windows\Tasks\SA.DAT --------- 6 09.06.2010 13:11 C:\Windows\Tasks\SCHEDLGU.TXT --------- 32530 08.06.2010 23:02 C:\Windows\Tasks\User_Feed_Synchronization-{EF8B46CB-B142-43D6-BF7C-49349D2E31F8}.job --------- 420 ---------------------------------------- C:\Windows\Temp 09.06.2010 22:50 C:\Windows\Temp\tmp00003b13 --------- 4096 09.06.2010 16:59 C:\Windows\Temp\MpCmdRun.log --------- 88168 09.06.2010 16:39 C:\Windows\Temp\JETED98.tmp --------- 0 09.06.2010 12:59 C:\Windows\Temp\JET157.tmp --------- 0 09.06.2010 12:30 C:\Windows\Temp\JET14F6.tmp --------- 0 08.06.2010 16:27 C:\Windows\Temp\MpSigStub.log --------- 223916 08.06.2010 16:02 C:\Windows\Temp\JETE484.tmp --------- 0 07.06.2010 22:16 C:\Windows\Temp\JET8E5.tmp --------- 0 07.06.2010 12:32 C:\Windows\Temp\JET111F.tmp --------- 0 06.06.2010 13:16 C:\Windows\Temp\JETF333.tmp --------- 0 05.06.2010 18:37 C:\Windows\Temp\JETD39.tmp --------- 0 05.06.2010 12:56 C:\Windows\Temp\JETEA3E.tmp --------- 0 03.06.2010 14:59 C:\Windows\Temp\JETA2D.tmp --------- 0 02.06.2010 22:34 C:\Windows\Temp\JET12C4.tmp --------- 0 02.06.2010 22:10 C:\Windows\Temp\Cookies --------- 0 02.06.2010 22:08 C:\Windows\Temp\JET1A62.tmp --------- 0 02.06.2010 20:13 C:\Windows\Temp\JET2922.tmp --------- 0 02.06.2010 15:23 C:\Windows\Temp\JET3062.tmp --------- 0 01.06.2010 19:55 C:\Windows\Temp\JET1DCC.tmp --------- 0 01.06.2010 13:51 C:\Windows\Temp\JET191B.tmp --------- 0 31.05.2010 20:29 C:\Windows\Temp\JETE407.tmp --------- 0 31.05.2010 16:26 C:\Windows\Temp\JET19E6.tmp --------- 0 31.05.2010 13:48 C:\Windows\Temp\JET10C2.tmp --------- 0 30.05.2010 20:47 C:\Windows\Temp\JET1370.tmp --------- 0 30.05.2010 13:19 C:\Windows\Temp\JET2136.tmp --------- 0 19.05.2010 20:11 C:\Windows\Temp\History --------- 0 12.09.2009 20:24 C:\Windows\Temp\Temporary Internet Files --------- 0 
---------------------------------------- C:\Users\Lynaya\AppData\Local\Temp 09.06.2010 22:40 C:\Users\Lynaya\AppData\Local\Temp\Lynaya.bmp --------- 31832 09.06.2010 20:45 C:\Users\Lynaya\AppData\Local\Temp\plugtmp-3 --------- 0 09.06.2010 20:28 C:\Users\Lynaya\AppData\Local\Temp\2010-07-01-Vertrag-Fischer.pdf --------- 49621 09.06.2010 16:44 C:\Users\Lynaya\AppData\Local\Temp\WPDNSE --------- 0 08.06.2010 22:07 C:\Users\Lynaya\AppData\Local\Temp\wmplog05.sqm --------- 1604 08.06.2010 22:07 C:\Users\Lynaya\AppData\Local\Temp\wmplog04.sqm --------- 1604 07.06.2010 12:46 C:\Users\Lynaya\AppData\Local\Temp\hsperfdata_Lynaya --------- 0 07.06.2010 12:46 C:\Users\Lynaya\AppData\Local\Temp\AUCHECK_CORE.txt --------- 604 07.06.2010 12:46 C:\Users\Lynaya\AppData\Local\Temp\AUCHECK_PARSER.txt --------- 148 07.06.2010 12:46 C:\Users\Lynaya\AppData\Local\Temp\jusched.log --------- 2909 06.06.2010 16:57 C:\Users\Lynaya\AppData\Local\Temp\wmplog03.sqm --------- 1672 06.06.2010 16:43 C:\Users\Lynaya\AppData\Local\Temp\wmplog02.sqm --------- 1672 06.06.2010 00:49 C:\Users\Lynaya\AppData\Local\Temp\plugtmp --------- 0 02.06.2010 22:08 C:\Users\Lynaya\AppData\Local\Temp\wmplog01.sqm --------- 1780 02.06.2010 17:40 C:\Users\Lynaya\AppData\Local\Temp\jar_cache7824811363310327817.tmp --------- 22517 02.06.2010 17:40 C:\Users\Lynaya\AppData\Local\Temp\jar_cache4871130782545434463.tmp --------- 48381 02.06.2010 17:40 C:\Users\Lynaya\AppData\Local\Temp\jar_cache2910634618995902652.tmp --------- 30434 02.06.2010 17:40 C:\Users\Lynaya\AppData\Local\Temp\jar_cache8938047610762045726.tmp --------- 7209 02.06.2010 17:40 C:\Users\Lynaya\AppData\Local\Temp\jar_cache3796662114438646263.tmp --------- 23116 01.06.2010 19:55 C:\Users\Lynaya\AppData\Local\Temp\wmplog00.sqm --------- 1516 01.06.2010 00:21 C:\Users\Lynaya\AppData\Local\Temp\plugtmp-2 --------- 0 31.05.2010 20:31 C:\Users\Lynaya\AppData\Local\Temp\wmsetup.log --------- 406 30.05.2010 19:47 C:\Users\Lynaya\AppData\Local\Temp\plugtmp-1 
--------- 0 07.09.2008 12:27 C:\Users\Lynaya\AppData\Local\Temp\nsr8853.tmp --------- 8192 19.03.2008 13:56 C:\Users\Lynaya\AppData\Local\Temp\Temporary Internet Files --------- 0 ---------------------------------------- C:\Program Files 09.06.2010 22:42 C:\Program Files\Trend Micro --------- 0 02.06.2010 22:32 C:\Program Files\Malwarebytes' Anti-Malware --------- 4096 02.06.2010 22:12 C:\Program Files\DVDVideoSoft --------- 4096 20.05.2010 13:41 C:\Program Files\Google --------- 4096 19.05.2010 19:56 C:\Program Files\TuneUp Utilities 2009 --------- 49152 17.05.2010 20:00 C:\Program Files\Windows Mail --------- 4096 05.05.2010 17:23 C:\Program Files\iTunes --------- 4096 05.05.2010 17:23 C:\Program Files\iPod --------- 0 05.05.2010 17:19 C:\Program Files\QuickTime --------- 4096 05.05.2010 17:15 C:\Program Files\Bonjour --------- 4096 19.04.2010 20:06 C:\Program Files\Java --------- 4096 12.04.2010 22:12 C:\Program Files\Mozilla Firefox --------- 32768 10.04.2010 20:22 C:\Program Files\IKEA HomePlanner --------- 4096 09.04.2010 20:16 C:\Program Files\Internet Explorer --------- 4096 17.03.2010 21:43 C:\Program Files\Mozilla Thunderbird --------- 28672 12.03.2010 00:36 C:\Program Files\Movie Maker --------- 4096 27.02.2010 22:08 C:\Program Files\JRE --------- 0 27.02.2010 22:08 C:\Program Files\OpenOffice.org 3 --------- 4096 27.02.2010 22:07 C:\Program Files\OpenOffice.org 2.4 --------- 0 20.02.2010 15:03 C:\Program Files\TeXnicCenter Alpha --------- 8192 28.12.2009 23:19 C:\Program Files\InstallShield Installation Information --------- 8192 13.12.2009 21:51 C:\Program Files\ProtectDisc Driver Installer --------- 0 13.12.2009 21:48 C:\Program Files\Drakensang --------- 4096 28.10.2009 15:57 C:\Program Files\Windows Portable Devices --------- 0 28.10.2009 15:37 C:\Program Files\Windows Media Player --------- 4096 26.10.2009 23:04 C:\Program Files\Windows Calendar --------- 0 26.10.2009 23:04 C:\Program Files\Windows Sidebar --------- 4096 26.10.2009 23:04 C:\Program 
Files\Windows Collaboration --------- 4096 26.10.2009 23:04 C:\Program Files\Windows Journal --------- 4096 26.10.2009 23:04 C:\Program Files\Windows Photo Gallery --------- 4096 26.10.2009 23:04 C:\Program Files\Windows Defender --------- 4096 19.09.2009 14:53 C:\Program Files\desktop.ini --------- 174 18.09.2009 11:45 C:\Program Files\iPhone-Konfigurationsprogramm --------- 8192 13.09.2009 16:55 C:\Program Files\Windows Installer Clean Up --------- 0 13.09.2009 16:54 C:\Program Files\MSECACHE --------- 0 01.09.2009 15:30 C:\Program Files\Common Files --------- 4096 01.09.2009 14:29 C:\Program Files\GoogleEULA --------- 0 25.08.2009 14:50 C:\Program Files\Adobe --------- 0 18.07.2009 23:15 C:\Program Files\JoWood --------- 0 18.07.2009 23:03 C:\Program Files\Die Gilde --------- 0 01.07.2009 19:02 C:\Program Files\Avira --------- 0 27.05.2009 22:38 C:\Program Files\Skype --------- 0 31.03.2009 14:49 C:\Program Files\Mobipocket.com --------- 0 20.03.2009 00:16 C:\Program Files\Windows Mobile-Ressourcen --------- 0 04.02.2009 13:30 C:\Program Files\FRITZBoxPrint --------- 4096 04.02.2009 13:30 C:\Program Files\FRITZBox --------- 4096 22.01.2009 20:38 C:\Program Files\ICQ6.5 --------- 12288 22.01.2009 20:38 C:\Program Files\ICQ6Toolbar --------- 0 22.01.2009 20:37 C:\Program Files\ICQ6 --------- 0 02.12.2008 13:05 C:\Program Files\TeXnicCenter --------- 4096 02.12.2008 12:53 C:\Program Files\MiKTeX 2.7 --------- 4096 16.10.2008 11:34 C:\Program Files\World of Warcraft --------- 0 04.10.2008 12:40 C:\Program Files\Apple Software Update --------- 4096 07.09.2008 01:30 C:\Program Files\DivX --------- 4096 07.09.2008 01:29 C:\Program Files\Mozilla Sunbird --------- 8192 05.09.2008 18:03 C:\Program Files\eclipse --------- 4096 29.06.2008 12:38 C:\Program Files\Activision --------- 0 03.06.2008 01:44 C:\Program Files\Hasbro Interactive --------- 0 20.05.2008 20:30 C:\Program Files\Microsoft Games --------- 4096 28.04.2008 19:44 C:\Program Files\WinRAR --------- 4096 
28.04.2008 01:02 C:\Program Files\WinEdt Team --------- 0 20.04.2008 20:30 C:\Program Files\CVSNT --------- 8192 09.04.2008 12:34 C:\Program Files\OpenOffice.org 2.3 --------- 0 04.03.2008 17:28 C:\Program Files\Winamp --------- 4096 16.02.2008 00:03 C:\Program Files\VideoLAN --------- 0 14.02.2008 18:52 C:\Program Files\MeeSoft --------- 0 25.01.2008 22:12 C:\Program Files\glassfish-v2 --------- 4096 25.01.2008 21:34 C:\Program Files\NetBeans 6.0 --------- 8192 12.01.2008 19:56 C:\Program Files\Firaxis Games --------- 0 04.01.2008 12:36 C:\Program Files\Teamspeak2_RC2 --------- 4096 03.01.2008 00:04 C:\Program Files\Gemeinsame Dateien --------- 0 03.01.2008 00:04 C:\Program Files\Windows NT --------- 4096 15.08.2007 14:25 C:\Program Files\Alice --------- 4096 15.08.2007 14:20 C:\Program Files\Medion --------- 0 15.08.2007 14:10 C:\Program Files\Realtek --------- 0 15.08.2007 14:03 C:\Program Files\ATI Technologies --------- 0 15.08.2007 14:03 C:\Program Files\ATI --------- 0 28.06.2007 16:58 C:\Program Files\BullGuard Software --------- 0 28.06.2007 16:16 C:\Program Files\MSXML 4.0 --------- 0 28.06.2007 16:06 C:\Program Files\Nero --------- 0 02.11.2006 15:01 C:\Program Files\Uninstall Information --------- 0 02.11.2006 14:37 C:\Program Files\Reference Assemblies --------- 0 02.11.2006 14:37 C:\Program Files\MSBuild --------- 0 ---------------------------------------- C:\ProgramData\.. Lynaya desktop.ini Public Administrator Default All Users Default User ---------------------------------------- C:\Windows\system32\drivers\etc\hosts 127.0.0.1 localhost ::1 localhost ---------------------------------------- Abbildname PID Sitzungsname Sitz.-Nr. 
Speichernutzung ========================= ======== ================ =========== =============== System Idle Process 0 Services 0 24 K System 4 Services 0 14.524 K smss.exe 524 Services 0 732 K csrss.exe 608 Services 0 5.140 K wininit.exe 648 Services 0 3.860 K csrss.exe 660 Console 1 9.564 K services.exe 692 Services 0 10.384 K lsass.exe 708 Services 0 1.800 K lsm.exe 716 Services 0 3.892 K winlogon.exe 800 Console 1 5.944 K svchost.exe 924 Services 0 6.432 K svchost.exe 1024 Services 0 6.348 K svchost.exe 1080 Services 0 53.620 K Ati2evxx.exe 1160 Services 0 4.140 K svchost.exe 1232 Services 0 12.880 K svchost.exe 1280 Services 0 84.960 K svchost.exe 1292 Services 0 30.200 K audiodg.exe 1436 Services 0 17.088 K svchost.exe 1456 Services 0 4.772 K SLsvc.exe 1472 Services 0 11.736 K svchost.exe 1520 Services 0 8.492 K svchost.exe 1632 Services 0 14.268 K Ati2evxx.exe 1724 Console 1 6.556 K sched.exe 1820 Services 0 1.448 K svchost.exe 1832 Services 0 17.192 K avguard.exe 2040 Services 0 13.360 K AppleMobileDeviceService. 
340 Services 0 3.816 K BullGuardUpdate.exe 392 Services 0 5.700 K svchost.exe 352 Services 0 75.668 K mDNSResponder.exe 540 Services 0 4.800 K ServiceController.exe 584 Services 0 14.056 K LSSrvc.exe 1404 Services 0 3.396 K svchost.exe 1544 Services 0 6.988 K TUProgSt.exe 828 Services 0 8.212 K svchost.exe 1652 Services 0 2.156 K SearchIndexer.exe 1844 Services 0 22.032 K GCS.exe 2076 Services 0 46.328 K WUDFHost.exe 2220 Services 0 5.164 K taskeng.exe 2432 Services 0 5.896 K svchost.exe 4004 Services 0 5.152 K svchost.exe 4040 Services 0 6.564 K dwm.exe 3664 Console 1 81.776 K explorer.exe 3692 Console 1 65.240 K taskeng.exe 3728 Console 1 11.640 K MSASCui.exe 3244 Console 1 11.872 K RtHDVCpl.exe 3504 Console 1 8.004 K wmdc.exe 4028 Console 1 5.584 K avgnt.exe 3780 Console 1 2.312 K sidebar.exe 3416 Console 1 33.020 K MOM.exe 3396 Console 1 4.000 K CCC.exe 3588 Console 1 11.492 K firefox.exe 3232 Console 1 189.400 K SearchProtocolHost.exe 3988 Services 0 8.784 K cmd.exe 3188 Console 1 2.864 K conime.exe 3380 Console 1 3.568 K SearchFilterHost.exe 3008 Services 0 5.336 K tasklist.exe 3200 Console 1 4.868 K WmiPrvSE.exe 596 Services 0 5.880 K ***** Ende des Scans 09.06.2010 um 22:50:49,73 *** CCleaner: Code:
Ja    HKCU:Run    Sidebar    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
Nein  HKCU:Run    ICQ    "C:\Program Files\ICQ6.5\ICQ.exe" silent
Nein  HKCU:Run    Skype    "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
Ja    HKLM:Run    Windows Defender    %ProgramFiles%\Windows Defender\MSASCui.exe -hide
Ja    HKLM:Run    RtHDVCpl    RtHDVCpl.exe
Ja    HKLM:Run    Windows Mobile Device Center    %windir%\WindowsMobile\wmdc.exe
Ja    HKLM:Run    avgnt    "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Ja    HKLM:Run    BullGuard    "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
Ja    HKLM:Run    MSConfig    "C:\Windows\System32\msconfig.exe" /auto
Ja    HKLM:Run    StartCCC    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
Ja    HKLM:Run    Skytel    Skytel.exe
Ja    HKLM:Run    Malwarebytes Anti-Malware (reboot)    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
Nein  HKLM:Run    QuickTime Task    "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Nein  HKLM:Run    toolbar_eula_launcher    C:\Program Files\GoogleEULA\EULALauncher.exe
Nein  HKLM:Run    WinampAgent    "C:\Program Files\Winamp\winampa.exe"
Nein  Startup User    OpenOffice.org 2.4.lnk    C:\PROGRA~1\OPENOF~1.4\program\QUICKS~1.EXE

GMER Logfile:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-06-09 23:30:40
Windows 6.0.6002 Service Pack 2
Running: io7wnz65.exe; Driver: C:\Users\Lynaya\AppData\Local\Temp\kwryrpow.sys

---- System - GMER 1.0.15 ----

SSDT  9C791AEC  ZwCreateThread
SSDT  9C791AD8  ZwOpenProcess
SSDT  9C791ADD  ZwOpenThread
SSDT  9C791AE7  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 221  844F4984 4 Bytes  [EC, 1A, 79, 9C] {IN AL, DX ; SBB BH, [ECX-0x64]}
.text  ntkrnlpa.exe!KeSetEvent + 3F1  844F4B54 4 Bytes  [D8, 1A, 79, 9C] {FCOMP DWORD [EDX]; JNS 0xffffffffffffffa0}
.text  ntkrnlpa.exe!KeSetEvent + 40D  844F4B70 4 Bytes  [DD, 1A, 79, 9C] {FSTP QWORD [EDX]; JNS 0xffffffffffffffa0}
.text  ntkrnlpa.exe!KeSetEvent + 621  844F4D84 4 Bytes  [E7, 1A, 79, 9C] {OUT 0x1a, EAX; JNS 0xffffffffffffffa0}
?      System32\Drivers\abfayyq.sys  Ein an das System angeschlossenes Gerät funktioniert nicht. !
!      .reloc  C:\Windows\system32\drivers\acedrv11.sys  section is executable [0x9E87D300, 0x25D4C, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

?  C:\Windows\System32\svchost.exe[4004]  image checksum mismatch; time/date stamp mismatch; unknown module: imagehlp.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation]  81EC8B55
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW]  000814EC
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW]  6A575300
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx]  FF335B04
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW]  6A575757
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW]  7D895701
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook]  F045C7F8
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange]  00004E20
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject]  FFFC5D89
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter]  40208015
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA]  F4458900
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter]  840FC73B
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount]  00000132
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId]  94358B56
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId]  53004020
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime]  51F04D8D
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!TerminateProcess]  FF50026A
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess]  458D53D6
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter]  066A50F0
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW]  FFF475FF
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess]  458D53D6
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode]  056A50F0
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap]  0C5D8BD6
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode]  3B04438B
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree]  4020C868
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte]  EC858D00
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree]  68FFFFF7
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle]  00000800
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc]  AC15FF50
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryA]  83004020
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange]  07EB10C4
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary]  F7EC85C6
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep]  5700FFFF
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress]  0C320068
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx]  8DFF6A8C
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW]  FFF7EC85
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError]  [75FF50FF] C:\Windows\system32\SHELL32.dll (Allgemeine Windows-Shell-DLL/Microsoft Corporation)
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx]  F475FF08
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW]  F08B0040
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW]  A9840FF7
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode]  1F75087B
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_adjust_fdiv]  FC458D57
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr]  EC458D50
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit]  00056850
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm]  FF562000
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit]  40208C15
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode]  74C08500
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit]  EC458B06
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy]  8D084389
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memset]  6850FC45
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type]  00000800
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ]  F7EC858D
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common]  5650FFFF
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp]  208815FF
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit]  4EEB0040
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs]  74FC7D39
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter]  04438B5E
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation]  FF565033
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor]  4020A815
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner]  89595900
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup]  74C73B03
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW]  047B8B37
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl]  03FC4D8B
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW]  ECB58DF8
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegDisablePredefinedCacheEx]  F3FFFFF7
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW]  00000800
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW]  F7EC858D
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegCloseKey]  FF50FFFF
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW]  15FFF875
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus]  [00402088] C:\Windows\System32\svchost.exe (Hostprozess für Windows-Dienste/Microsoft Corporation)
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken]  C085FF33
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid]  0874F73B
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap]  A415FF56
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid]  59004020
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid]  FF047B89
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid]  15FFF875
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap]  [00402084] C:\Windows\System32\svchost.exe (Hostprozess für Windows-Dienste/Microsoft Corporation)
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid]  FFF475FF
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader]  40208415
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical]  C0335E00
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter]  5FF87D39
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection]  5BC0950F
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen]  10EC83EC
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf]  8DDB3353
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen]  5350F845
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize]  53535353
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening]  02206853
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx]  206A0000
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf]  458D026A
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW]  5D8850F0
IAT  C:\Windows\System32\svchost.exe[4004] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status]  F15D88F0

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs       88A9B538
AttachedDevice  \FileSystem\Ntfs \Ntfs       BdFileSpy.sys
AttachedDevice  \FileSystem\fastfat \Fat     fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat     BdFileSpy.sys

---- Services - GMER 1.0.15 ----

Service  (*** hidden *** )  [BOOT] abfayyq  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet002\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet002\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet002\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet002\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet003\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet003\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet003\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet003\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet004\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet004\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet004\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet004\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet005\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet005\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet005\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet005\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet006\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet006\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet006\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet006\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet007\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet007\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet007\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet007\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet008\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet008\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet008\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet008\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet009\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet009\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet009\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet009\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet010\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet010\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet010\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet010\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet011\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet011\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet011\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet011\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet012\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet012\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet012\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet012\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet013\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet013\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet013\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet013\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet014\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet014\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet014\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet014\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet015\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet015\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet015\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet015\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet016\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet016\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet016\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet016\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet017\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet017\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet017\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet017\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet018\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet018\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet018\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet018\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet019\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet019\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet019\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet019\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet020\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet020\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet020\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet020\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet021\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet021\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet021\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet021\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet022\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet022\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet022\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet022\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet023\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet023\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet023\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet023\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet024\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet024\Services\abfayyq@Start  0
Reg  HKLM\SYSTEM\ControlSet024\Services\abfayyq@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet024\Services\abfayyq@Group  Boot Bus Extender
Reg  HKLM\SYSTEM\ControlSet025\Services\abfayyq@Type  1
Reg  HKLM\SYSTEM\ControlSet025\Services\abfayyq@Start  0
Reg
HKLM\SYSTEM\ControlSet025\Services\abfayyq@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet025\Services\abfayyq@Group Boot Bus Extender Reg HKLM\SYSTEM\ControlSet026\Services\abfayyq@Type 1 Reg HKLM\SYSTEM\ControlSet026\Services\abfayyq@Start 0 Reg HKLM\SYSTEM\ControlSet026\Services\abfayyq@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet026\Services\abfayyq@Group Boot Bus Extender Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!d!f!`!`!\24!t!s!t!t!r!d!r!s!\30! 19583823 ---- EOF - GMER 1.0.15 ---- |
09.06.2010, 22:53 | #4
Addendum (the post was longer than allowed ...). RootRepeal, drivers scan: Code:
ATTFilter ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2010/06/09 23:33 Program Version: Version 1.3.5.0 Windows Version: Windows Vista SP2 ================================================== Drivers ------------------- Name: abfayyq.sys Image Path: C:\Windows\System32\Drivers\abfayyq.sys Address: 0x80D13000 Size: 761856 File Visible: No Signed: - Status: - Name: acedrv11.sys Image Path: C:\Windows\system32\drivers\acedrv11.sys Address: 0x9E861000 Size: 270464 File Visible: - Signed: - Status: - Name: acpi.sys Image Path: C:\Windows\system32\drivers\acpi.sys Address: 0x80C95000 Size: 286720 File Visible: - Signed: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x84448000 Size: 3903488 File Visible: - Signed: - Status: - Name: afd.sys Image Path: C:\Windows\system32\drivers\afd.sys Address: 0x92801000 Size: 294912 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: C:\Windows\system32\drivers\atapi.sys Address: 0x80E7E000 Size: 32768 File Visible: - Signed: - Status: - Name: ataport.SYS Image Path: C:\Windows\system32\drivers\ataport.SYS Address: 0x80E86000 Size: 122880 File Visible: - Signed: - Status: - Name: atikmdag.sys Image Path: C:\Windows\system32\DRIVERS\atikmdag.sys Address: 0x90802000 Size: 7503872 File Visible: - Signed: - Status: - Name: avgio.sys Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys Address: 0x9296C000 Size: 6144 File Visible: - Signed: - Status: - Name: avgntflt.sys Image Path: C:\Windows\system32\DRIVERS\avgntflt.sys Address: 0x929EB000 Size: 81920 File Visible: - Signed: - Status: - Name: avipbb.sys Image Path: C:\Windows\system32\DRIVERS\avipbb.sys Address: 0x92950000 Size: 114688 File Visible: - Signed: - Status: - Name: bcmwl6.sys Image Path: C:\Windows\system32\DRIVERS\bcmwl6.sys Address: 0x84B7B000 Size: 479232 File Visible: - Signed: - Status: - Name: BdFileSpy.sys Image Path: C:\Windows\system32\drivers\BdFileSpy.sys Address: 0x915F3000 
Size: 44160 File Visible: - Signed: - Status: - Name: Beep.SYS Image Path: C:\Windows\System32\Drivers\Beep.SYS Address: 0x927C8000 Size: 28672 File Visible: - Signed: - Status: - Name: BOOTVID.dll Image Path: C:\Windows\system32\BOOTVID.dll Address: 0x80695000 Size: 32768 File Visible: - Signed: - Status: - Name: bowser.sys Image Path: C:\Windows\system32\DRIVERS\bowser.sys Address: 0x83927000 Size: 102400 File Visible: - Signed: - Status: - Name: cdd.dll Image Path: C:\Windows\System32\cdd.dll Address: 0x9BCE0000 Size: 57344 File Visible: - Signed: - Status: - Name: cdfs.sys Image Path: C:\Windows\system32\DRIVERS\cdfs.sys Address: 0x929AB000 Size: 90112 File Visible: - Signed: - Status: - Name: cdrom.sys Image Path: C:\Windows\system32\DRIVERS\cdrom.sys Address: 0x90FD7000 Size: 98304 File Visible: - Signed: - Status: - Name: CI.dll Image Path: C:\Windows\system32\CI.dll Address: 0x806DE000 Size: 917504 File Visible: - Signed: - Status: - Name: CLASSPNP.SYS Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS Address: 0x8C9B5000 Size: 135168 File Visible: - Signed: - Status: - Name: CLFS.SYS Image Path: C:\Windows\system32\CLFS.SYS Address: 0x8069D000 Size: 266240 File Visible: - Signed: - Status: - Name: crashdmp.sys Image Path: C:\Windows\System32\Drivers\crashdmp.sys Address: 0x929C1000 Size: 53248 File Visible: - Signed: - Status: - Name: crcdisk.sys Image Path: C:\Windows\system32\drivers\crcdisk.sys Address: 0x8C9D6000 Size: 36864 File Visible: - Signed: - Status: - Name: dfsc.sys Image Path: C:\Windows\System32\Drivers\dfsc.sys Address: 0x92939000 Size: 94208 File Visible: - Signed: - Status: - Name: disk.sys Image Path: C:\Windows\system32\drivers\disk.sys Address: 0x8C9A4000 Size: 69632 File Visible: - Signed: - Status: - Name: drmk.sys Image Path: C:\Windows\system32\drivers\drmk.sys Address: 0x915AA000 Size: 151552 File Visible: - Signed: - Status: - Name: dump_atapi.sys Image Path: C:\Windows\System32\Drivers\dump_atapi.sys Address: 0x929D9000 Size: 
32768 File Visible: No Signed: - Status: - Name: dump_dumpata.sys Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys Address: 0x929CE000 Size: 45056 File Visible: No Signed: - Status: - Name: Dxapi.sys Image Path: C:\Windows\System32\drivers\Dxapi.sys Address: 0x929E1000 Size: 40960 File Visible: - Signed: - Status: - Name: dxgkrnl.sys Image Path: C:\Windows\System32\drivers\dxgkrnl.sys Address: 0x90F2A000 Size: 659456 File Visible: - Signed: - Status: - Name: ecache.sys Image Path: C:\Windows\System32\drivers\ecache.sys Address: 0x8C97D000 Size: 159744 File Visible: - Signed: - Status: - Name: fastfat.SYS Image Path: C:\Windows\System32\Drivers\fastfat.SYS Address: 0x92983000 Size: 163840 File Visible: - Signed: - Status: - Name: fetnd5.sys Image Path: C:\Windows\system32\DRIVERS\fetnd5.sys Address: 0x84BF0000 Size: 45568 File Visible: - Signed: - Status: - Name: fileinfo.sys Image Path: C:\Windows\system32\drivers\fileinfo.sys Address: 0x80ED6000 Size: 65536 File Visible: - Signed: - Status: - Name: fltmgr.sys Image Path: C:\Windows\system32\drivers\fltmgr.sys Address: 0x80EA4000 Size: 204800 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS Address: 0x927B8000 Size: 36864 File Visible: - Signed: - Status: - Name: fwpkclnt.sys Image Path: C:\Windows\System32\drivers\fwpkclnt.sys Address: 0x8C6EA000 Size: 110592 File Visible: - Signed: - Status: - Name: GEARAspiWDM.sys Image Path: C:\Windows\System32\Drivers\GEARAspiWDM.sys Address: 0x90FEF000 Size: 21120 File Visible: - Signed: - Status: - Name: hal.dll Image Path: C:\Windows\system32\hal.dll Address: 0x84415000 Size: 208896 File Visible: - Signed: - Status: - Name: HDAudBus.sys Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys Address: 0x8C71D000 Size: 577536 File Visible: - Signed: - Status: - Name: HdAudio.sys Image Path: C:\Windows\system32\drivers\HdAudio.sys Address: 0x9153E000 Size: 258048 File Visible: - Signed: - Status: - Name: HIDCLASS.SYS 
Image Path: C:\Windows\system32\DRIVERS\HIDCLASS.SYS Address: 0x928B3000 Size: 65536 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: C:\Windows\system32\DRIVERS\HIDPARSE.SYS Address: 0x927D8000 Size: 28672 File Visible: - Signed: - Status: - Name: hidusb.sys Image Path: C:\Windows\system32\DRIVERS\hidusb.sys Address: 0x928AA000 Size: 36864 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\Windows\system32\drivers\HTTP.sys Address: 0xA8E06000 Size: 446464 File Visible: - Signed: - Status: - Name: i8042prt.sys Image Path: C:\Windows\system32\DRIVERS\i8042prt.sys Address: 0x80F89000 Size: 77824 File Visible: - Signed: - Status: - Name: intelppm.sys Image Path: C:\Windows\system32\DRIVERS\intelppm.sys Address: 0x8C70E000 Size: 61440 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys Address: 0x9146E000 Size: 45056 File Visible: - Signed: - Status: - Name: kbdhid.sys Image Path: C:\Windows\system32\DRIVERS\kbdhid.sys Address: 0x928EA000 Size: 36864 File Visible: - Signed: - Status: - Name: kdcom.dll Image Path: C:\Windows\system32\kdcom.dll Address: 0x8060D000 Size: 28672 File Visible: - Signed: - Status: - Name: ks.sys Image Path: C:\Windows\system32\DRIVERS\ks.sys Address: 0x9147B000 Size: 172032 File Visible: - Signed: - Status: - Name: ksecdd.sys Image Path: C:\Windows\System32\Drivers\ksecdd.sys Address: 0x80EE6000 Size: 462848 File Visible: - Signed: - Status: - Name: kwryrpow.sys Image Path: C:\Users\Lynaya\AppData\Local\Temp\kwryrpow.sys Address: 0xA8E83000 Size: 93056 File Visible: No Signed: - Status: - Name: lltdio.sys Image Path: C:\Windows\system32\DRIVERS\lltdio.sys Address: 0x838B3000 Size: 65536 File Visible: - Signed: - Status: - Name: luafv.sys Image Path: C:\Windows\system32\drivers\luafv.sys Address: 0x8C9DF000 Size: 110592 File Visible: - Signed: - Status: - Name: mcupdate_GenuineIntel.dll Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll Address: 
0x80614000 Size: 458752 File Visible: - Signed: - Status: - Name: monitor.sys Image Path: C:\Windows\system32\DRIVERS\monitor.sys Address: 0x914E9000 Size: 61440 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\Windows\system32\DRIVERS\mouclass.sys Address: 0x80F9C000 Size: 45056 File Visible: - Signed: - Status: - Name: mountmgr.sys Image Path: C:\Windows\System32\drivers\mountmgr.sys Address: 0x80E6E000 Size: 65536 File Visible: - Signed: - Status: - Name: mpsdrv.sys Image Path: C:\Windows\System32\drivers\mpsdrv.sys Address: 0x83940000 Size: 86016 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys Address: 0x83955000 Size: 126976 File Visible: - Signed: - Status: - Name: mrxsmb10.sys Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys Address: 0x83974000 Size: 233472 File Visible: - Signed: - Status: - Name: mrxsmb20.sys Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys Address: 0x839AD000 Size: 98304 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\Windows\System32\Drivers\Msfs.SYS Address: 0x927EF000 Size: 45056 File Visible: - Signed: - Status: - Name: msisadrv.sys Image Path: C:\Windows\system32\drivers\msisadrv.sys Address: 0x80CE4000 Size: 32768 File Visible: - Signed: - Status: - Name: msiscsi.sys Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys Address: 0x80FA7000 Size: 192512 File Visible: - Signed: - Status: - Name: msrpc.sys Image Path: C:\Windows\system32\drivers\msrpc.sys Address: 0x84B15000 Size: 176128 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys Address: 0x914A5000 Size: 40960 File Visible: - Signed: - Status: - Name: mup.sys Image Path: C:\Windows\System32\Drivers\mup.sys Address: 0x8C96E000 Size: 61440 File Visible: - Signed: - Status: - Name: ndis.sys Image Path: C:\Windows\system32\drivers\ndis.sys Address: 0x84A0A000 Size: 1093632 File Visible: - Signed: - Status: - Name: 
ndistapi.sys Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys Address: 0x80E00000 Size: 45056 File Visible: - Signed: - Status: - Name: ndisuio.sys Image Path: C:\Windows\system32\DRIVERS\ndisuio.sys Address: 0x838ED000 Size: 40960 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys Address: 0x91403000 Size: 143360 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\Windows\System32\Drivers\NDProxy.SYS Address: 0x9152D000 Size: 69632 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\Windows\system32\DRIVERS\netbios.sys Address: 0x928C3000 Size: 57344 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: C:\Windows\System32\DRIVERS\netbt.sys Address: 0x92862000 Size: 204800 File Visible: - Signed: - Status: - Name: NETIO.SYS Image Path: C:\Windows\system32\drivers\NETIO.SYS Address: 0x84B40000 Size: 241664 File Visible: - Signed: - Status: - Name: Npfs.SYS Image Path: C:\Windows\System32\Drivers\Npfs.SYS Address: 0x915CF000 Size: 57344 File Visible: - Signed: - Status: - Name: nsiproxy.sys Image Path: C:\Windows\system32\drivers\nsiproxy.sys Address: 0x9292F000 Size: 40960 File Visible: - Signed: - Status: - Name: Ntfs.sys Image Path: C:\Windows\System32\Drivers\Ntfs.sys Address: 0x8C80C000 Size: 1114112 File Visible: - Signed: - Status: - Name: ntkrnlpa.exe Image Path: C:\Windows\system32\ntkrnlpa.exe Address: 0x84448000 Size: 3903488 File Visible: - Signed: - Status: - Name: Null.SYS Image Path: C:\Windows\System32\Drivers\Null.SYS Address: 0x927C1000 Size: 28672 File Visible: - Signed: - Status: - Name: nwifi.sys Image Path: C:\Windows\system32\DRIVERS\nwifi.sys Address: 0x838C3000 Size: 172032 File Visible: - Signed: - Status: - Name: pacer.sys Image Path: C:\Windows\system32\DRIVERS\pacer.sys Address: 0x92894000 Size: 90112 File Visible: - Signed: - Status: - Name: parport.sys Image Path: C:\Windows\system32\DRIVERS\parport.sys Address: 0x80F71000 Size: 98304 
File Visible: - Signed: - Status: - Name: partmgr.sys Image Path: C:\Windows\System32\drivers\partmgr.sys Address: 0x80DCD000 Size: 61440 File Visible: - Signed: - Status: - Name: parvdm.sys Image Path: C:\Windows\system32\DRIVERS\parvdm.sys Address: 0x9E85A000 Size: 28672 File Visible: - Signed: - Status: - Name: pci.sys Image Path: C:\Windows\system32\drivers\pci.sys Address: 0x80CEC000 Size: 159744 File Visible: - Signed: - Status: - Name: PCIIDEX.SYS Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS Address: 0x80E60000 Size: 57344 File Visible: - Signed: - Status: - Name: peauth.sys Image Path: C:\Windows\system32\drivers\peauth.sys Address: 0x9E8A4000 Size: 909312 File Visible: - Signed: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x84448000 Size: 3903488 File Visible: - Signed: - Status: - Name: portcls.sys Image Path: C:\Windows\system32\drivers\portcls.sys Address: 0x9157D000 Size: 184320 File Visible: - Signed: - Status: - Name: PSHED.dll Image Path: C:\Windows\system32\PSHED.dll Address: 0x80684000 Size: 69632 File Visible: - Signed: - Status: - Name: rasacd.sys Image Path: C:\Windows\System32\DRIVERS\rasacd.sys Address: 0x927CF000 Size: 36864 File Visible: - Signed: - Status: - Name: rasl2tp.sys Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys Address: 0x80FE1000 Size: 94208 File Visible: - Signed: - Status: - Name: raspppoe.sys Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys Address: 0x91426000 Size: 61440 File Visible: - Signed: - Status: - Name: raspptp.sys Image Path: C:\Windows\system32\DRIVERS\raspptp.sys Address: 0x91435000 Size: 81920 File Visible: - Signed: - Status: - Name: rassstp.sys Image Path: C:\Windows\system32\DRIVERS\rassstp.sys Address: 0x91449000 Size: 86016 File Visible: - Signed: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x84448000 Size: 3903488 File Visible: - Signed: - Status: - Name: rdbss.sys Image Path: C:\Windows\system32\DRIVERS\rdbss.sys Address: 0x928F3000 Size: 245760 
File Visible: - Signed: - Status: - Name: RDPCDD.sys Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys Address: 0x927DF000 Size: 32768 File Visible: - Signed: - Status: - Name: rdpencdd.sys Image Path: C:\Windows\system32\drivers\rdpencdd.sys Address: 0x927E7000 Size: 32768 File Visible: - Signed: - Status: - Name: rootrepeal.sys Image Path: C:\Windows\system32\drivers\rootrepeal.sys Address: 0xA8E9A000 Size: 49152 File Visible: No Signed: - Status: - Name: rspndr.sys Image Path: C:\Windows\system32\DRIVERS\rspndr.sys Address: 0x838F7000 Size: 77824 File Visible: - Signed: - Status: - Name: RTKVHDA.sys Image Path: C:\Windows\system32\drivers\RTKVHDA.sys Address: 0x92605000 Size: 1780864 File Visible: - Signed: - Status: - Name: secdrv.SYS Image Path: C:\Windows\System32\Drivers\secdrv.SYS Address: 0x9E982000 Size: 40960 File Visible: - Signed: - Status: - Name: serenum.sys Image Path: C:\Windows\system32\DRIVERS\serenum.sys Address: 0x84A00000 Size: 40960 File Visible: - Signed: - Status: - Name: serial.sys Image Path: C:\Windows\system32\DRIVERS\serial.sys Address: 0x80F57000 Size: 106496 File Visible: - Signed: - Status: - Name: smb.sys Image Path: C:\Windows\system32\DRIVERS\smb.sys Address: 0x80DEB000 Size: 81920 File Visible: - Signed: - Status: - Name: spldr.sys Image Path: C:\Windows\System32\Drivers\spldr.sys Address: 0x8C966000 Size: 32768 File Visible: - Signed: - Status: - Name: spsys.sys Image Path: C:\Windows\system32\drivers\spsys.sys Address: 0x83803000 Size: 720896 File Visible: - Signed: - Status: - Name: srv.sys Image Path: C:\Windows\System32\DRIVERS\srv.sys Address: 0x9E80C000 Size: 319488 File Visible: - Signed: - Status: - Name: srv2.sys Image Path: C:\Windows\System32\DRIVERS\srv2.sys Address: 0x839C5000 Size: 159744 File Visible: - Signed: - Status: - Name: srvnet.sys Image Path: C:\Windows\System32\DRIVERS\srvnet.sys Address: 0x8390A000 Size: 118784 File Visible: - Signed: - Status: - Name: ssmdrv.sys Image Path: 
C:\Windows\system32\DRIVERS\ssmdrv.sys Address: 0x928E4000 Size: 23040 File Visible: - Signed: - Status: - Name: storport.sys Image Path: C:\Windows\system32\DRIVERS\storport.sys Address: 0x807BE000 Size: 266240 File Visible: - Signed: - Status: - Name: swenum.sys Image Path: C:\Windows\system32\DRIVERS\swenum.sys Address: 0x91479000 Size: 4992 File Visible: - Signed: - Status: - Name: tcpip.sys Image Path: C:\Windows\System32\drivers\tcpip.sys Address: 0x8C600000 Size: 958464 File Visible: - Signed: - Status: - Name: tcpipreg.sys Image Path: C:\Windows\System32\drivers\tcpipreg.sys Address: 0x9E98C000 Size: 49152 File Visible: - Signed: - Status: - Name: TDI.SYS Image Path: C:\Windows\system32\DRIVERS\TDI.SYS Address: 0x80FD6000 Size: 45056 File Visible: - Signed: - Status: - Name: tdx.sys Image Path: C:\Windows\system32\DRIVERS\tdx.sys Address: 0x915DD000 Size: 90112 File Visible: - Signed: - Status: - Name: termdd.sys Image Path: C:\Windows\system32\DRIVERS\termdd.sys Address: 0x9145E000 Size: 65536 File Visible: - Signed: - Status: - Name: TSDDD.dll Image Path: C:\Windows\System32\TSDDD.dll Address: 0x9BCC0000 Size: 36864 File Visible: - Signed: - Status: - Name: tunmp.sys Image Path: C:\Windows\system32\DRIVERS\tunmp.sys Address: 0x8C705000 Size: 36864 File Visible: - Signed: - Status: - Name: tunnel.sys Image Path: C:\Windows\system32\DRIVERS\tunnel.sys Address: 0x8C800000 Size: 45056 File Visible: - Signed: - Status: - Name: uagp35.sys Image Path: C:\Windows\system32\DRIVERS\uagp35.sys Address: 0x8C955000 Size: 69632 File Visible: - Signed: - Status: - Name: umbus.sys Image Path: C:\Windows\system32\DRIVERS\umbus.sys Address: 0x914AF000 Size: 53248 File Visible: - Signed: - Status: - Name: usbccgp.sys Image Path: C:\Windows\system32\DRIVERS\usbccgp.sys Address: 0x92849000 Size: 94208 File Visible: - Signed: - Status: - Name: USBD.SYS Image Path: C:\Windows\system32\DRIVERS\USBD.SYS Address: 0x92860000 Size: 8192 File Visible: - Signed: - Status: - Name: 
usbehci.sys Image Path: C:\Windows\system32\DRIVERS\usbehci.sys Address: 0x8C7E8000 Size: 61440 File Visible: - Signed: - Status: - Name: usbhub.sys Image Path: C:\Windows\system32\DRIVERS\usbhub.sys Address: 0x914F8000 Size: 217088 File Visible: - Signed: - Status: - Name: USBPORT.SYS Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS Address: 0x8C7AA000 Size: 253952 File Visible: - Signed: - Status: - Name: USBSTOR.SYS Image Path: C:\Windows\system32\DRIVERS\USBSTOR.SYS Address: 0x9296E000 Size: 86016 File Visible: - Signed: - Status: - Name: usbuhci.sys Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys Address: 0x90FF5000 Size: 45056 File Visible: - Signed: - Status: - Name: vga.sys Image Path: C:\Windows\System32\drivers\vga.sys Address: 0x914BC000 Size: 49152 File Visible: - Signed: - Status: - Name: viaide.sys Image Path: C:\Windows\system32\drivers\viaide.sys Address: 0x80E58000 Size: 32768 File Visible: - Signed: - Status: - Name: VIDEOPRT.SYS Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS Address: 0x914C8000 Size: 135168 File Visible: - Signed: - Status: - Name: volmgr.sys Image Path: C:\Windows\system32\drivers\volmgr.sys Address: 0x80DDC000 Size: 61440 File Visible: - Signed: - Status: - Name: volmgrx.sys Image Path: C:\Windows\System32\drivers\volmgrx.sys Address: 0x80E0E000 Size: 303104 File Visible: - Signed: - Status: - Name: volsnap.sys Image Path: C:\Windows\system32\drivers\volsnap.sys Address: 0x8C91C000 Size: 233472 File Visible: - Signed: - Status: - Name: wanarp.sys Image Path: C:\Windows\system32\DRIVERS\wanarp.sys Address: 0x928D1000 Size: 77824 File Visible: - Signed: - Status: - Name: watchdog.sys Image Path: C:\Windows\System32\drivers\watchdog.sys Address: 0x90FCB000 Size: 49152 File Visible: - Signed: - Status: - Name: Wdf01000.sys Image Path: C:\Windows\system32\drivers\Wdf01000.sys Address: 0x80C0C000 Size: 507904 File Visible: - Signed: - Status: - Name: WDFLDR.SYS Image Path: C:\Windows\system32\drivers\WDFLDR.SYS Address: 
0x80C88000 Size: 53248 File Visible: - Signed: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0x9BAA0000 Size: 2105344 File Visible: - Signed: - Status: - Name: win32k.sys Image Path: C:\Windows\System32\win32k.sys Address: 0x9BAA0000 Size: 2105344 File Visible: - Signed: - Status: - Name: WMILIB.SYS Image Path: C:\Windows\system32\drivers\WMILIB.SYS Address: 0x80CDB000 Size: 36864 File Visible: - Signed: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x84448000 Size: 3903488 File Visible: - Signed: - Status: - Name: WUDFPf.sys Image Path: C:\Windows\system32\DRIVERS\WUDFPf.sys Address: 0x9E9AD000 Size: 73728 File Visible: - Signed: - Status: - Name: WUDFRd.sys Image Path: C:\Windows\system32\DRIVERS\WUDFRd.sys Address: 0x9E998000 Size: 83328 File Visible: - Signed: - Status: - Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/09 23:33
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System
Address: 0x88a9b538
Size: 861
Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/09 23:34
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Hidden Services
-------------------
Service Name: abfayyq
Image Path: C:\Windows\system32\drivers\abfayyq.sys
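The two scanner outputs in this thread carry the same finding in two layouts: GMER lists a hidden boot service together with its registry values in every control set, and RootRepeal lists drivers with "File Visible: No". The Python script below is an added example and is not code from the thread, from GMER or from RootRepeal; it parses a constructed excerpt in each tool's text layout, flags every driver the scanner could not see on disk, separates the crash-dump copies of the storage stack and the scanner's own driver (assumed benign baseline) from the rest, and decodes the hidden service's Start, Type and Group values into words. The user-profile path in the sample is a placeholder.

```python
import re
from collections import defaultdict

# Constructed excerpt in the record layout RootRepeal uses for its "Drivers" scan.
# Address/Signed/Status lines are left out here (the parser accepts them too);
# the user-profile path is a placeholder, not a value from the thread.
ROOTREPEAL_SAMPLE = r"""
Name: abfayyq.sys
Image Path: C:\Windows\System32\Drivers\abfayyq.sys
Size: 761856
File Visible: No

Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Size: 286720
File Visible: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Size: 32768
File Visible: No

Name: kwryrpow.sys
Image Path: C:\Users\<user>\AppData\Local\Temp\kwryrpow.sys
Size: 93056
File Visible: No
"""

# Constructed excerpt in GMER's "Registry" line layout: Reg <key>@<value> <data>.
GMER_REGISTRY_SAMPLE = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\abfayyq@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\abfayyq@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\abfayyq@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\abfayyq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\abfayyq@Group Boot Bus Extender
"""

FIELD = re.compile(r"^(Name|Image Path|Address|Size|File Visible|Signed|Status):\s*(.*)$")
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^@]+)@(?P<val>\S+)\s*(?P<data>.*)$")

# Assumption: hidden drivers that are expected even on a clean box, namely the
# crash-dump copies of the storage stack and the scanner's own driver.
BENIGN_HIDDEN = {"dump_atapi.sys", "dump_dumpata.sys", "rootrepeal.sys"}

# Documented Windows service Start and Type values (decimal, as GMER prints them).
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}
SERVICE_TYPES = {"1": "kernel driver", "2": "file system driver",
                 "16": "own-process service", "32": "shared-process service"}

def parse_rootrepeal_drivers(text):
    """Split a RootRepeal Drivers section into dicts; a record starts at 'Name:'."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def triage_drivers(records):
    """Return {name: verdict} for every driver the scanner could not see on disk."""
    verdicts = {}
    for rec in records:
        if rec.get("File Visible", "-") != "No":
            continue
        name, path = rec["Name"], rec.get("Image Path", "").lower()
        if name.lower() in BENIGN_HIDDEN:
            verdicts[name] = "hidden but expected (crash-dump stack copy or scanner driver)"
        elif "\\temp\\" in path or "\\users\\" in path:
            verdicts[name] = "hidden and loaded from a user-writable path: investigate"
        else:
            verdicts[name] = "hidden in the system driver directory: likely rootkit component"
    return verdicts

def parse_gmer_registry(text):
    """Map service -> control set -> {value: data} from GMER 'Reg' lines."""
    services = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            services[m["svc"]][m["cs"]][m["val"]] = m["data"].strip()
    return services

def describe_service(services, name):
    """Decode how a service is registered, using CurrentControlSet as reference."""
    sets = services.get(name, {})
    cur = sets.get("CurrentControlSet", {})
    return {"service": name,
            "type": SERVICE_TYPES.get(cur.get("Type"), "unknown"),
            "start": START_TYPES.get(cur.get("Start"), "unknown"),
            "group": cur.get("Group", ""),
            "control_sets": len(sets)}

if __name__ == "__main__":
    for name, verdict in triage_drivers(parse_rootrepeal_drivers(ROOTREPEAL_SAMPLE)).items():
        print(f"{name}: {verdict}")
    print(describe_service(parse_gmer_registry(GMER_REGISTRY_SAMPLE), "abfayyq"))
```

Start 0 with the group "Boot Bus Extender" means the driver is loaded by the boot loader before almost everything else in the kernel, which is why a user-mode scan or a service-list check never sees it and why a plain file deletion fails while it is loaded. The same entry being present in every ControlSetNNN is why switching to another control set (for example via Last Known Good Configuration) would not have dropped it either. The path heuristic is deliberately coarse: a driver that is not visible on disk and was loaded from a user's Temp directory is the kind of record that warrants a second look regardless of its name.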
11.06.2010, 07:39 | #5
/// Helfer-Team
hi

1. Two antivirus programs installed and active at the same time: AntiVir/Avira & BullGuard. Both scanners have only one goal, namely to check and protect your system against malware in a sensible way. As a result they obstruct each other and the system carries a double load; the consequence can be a crash, or in the worst case you can look forward to a complete reinstallation! More AV programs do not mean more security! So uninstall one of the AV programs and run only one on your PC!!

2. CCleaner - you did not do it right! Display the list of installed programs and post it for me:

3. Copy the text from the code box into a Notepad document and save it as remove.txt on your hard drive C:\ Code:
Drivers to delete:
abfayyq

Files to delete:
C:\Windows\system32\drivers\abfayyq.sys

→ I recommend that you disable the antivirus software - do not forget to switch it back on after the run
→ start avenger.exe with a double-click
→ paste the content of the code box completely and unchanged into the empty text field under "Input script here"
→ then click "Execute"
→ you will be asked whether you want to run the script. Answer "Yes".
→ when asked whether your computer should restart now ("Reboot now"), please also confirm
→ after the restart a DOS window will open.
→ once it has closed again, the editor opens with the scan results: C:\avenger.txt
→ copy the content directly from the text file and paste it here
11.06.2010, 10:56 | #6
Thank you very much for helping me. Hopefully this is now the correct log from CCleaner: Code:
ATTFilter Adobe Flash Player 10 ActiveX Adobe Systems Incorporated 21.01.2009 10.0.12.36 Adobe Flash Player Plugin Adobe Systems Incorporated 08.07.2008 9.0.124.0 Adobe Reader 8.1.3 - Deutsch Adobe Systems Incorporated 24.08.2009 100,0MB 8.1.3 Apple Application Support Apple Inc. 04.05.2010 39,7MB 1.2.1 Apple Mobile Device Support Apple Inc. 04.05.2010 19,7MB 3.0.1.3 Apple Software Update Apple Inc. 02.10.2008 2,16MB 2.1.1.116 ATI Catalyst Install Manager ATI Technologies, Inc. 12.09.2009 13,8MB 3.0.641.0 Avira AntiVir Personal - Free Antivirus Avira GmbH 30.06.2009 71,7MB AVM FRITZ!Box Dokumentation AVM Berlin 03.02.2009 3,07MB AVM FRITZ!Box Druckeranschluss AVM Berlin 03.02.2009 Bonjour Apple Inc. 04.05.2010 0,76MB 2.0.1.2 BullGuard 7.0 for Vista BullGuard Software 01.01.2008 31,4MB 7.0 for Vista CCleaner Piriform 08.06.2010 2,82MB 2.32 CVSNT 2.5.03.2382 March Hare Software 19.04.2008 8,92MB 2.5.03.2382 Diagram Designer 13.02.2008 1,38MB DivX Codec DivX, Inc. 06.09.2008 1,40MB 6.8.4 DivX Converter DivX, Inc. 06.09.2008 30,4MB 6.6.1 DivX Player 06.09.2008 15,4MB 6.8.2 DivX Web Player DivX,Inc. 06.09.2008 2,93MB 1.4.0 Drakensang dtp 12.12.2009 9.000,6MB Free YouTube Download 2.3 DVDVideoSoft Limited. 06.11.2009 2,65MB Free YouTube to iPod Converter version 3.1 DVDVideoSoft Limited. 29.03.2009 2,23MB GlassFish V2 24.01.2008 142,5MB Guild 2 King's Edition JoWood 02.02.2009 2.984,6MB 1.0.0 HijackThis 2.0.2 TrendMicro 08.06.2010 0,39MB 2.0.2 ICQ6.5 ICQ 21.01.2009 44,3MB 6.5 IKEA Home Planner IKEA IT 09.04.2010 167,3MB 2.0.3 iPhone-Konfigurationsprogramm Apple Inc. 17.09.2009 22,4MB 2.1.0.163 iTunes Apple Inc. 04.05.2010 160,0MB 9.1.1.12 Java(TM) 6 Update 20 Sun Microsystems, Inc. 26.02.2010 97,7MB 6.0.200 Java(TM) 6 Update 3 Sun Microsystems, Inc. 24.01.2008 133,2MB 1.6.0.30 Java(TM) 6 Update 4 Sun Microsystems, Inc. 08.04.2008 137,7MB 1.6.0.40 Java(TM) 6 Update 5 Sun Microsystems, Inc. 14.05.2008 136,2MB 1.6.0.50 Java(TM) 6 Update 7 Sun Microsystems, Inc. 
26.07.2008 136,2MB 1.6.0.70 Java(TM) SE Development Kit 6 Sun Microsystems, Inc. 24.01.2008 245,3MB 1.6.0.0 Java(TM) SE Runtime Environment 6 Sun Microsystems, Inc. 24.01.2008 115,2MB 1.6.0.0 Malwarebytes' Anti-Malware Malwarebytes Corporation 18.05.2010 3,91MB MEDIONbox Medion 14.08.2007 27,0MB 1.09.0000.00050 Microsoft .NET Framework 1.1 14.08.2007 Microsoft .NET Framework 3.5 Language Pack SP1 - DEU Microsoft Corporation 26.10.2009 37,0MB Microsoft .NET Framework 3.5 SP1 Microsoft Corporation 13.09.2009 27,8MB Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 19.04.2008 0,41MB 8.0.56336 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 30.06.2009 0,58MB 9.0.30729 MiKTeX 2.7 MiKTeX.org 01.12.2008 218,3MB 2.7 Mobipocket Reader 6.2 Mobipocket.com 30.03.2009 11,2MB 6.2.608 Mozilla Firefox (3.6.3) Mozilla 11.04.2010 32,4MB 3.6.3 (de) Mozilla Sunbird (0.8) Mozilla 26.05.2008 17,8MB 0.8 (de) Mozilla Thunderbird (2.0.0.24) Mozilla 16.03.2010 28,4MB 2.0.0.24 (de) MSXML 4.0 SP2 (KB925672) Microsoft Corporation 27.06.2007 1,24MB 4.20.9839.0 MSXML 4.0 SP2 (KB927978) Microsoft Corporation 27.06.2007 1,24MB 4.20.9841.0 MSXML 4.0 SP2 (KB936181) Microsoft Corporation 14.08.2007 1,28MB 4.20.9848.0 MSXML 4.0 SP2 (KB954430) Microsoft Corporation 12.09.2009 1,29MB 4.20.9870.0 MSXML 4.0 SP2 (KB973688) Microsoft Corporation 24.11.2009 1,35MB 4.20.9876.0 Nero 7 Essentials Nero AG 27.06.2007 458,1MB 7.02.4288 NetBeans IDE 6.0 24.01.2008 402,6MB OpenOffice.org 3.1 OpenOffice.org 26.02.2010 371,2MB 3.1.9420 ProtectDisc Driver, Version 11 ProtectDisc Software GmbH 12.12.2009 100,00KB 11.0.0.12 QuickTime Apple Inc. 04.05.2010 73,8MB 7.66.71.0 Realtek High Definition Audio Driver Realtek Semiconductor Corp. 
14.08.2007 14,8MB 6.0.1.5433 Roll 22.05.2010 322,7MB Sid Meier's Civilization 4 Firaxis Games 23.12.2008 1.509,4MB 1.74 Sid Meier's Civilization 4 - Beyond the Sword Firaxis Games 23.12.2008 1.439,0MB 3.01 Sid Meier's Civilization 4 - Warlords Firaxis Games 23.12.2008 562,9MB 2.13 Skype™ 4.0 Skype Technologies S.A. 26.05.2009 32,3MB 4.0.226 Spelling Dictionaries Support For Adobe Reader 8 Adobe Systems 24.08.2009 32,5MB 8.0.0 SupernaturalScreensaver 21.09.2009 TeamSpeak 2 RC2 Dominating Bytes Design 03.01.2008 2.0.32.60 TeXnicCenter Version 1 Beta 7.50 TeXnicCenter.org 01.12.2008 11,6MB Version 1 Beta 7.50 TeXnicCenter Version 2.0 Alpha 2 The TeXnicCenter Team 19.02.2010 16,9MB 2.0 Alpha 2 TuneUp Utilities 2009 TuneUp Software 18.05.2010 190,4MB 8.0.3100.31 Uninstall 1.0.0.1 06.11.2009 14,6MB VideoLAN VLC media player 0.8.6d VideoLAN Team 15.02.2008 32,2MB 0.8.6d Winamp Nullsoft, Inc 03.01.2008 27,1MB 5.51 Windows Installer Clean Up Microsoft Corporation 12.09.2009 0,30MB 3.00.00.0000 Windows Mobile Device Center Driver Update Microsoft Corporation 18.03.2009 42,4MB 6.1.6965.0 Windows Mobile-Gerätecenter Microsoft Corporation 18.03.2009 27,5MB 6.1.6965.0 Windows Mobile-Ressourcen Microsoft Corporation 19.03.2009 7,20MB 1.0 WinRAR 27.04.2008 3,66MB World of Warcraft Blizzard Entertainment 25.05.2010 3.3.3.11723 Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "abfayyq" deleted successfully.
File "C:\Windows\system32\drivers\abfayyq.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
11.06.2010, 10:58 | #7
Trojan PWS:Win32/Daurso.A -- persistent and resistant
AntiVir/Avira has just reported the rootkit again ... after Avenger rebooted ... does Avenger keep the driver (and AntiVir reports it every time), or is that only on the first reboot?
In der Datei 'C:\Avenger\abfayyq.sys' wurde ein Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan] gefunden.
Ausgeführte Aktion: Zugriff verweigern
12.06.2010, 07:16 | #8
/// Helper team | Trojan PWS:Win32/Daurso.A -- persistent and resistant
hi
The decision is not easy; times have become harder for PC users, since the "virus programmers" produce hundreds of thousands of new viruses almost daily and are always a big step ahead...
Quote:
As further important precautions:
- An up-to-date security level is the top priority
- Update the operating system (patches and service packs) and ALL application programs
- Limited user account - do not surf as administrator! -> set up user accounts
- Do not open unknown e-mail attachments or links in e-mails (chat programs) - e-mails with attached files are ideal carriers for Trojan horses and viruses.
- Avoid file-sharing networks - you never know what you will get, since every third download contains spyware or other pests.
- Avoid visiting unsafe sites - websites can be programmed so that a click on a further link starts malicious software ("drive-by download")
- Beware of internet scams! What is this about? Besides serious free offers, many seemingly free offers lure on the internet - if the downloaded file or program is itself infected from the start (keygen, cracked software), there is no antivirus program and/or security tool in the world that offers you 100% protection or can prevent Trojans from getting in!
** Healthy distrust on the net is meant to protect you from dangers and traps! -> SETI@home - [Sicherheit] Sicherheitskonzept
If I had to choose between Avira and BullGuard, the free AntiVir Personal (freeware) is my top favourite. Besides good detection of malware, its resource consumption is low, and it updates daily. Convince yourself: look it up on Google...
1. Delete C:\avenger\backup.zip (with the contents of the deleted files) → empty the recycle bin
2. Now please run Gmer once more as described above: -> point 5. - http://www.trojaner-board.de/86267-t...tml#post527196
Last edited by kira (12.06.2010 at 07:24)
12.06.2010, 10:59 | #9
Trojan PWS:Win32/Daurso.A -- persistent and resistant
Thanks for the tips. I caught the whole thing via a supposed PayPal e-mail .. here is Gmer again:
GMER Logfile:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-06-12 11:55:03
Windows 6.0.6002 Service Pack 2
Running: io7wnz65.exe; Driver: C:\Users\Lynaya\AppData\Local\Temp\kwryrpow.sys

---- System - GMER 1.0.15 ----

SSDT 9C93F2DC ZwCreateThread
SSDT 9C93F2C8 ZwOpenProcess
SSDT 9C93F2CD ZwOpenThread
SSDT 9C93F2D7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 848B4984 4 Bytes [DC, F2, 93, 9C] {FDIVR ST(2), ST; XCHG EBX, EAX; PUSHF }
.text ntkrnlpa.exe!KeSetEvent + 3F1 848B4B54 4 Bytes [C8, F2, 93, 9C] {ENTER 0x93f2, 0x9c}
.text ntkrnlpa.exe!KeSetEvent + 40D 848B4B70 4 Bytes [CD, F2, 93, 9C] {INT 0xf2; XCHG EBX, EAX; PUSHF }
.text ntkrnlpa.exe!KeSetEvent + 621 848B4D84 4 Bytes [D7, F2, 93, 9C]
.reloc C:\Windows\system32\drivers\acedrv11.sys section is executable [0x83872300, 0x25D4C, 0xE0000060]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat BdFileSpy.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!d!f!`!`!\24!t!s!t!t!r!d!r!s!\30! 19583823

---- EOF - GMER 1.0.15 ----
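The GMER output above can be triaged mechanically rather than read by eye. The following script is an added example written for this thread, not GMER's own code or a tool the helpers recommend: it parses the SSDT, kernel-code-section and AttachedDevice lines (a constructed copy of the relevant log lines is embedded), groups the SSDT hook targets by 4 KiB page, and decodes the four patched DWORDs as little-endian pointers. Doing that shows they hold exactly the four SSDT hook addresses, so GMER is reporting the overwritten service-table entries under the nearest exported symbol (KeSetEvent + offset), not patches to KeSetEvent itself, and all four hooks live in one page, i.e. they come from one module.

```python
"""Triage helper for a GMER rootkit-scan log.

Added example for this thread, not GMER's own code. GMER prints one record
per line; this pulls out SSDT hooks, modified kernel code sections, executable
non-code sections and attached filter devices, then relates them to each other.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines copied from the GMER log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-06-12 11:55:03
Windows 6.0.6002 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT 9C93F2DC ZwCreateThread
SSDT 9C93F2C8 ZwOpenProcess
SSDT 9C93F2CD ZwOpenThread
SSDT 9C93F2D7 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 221 848B4984 4 Bytes [DC, F2, 93, 9C] {FDIVR ST(2), ST; XCHG EBX, EAX; PUSHF }
.text ntkrnlpa.exe!KeSetEvent + 3F1 848B4B54 4 Bytes [C8, F2, 93, 9C] {ENTER 0x93f2, 0x9c}
.text ntkrnlpa.exe!KeSetEvent + 40D 848B4B70 4 Bytes [CD, F2, 93, 9C] {INT 0xf2; XCHG EBX, EAX; PUSHF }
.text ntkrnlpa.exe!KeSetEvent + 621 848B4D84 4 Bytes [D7, F2, 93, 9C]
.reloc C:\Windows\system32\drivers\acedrv11.sys section is executable [0x83872300, 0x25D4C, 0xE0000060]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat BdFileSpy.sys
---- EOF - GMER 1.0.15 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
CODE_RE = re.compile(r"^\.(\w+)\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\d+) Bytes \[([^\]]*)\]")
EXEC_RE = re.compile(r"^\.(\w+)\s+(\S+)\s+section is executable")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_gmer(text):
    """Return dict of lists: SSDT hooks, code patches, executable sections, attached devices."""
    report = {"ssdt": [], "code": [], "exec_sections": [], "devices": []}
    for line in text.splitlines():
        if m := SSDT_RE.match(line):
            report["ssdt"].append({"address": int(m.group(1), 16), "function": m.group(2)})
        elif m := CODE_RE.match(line):
            report["code"].append({
                "symbol": m.group(2),
                "offset": int(m.group(3), 16),
                "address": int(m.group(4), 16),
                # GMER lists the patched bytes as "DC, F2, 93, 9C"
                "bytes": bytes(int(b, 16) for b in m.group(6).split(",")),
            })
        elif m := EXEC_RE.match(line):
            report["exec_sections"].append(m.group(2))
        elif m := DEVICE_RE.match(line):
            report["devices"].append({"filesystem": m.group(1), "device": m.group(2), "driver": m.group(3)})
    return report


def hook_pages(report):
    """Group SSDT hook targets by 4 KiB page; a single page for all hooks points at one module."""
    pages = defaultdict(list)
    for hook in report["ssdt"]:
        pages[hook["address"] >> 12].append(hook["function"])
    return dict(pages)


def correlate_patches(report):
    """Map each 4-byte code patch to the SSDT hook whose address it encodes.

    Decoding the bytes as a little-endian DWORD and matching them against the
    SSDT hook targets shows whether a reported 'code section' modification is
    really just an overwritten service-table entry.
    """
    by_addr = {h["address"]: h["function"] for h in report["ssdt"]}
    matched = {}
    for patch in report["code"]:
        if len(patch["bytes"]) != 4:
            continue
        value = int.from_bytes(patch["bytes"], "little")
        if value in by_addr:
            matched[f'{patch["symbol"]} + {patch["offset"]:X}'] = by_addr[value]
    return matched


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for page, funcs in hook_pages(rep).items():
        print(f"hooks in page {page:05X}xxx: {', '.join(funcs)}")
    for where, func in correlate_patches(rep).items():
        print(f"{where}: overwritten table entry for {func}")
    print("executable non-code sections:", rep["exec_sections"])
    print("attached filter drivers:", sorted({d['driver'] for d in rep['devices']}))
```

The script does not decide whether the hooking module is a security product's self-protection or the rootkit; a hook set covering process/thread open, create and terminate is exactly what many antivirus self-protection drivers install, so the result has to be read together with the installed-software list and the attached filter drivers (BdFileSpy.sys on NTFS and FAT here). The `.reloc` section of acedrv11.sys being executable is reported separately because a non-code section with execute rights is worth a look on its own.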
13.06.2010, 00:25 | #10
/// Helper team | Trojan PWS:Win32/Daurso.A -- persistent and resistant
OK, that already looks quite good; for a thorough clean-up a few more steps are needed:
1. The old Java versions remain on the PC... for security reasons they must be removed; pay attention to this in future as well! So please uninstall/remove the old entries:
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Empty the Java cache / points 7 and 8, via Control Panel -> Java...
3. Update Adobe Reader: to get the latest version from Adobe click here: Adobe Reader - or you can also call the update function from within the program itself
4. Close all applications → please empty the folders for temporary files
**The Temp folder is for temporary files, so its contents can be deleted without concern. - Files that are still in use cannot be deleted.
**Only delete the contents of the folders, not the folders themselves!
5. Clean your system with CCleaner:
6.
7. Viruses can also be transported on USB sticks, self-burned discs, external hard drives and other storage media. They must therefore be monitored by regular checks for damage that malware may have caused. For this, checking the data saved on the storage medium with the help of the free online scanner is very suitable and recommended.
→ So connect all existing external drives, including any USB sticks, to the computer, but hold down the Shift key while doing so, so that the autorun function is not executed. In addition, the autostart property can also be switched off:
→ Windows security: disable autorun for storage media - illustrated guide by Leonidas/3dcenter.org
→ Disable autorun/autoplay specifically for drive types or drive letters / wintotal.de
→ This Silly description supports the assumption that it came via a USB stick. The cause has been eliminated by formatting the stick; you should make sure that no autorun.inf file reappears there, and be somewhat choosy about where you plug your stick in.
→ Check the complete computer (i.e. the whole system) (system check without cleaning) with Kaspersky Online Scanner / click here
→ to continue with the process click "Accept"
→ then select "My computer" - It takes some time until a complete scan has run through, so please be patient! It can take some time until the scan is finished - one or more hours depending on the size of the hard drive - so patience...
→ When the report is displayed, click "Save as" - please copy it and paste it into your thread here
Before the scan, settings in Internet Explorer:
→ "Tools → Internet Options → Security":
→ set everything to the default level
→ allow ActiveX - so that the new virus definitions can be installed
8. Post again - after the clean-up has been carried out:
► TrendMicro™ HijackThis™ logfile - No open windows while HijackThis is running!!
Last edited by kira (13.06.2010 at 00:34)
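The USB-stick advice in step 7 (plug in with Shift held, watch for a reappearing autorun.inf) can be backed up by looking at what such a file would launch before anything is double-clicked. The script below is an added example for this thread, not a tool the helper recommended: it parses the [autorun] section of an autorun.inf (the sample file and its RECYCLER\setup.exe target are constructed, and the "drive" is a temporary directory), collects the open, shellexecute and shell\<verb>\command targets, and reports whether each target file exists at the drive root. Nothing is executed.

```python
"""Inspect the autorun.inf on a removable drive without running anything.

Added example for this thread, not a tool from the forum. autorun.inf is a small
INI file: the [autorun] section names an executable under 'open' or 'shellexecute'
and can add context-menu verbs under 'shell\<verb>\command'. Junk lines between
the real entries are common in malicious files, so unknown lines are ignored.
"""
import os
import re
import tempfile

# Constructed sample of a suspicious autorun.inf; the file names are made up.
SAMPLE_AUTORUN = """\
[autorun]
;junk line that a strict INI parser would choke on
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
UseAutoPlay=1
"""

KEY_RE = re.compile(r"^\s*([^=;\[]+?)\s*=\s*(.*?)\s*$")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys; other sections are ignored."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        m = KEY_RE.match(line)
        if in_section and m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def launch_targets(entries):
    """Collect every path the file would execute: open, shellexecute and shell\\<verb>\\command."""
    targets = {}
    for key in ("open", "shellexecute"):
        if key in entries:
            targets[key] = entries[key]
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            targets[key] = value
    return targets


def inspect_drive(root):
    """Describe what the autorun.inf at the drive root would launch.

    Returns a list of findings; an empty list means there is no autorun.inf.
    """
    inf = os.path.join(root, "autorun.inf")
    if not os.path.exists(inf):
        return []
    with open(inf, encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, target in launch_targets(entries).items():
        exe = target.split()[0] if target else ""          # drop command-line arguments
        path = os.path.join(root, *exe.split("\\"))        # resolve relative to the drive root
        status = "present" if os.path.exists(path) else "missing"
        findings.append(f"{key} -> {exe} ({status})")
    return findings


def demo():
    """Build a throw-away 'drive' in a temp dir from the constructed sample and inspect it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_AUTORUN)
        os.makedirs(os.path.join(root, "RECYCLER"))
        open(os.path.join(root, "RECYCLER", "setup.exe"), "wb").close()
        return inspect_drive(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real stick, pass its root (for example `E:\`) to `inspect_drive` from a session where autorun is already disabled, as the guides linked in step 7 describe; the script is for judging a stick you are suspicious of, not a replacement for turning autorun off system-wide.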