Messenger Virus

Herku · 10.06.2010, 17:52

Hallöle,

ich hab mir wie einige hier auch diesen Messenger Virus mit dem Bild eingefangen. Bei mir war es nur keine Freundin, keine Schwester und auch net mein Hund, der den Link betätigte, sondern ich selbst ._.

Ich hab mal alles gemacht wie es in diesem Thread beschrieben steht. Programme nacheinander Ausgeführt und so:

Zitat:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4186

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

10.06.2010 17:06:22
mbam-log-2010-06-10 (17-06-22).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 138997
Laufzeit: 5 Minute(n), 18 Sekunde(n)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 5

Infizierte Speicherprozesse:
C:\Users\Public\winscdvn.exe (Worm.Pushbot) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\Interface\{7b9a715e-9d87-4c21-bf9e-f914f2fa953f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eaf2ccee-21a1-4203-9f36-4929fd104d43} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6d3f5de4-e980-4407-a10f-9ac771abaae6} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d6f180cb-e683-41a3-8cd2-c53dbaa0530d} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d6f180cb-e683-41a3-8cd2-c53dbaa0530d} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d6f180cb-e683-41a3-8cd2-c53dbaa0530d} (Adware.ISTBar) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows firewall manager (Worm.Pushbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{d6f180cb-e683-41a3-8cd2-c53dbaa0530d} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d6f180cb-e683-41a3-8cd2-c53dbaa0530d} (Adware.ISTBar) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\Public\winscdvn.exe (Worm.Pushbot) -> Quarantined and deleted successfully.
C:\Program Files\Rightdown Software SearchBar\rssb.dll (Adware.ISTBar) -> Quarantined and deleted successfully.
C:\Users\Hendrik\AppData\Local\Temp\sgv.exe (Worm.Pushbot) -> Quarantined and deleted successfully.
C:\Users\Hendrik\AppData\Local\Temp\TMP00000001E423F2358F94F6F5 (Worm.Pushbot) -> Delete on reboot.
C:\Users\Hendrik\downloads\IMG0737830249202010.JPG.scr (Worm.Bot) -> Quarantined and deleted successfully.

Ich hoffe ich hab alles richtig gemacht

Die Dateien von OTS sind im Anhang, leider musste ich sie aufteilen.

Schonmal Dankeschön für alle Hilfen bis hier hin und vor allem für die kostbare Zeit, die für mich investiert wird.

cosinus · 10.06.2010, 21:20

Hallo und

Mach bitte einen Vollscan mit Malwarebytes und poste auch das Log.

Herku · 11.06.2010, 16:13

So sorry hat ein wenig gedauert. Hier der Log vom kompletten scan:

Zitat:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4186

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

11.06.2010 17:11:07
mbam-log-2010-06-11 (17-11-07).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|F:\|G:\|)
Durchsuchte Objekte: 330972
Laufzeit: 2 Stunde(n), 40 Minute(n), 8 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Program Files\AutoIt3\Extras\SQLite\sqlite3.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

cosinus · 13.06.2010, 13:30

Sieht ziemlich unauffällig aus. Mach bitte mal einen Durchgang mit CF, das Tool nimmt uns viel Arbeit ab:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Herku · 14.06.2010, 14:06

So, hier der Combofix Log.

Combofix Logfile:

Code:

ATTFilter

ComboFix 10-06-13.04 - Hendrik 14.06.2010  14:41:10.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.3070.1618 [GMT 2:00]
ausgeführt von:: c:\users\Hendrik\Desktop\cofi.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Hendrik\AppData\Roaming\Desktopicon
c:\users\Hendrik\AppData\Roaming\Desktopicon\eBay.ico
c:\users\Hendrik\AppData\Roaming\Desktopicon\uninst.exe

.
(((((((((((((((((((((((   Dateien erstellt von 2010-05-14 bis 2010-06-14  ))))))))))))))))))))))))))))))
.

2010-06-14 12:51 . 2010-06-14 12:51	--------	d-----w-	c:\users\Gast\AppData\Local\temp
2010-06-14 12:51 . 2010-06-14 12:51	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-06-13 11:13 . 2010-06-13 11:13	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-06-12 22:55 . 2010-06-12 22:55	71992	----a-w-	c:\programdata\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-10 14:58 . 2010-06-10 14:58	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\Malwarebytes
2010-06-10 14:58 . 2010-04-29 10:19	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 14:58 . 2010-06-10 14:58	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-06-10 14:58 . 2010-06-10 14:58	--------	d-----w-	c:\programdata\Malwarebytes
2010-06-10 14:58 . 2010-04-29 10:19	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-06-10 14:37 . 2010-06-10 14:37	--------	d-----w-	c:\program files\CCleaner
2010-06-09 15:57 . 2010-04-05 17:01	67072	----a-w-	c:\windows\system32\asycfilt.dll
2010-06-09 15:54 . 2010-05-26 17:06	34304	----a-w-	c:\windows\system32\atmlib.dll
2010-06-09 15:54 . 2010-05-26 14:47	289792	----a-w-	c:\windows\system32\atmfd.dll
2010-06-09 15:42 . 2010-05-01 14:13	2037248	----a-w-	c:\windows\system32\win32k.sys
2010-05-26 10:32 . 2010-04-23 14:13	2048	----a-w-	c:\windows\system32\tzres.dll
2010-05-23 13:37 . 2010-05-23 13:37	--------	d-----r-	C:\Sandbox
2010-05-23 13:36 . 2010-05-23 13:36	--------	d-----w-	c:\program files\Sandboxie
2010-05-21 15:11 . 2010-05-21 15:11	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\LolClient
2010-05-21 14:43 . 2010-05-21 14:44	38784	----a-w-	c:\users\Hendrik\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-21 14:43 . 2010-05-21 14:44	38784	----a-w-	c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-21 14:43 . 2010-05-21 14:44	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2010-05-21 13:30 . 2010-05-21 14:00	--------	d-----w-	c:\users\Hendrik\AppData\Local\PMB Files
2010-05-21 13:30 . 2010-05-21 13:30	--------	d-----w-	c:\programdata\PMB Files
2010-05-21 13:30 . 2010-05-21 13:30	--------	d-----w-	c:\program files\Pando Networks
2010-05-18 14:23 . 2010-05-18 14:24	--------	d-----w-	C:\devkitPro
2010-05-18 13:25 . 2010-04-12 15:29	411368	----a-w-	c:\windows\system32\deployJava1.dll

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 12:50 . 2009-03-31 12:55	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\Skype
2010-06-14 12:07 . 2009-03-31 16:23	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\ICQ
2010-06-14 12:06 . 2009-05-14 14:26	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\skypePM
2010-06-14 12:00 . 2008-04-16 11:11	618442	----a-w-	c:\windows\system32\perfh007.dat
2010-06-14 12:00 . 2008-04-16 11:11	122842	----a-w-	c:\windows\system32\perfc007.dat
2010-06-13 20:44 . 2008-12-05 18:55	12	----a-w-	c:\windows\bthservsdp.dat
2010-06-13 11:12 . 2009-10-04 10:13	--------	d-----w-	c:\program files\Microsoft
2010-06-13 11:06 . 2008-12-05 21:29	45056	----a-w-	c:\windows\system32\acovcnt.exe
2010-06-12 23:00 . 2010-02-02 14:31	--------	d-----w-	c:\program files\Safari
2010-06-12 08:35 . 2009-04-14 17:37	7592	----a-w-	c:\users\Hendrik\AppData\Local\d3d9caps.dat
2010-06-10 15:06 . 2010-01-17 00:21	--------	d-----w-	c:\program files\Rightdown Software SearchBar
2010-06-10 13:14 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-06-10 10:45 . 2008-12-05 19:03	--------	d-----w-	c:\programdata\Microsoft Help
2010-06-09 19:32 . 2010-02-16 16:51	--------	d-----w-	c:\program files\ICQ7.0
2010-06-06 11:19 . 2010-05-14 14:03	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\Xfire
2010-06-03 23:43 . 2009-11-19 20:19	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\vlc
2010-05-30 18:38 . 2010-04-30 15:12	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\Audacity
2010-05-24 14:47 . 2009-03-31 12:19	124547	----a-w-	c:\programdata\nvModes.dat
2010-05-18 13:25 . 2009-04-20 18:44	--------	d-----w-	c:\program files\Java
2010-05-14 14:07 . 2010-05-14 13:42	--------	d-----w-	c:\program files\THQ
2010-05-14 14:06 . 2008-12-05 19:17	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-05-14 14:03 . 2010-05-14 14:03	--------	d-s---w-	c:\program files\Xfire
2010-05-14 13:49 . 2010-05-14 13:49	8192	----a-r-	c:\users\Hendrik\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\IconD0B36BAF3.exe
2010-05-14 13:49 . 2010-05-14 13:49	6144	----a-r-	c:\users\Hendrik\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\Icon83F12F734.exe
2010-05-14 13:49 . 2010-05-14 13:49	11264	----a-r-	c:\users\Hendrik\AppData\Roaming\Microsoft\Installer\{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}\Icon8F99E711.exe
2010-05-10 20:38 . 2009-09-29 18:25	--------	d-----w-	c:\program files\Opera
2010-05-07 23:23 . 2010-05-07 21:04	--------	d-----w-	c:\program files\mektek.net
2010-05-07 21:04 . 2010-05-07 21:04	26582	----a-r-	c:\users\Hendrik\AppData\Roaming\Microsoft\Installer\{6583D00E-0924-4950-8BE9-5D09FE70B333}\_A56E24F757E8A738F8C492.exe
2010-05-07 21:04 . 2010-05-07 21:04	26582	----a-r-	c:\users\Hendrik\AppData\Roaming\Microsoft\Installer\{6583D00E-0924-4950-8BE9-5D09FE70B333}\_17A37D12E91C20333FE6AE.exe
2010-05-04 15:25 . 2010-05-04 15:18	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\Guitar Pro 6
2010-05-04 15:18 . 2010-05-04 15:18	--------	d-----w-	c:\programdata\Guitar Pro 6
2010-05-04 05:59 . 2010-06-09 15:47	916480	----a-w-	c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 15:47	71680	----a-w-	c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 15:47	109056	----a-w-	c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 15:47	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2010-05-01 20:43 . 2010-05-01 20:42	--------	d-----w-	c:\program files\iTunes
2010-05-01 20:43 . 2010-05-01 20:43	--------	d-----w-	c:\program files\iPod
2010-05-01 20:43 . 2009-12-17 19:49	--------	d-----w-	c:\program files\Common Files\Apple
2010-05-01 20:38 . 2010-05-01 20:38	--------	d-----w-	c:\program files\Bonjour
2010-05-01 20:36 . 2010-05-01 20:36	73000	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-01 20:34 . 2010-05-01 20:34	--------	d-----w-	c:\programdata\WindowsSearch
2010-05-01 12:58 . 2009-04-23 19:32	--------	d-----w-	c:\users\Hendrik\AppData\Roaming\gtk-2.0
2010-04-30 15:12 . 2010-04-30 15:12	--------	d-----w-	c:\program files\Conduit
2010-04-30 15:12 . 2010-04-30 15:12	--------	d-----w-	c:\program files\Softonic_Deutsch
2010-04-30 15:12 . 2010-04-30 15:11	--------	d-----w-	c:\program files\Audacity 1.3 Beta (Unicode)
2010-04-30 13:57 . 2010-04-15 15:52	--------	d-----w-	c:\program files\Paint.NET
2010-04-22 19:16 . 2010-04-22 19:16	--------	d-----w-	c:\program files\WiFiConnector
2010-04-20 11:48 . 2010-04-20 11:48	--------	d-----w-	c:\program files\Common Files\Skype
2010-04-18 20:35 . 2010-04-18 20:35	--------	d-----w-	c:\program files\AutoIt3
2010-04-18 20:32 . 2009-03-31 12:17	--------	d-----w-	c:\program files\Common Files\Adobe
2010-04-15 16:14 . 2010-04-15 15:57	89280248	----a-w-	c:\users\Hendrik\AppData\Roaming\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-04-08 11:20 . 2010-04-08 11:20	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-04-08 11:20 . 2010-04-08 11:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
2010-03-27 23:15 . 2010-03-27 23:15	79144	----a-w-	c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-24 20:40 . 2009-03-31 12:13	107024	----a-w-	c:\users\Hendrik\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-24 19:55 . 2009-04-05 09:57	107024	----a-w-	c:\users\Gast\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-19 12:25 . 2009-04-25 10:05	977816 begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************05 977816******end_of_the_skype_highlighting	----a-w-	c:\program files\HyCam2.exe
2010-03-17 20:39 . 2010-03-17 20:39	509552	----a-w-	c:\programdata\Google\Google Toolbar\Update\gtbFF1E.tmp.exe
2010-03-15 12:45 . 2009-04-25 10:05	5784	----a-w-	c:\program files\HyCam2.tlb
2010-03-12 11:55 . 2009-04-25 10:05	115216	----a-w-	c:\program files\HyCam2.chm
2010-03-12 10:50 . 2009-04-25 10:05	173992	----a-w-	c:\program files\UnHyCam2.exe
2010-03-11 18:16 . 2009-04-25 10:05	132608	----a-w-	c:\program files\CamRes2.dll
2009-12-31 16:03 . 2009-04-25 10:05	44032	----a-w-	c:\program files\MClick2.dll
2008-07-02 03:28 . 2008-07-02 03:28	61440	----a-w-	c:\program files\Common Files\CPInstallAction.dll
2008-05-23 10:08 . 2009-04-25 10:05	3271	----a-w-	c:\program files\agreement.txt
2008-05-22 17:35 . 2008-05-22 17:35	51962	----a-w-	c:\program files\Common Files\banner.jpg
2007-06-12 18:34 . 2007-06-12 18:34	35822	----a-w-	c:\program files\Common Files\ASPG_icon.ico
2006-07-09 04:13 . 2009-04-25 10:05	82	----a-w-	c:\program files\HomePage.url
2004-05-05 11:57 . 2009-04-25 10:05	2018	----a-w-	c:\program files\readme.txt
2004-04-22 10:00 . 2009-04-25 10:05	626	----a-w-	c:\program files\HyCam2.exe.manifest
1999-06-24 10:49 . 2009-04-25 10:05	421	----a-w-	c:\program files\8-44100u.wav
1999-06-24 10:49 . 2009-04-25 10:05	587	----a-w-	c:\program files\8-44100d.wav
1999-06-24 10:47 . 2009-04-25 10:05	225	----a-w-	c:\program files\8-22050u.wav
1999-06-24 10:47 . 2009-04-25 10:05	317	----a-w-	c:\program files\8-22050d.wav
1999-06-24 10:46 . 2009-04-25 10:05	135	----a-w-	c:\program files\8-11025u.wav
1999-06-24 10:46 . 2009-04-25 10:05	183	----a-w-	c:\program files\8-11025d.wav
1999-06-24 10:44 . 2009-04-25 10:05	127	----a-w-	c:\program files\8-8000u.wav
1999-06-24 10:43 . 2009-04-25 10:05	151	----a-w-	c:\program files\8-8000d.wav
1999-06-24 10:41 . 2009-04-25 10:05	220	----a-w-	c:\program files\16-8000u.wav
1999-06-24 10:40 . 2009-04-25 10:05	260	----a-w-	c:\program files\16-8000d.wav
1999-06-24 10:38 . 2009-04-25 10:05	956	----a-w-	c:\program files\16-44100u.wav
1999-06-24 10:37 . 2009-04-25 10:05	1186	----a-w-	c:\program files\16-44100d.wav
1999-06-24 10:34 . 2009-04-25 10:05	442	----a-w-	c:\program files\16-22050u.wav
1999-06-24 10:34 . 2009-04-25 10:05	652	----a-w-	c:\program files\16-22050d.wav
1999-06-24 09:54 . 2009-04-25 10:05	340	----a-w-	c:\program files\16-11025d.wav
1999-06-24 09:50 . 2009-04-25 10:05	326	----a-w-	c:\program files\16-11025u.wav
2009-03-31 20:47 . 2009-03-31 19:28	324976	----a-w-	c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-11-05 14:16 . 2009-03-31 16:07	119808	----a-w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}"= "c:\program files\Softonic_Deutsch\tbSoft.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}]
2009-12-31 09:53	2349080	----a-w-	c:\program files\Softonic_Deutsch\tbSoft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "c:\program files\FreeRIP3\Toolband.dll" [2009-10-16 282624]
"{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}"= "c:\program files\Softonic_Deutsch\tbSoft.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]

[HKEY_CLASSES_ROOT\clsid\{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{081230F8-EA50-42A9-983C-D22ABC2EED3B}"= "c:\program files\FreeRIP3\Toolband.dll" [2009-10-16 282624]

[HKEY_CLASSES_ROOT\clsid\{081230f8-ea50-42a9-983c-d22abc2eed3b}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{0097E905-1DFB-4A9C-9871-A4F95FD58945}]
[HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-02-03 394984]
"ICQ"="c:\program files\ICQ7.0\ICQ.exe" [2010-06-08 133368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"CLMLServer"="c:\program files\ASUS\AI TouchMedia\AI TouchMedia\Kernel\CLML\CLMLSvc.exe" [2008-06-12 196608]
"P2Go_Menu"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"PCMAgent"="c:\program files\ASUS\AI TouchMedia\AI TouchMedia\PCMAgent.exe" [2008-06-12 212992]
"PlayMovie"="c:\program files\ASUS\AI TouchMedia\PlayMovie\PMVService.exe" [2008-05-20 172032]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-05 30192]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-01-12 98304]
"ATKOSD2"="c:\program files\ASUS\ATKOSD2\ATKOSD2.exe" [2008-07-15 7651328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-25 159744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1328424]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ulead Memory Card Detector"="c:\program files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe" [2002-09-12 40960]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2008-12-05 3054136]
"ASUS Camera ScreenSaver"="c:\windows\AsScrProlog.exe" [2008-12-05 47672]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

c:\users\Hendrik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-10 752168]
phase-6 Reminder.lnk - c:\program files\phase-6\phase-6\reminder\reminder.exe [2009-7-13 1032192]
Registrierungsprogramm ausfhren.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2010-4-22 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):79,2b,9c,45,85,67,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 135664]
R3 AVerAF15;AVerMedia BDA Digital Tuner;c:\windows\system32\Drivers\AVerAF15.sys [2007-07-17 269056]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-05 30192]
R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [2008-05-29 15416]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\ASUS\AI TouchMedia\PlayMovie\000.fcl [2008-05-20 61424]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-08-05 24640]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-03-30 1107336]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
S2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\plcndis5.sys [2004-05-17 17280]
S3 DCamUSBET;USB2.0 1.3M UVC WebCam;c:\windows\system32\DRIVERS\etDevice.sys [2007-09-06 474624]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\DRIVERS\etFilter.sys [2008-02-05 206464]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-12-19 54784]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-05-28 4233728]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-06-25 43040]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\DRIVERS\etScan.sys [2008-01-31 6528]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14	451872	----a-w-	c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhalt des "geplante Tasks" Ordners

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 20:57]

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 20:57]

2010-06-14 c:\windows\Tasks\User_Feed_Synchronization-{DC9042BE-4D87-4D79-99A4-F19A2CC94F8E}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1351351
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=ASUS&bmod=ASUS
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &FreeRIP Search - c:\program files\FreeRIP3\Toolband.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Hendrik\AppData\Roaming\Mozilla\Firefox\Profiles\6fbedacu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1351351&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://ogame.de/|hxxp://www.homebrewwelt.com/|hxxp://board.nostale.de/|hxxp://de.ikariam.com/|hxxp://de.mmogame.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1351351&q=
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Hendrik\AppData\Roaming\Mozilla\Firefox\Profiles\6fbedacu.default\extensions\{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}\components\FFExternalAlert.dll
FF - component: c:\users\Hendrik\AppData\Roaming\Mozilla\Firefox\Profiles\6fbedacu.default\extensions\{8dbb6d8e-e4a6-4e3b-9753-af78b226441c}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Hendrik\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\users\Hendrik\AppData\Roaming\Mozilla\Firefox\Profiles\6fbedacu.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

AddRemove-eBay Icon - c:\users\Hendrik\AppData\Roaming\Desktopicon\uninst.exe
AddRemove-TeamSpeak 3 Client - h:\liberkey\MyApps\TeamSpeak\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-06-14 14:51
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\ASUS\AI TouchMedia\PlayMovie\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1470412310-2290689196-1735228460-1000\Software\SecuROM\License information*]
"datasecu"=hex:62,df,fe,c0,aa,11,50,bd,b4,2b,29,02,13,41,bb,f8,b3,86,d9,01,89,
   59,26,aa,85,08,bc,05,33,ca,51,f5,1e,f0,26,f1,46,03,42,9e,5a,c1,12,a8,71,70,\
"rkeysecu"=hex:2e,8d,de,ce,c6,38,c5,a5,de,58,6b,db,03,d5,6e,a8

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000000
.
Zeit der Fertigstellung: 2010-06-14  14:59:05
ComboFix-quarantined-files.txt  2010-06-14 12:58

Vor Suchlauf: 12 Verzeichnis(se), 65'203'277'824 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 65'566'289'920 Bytes frei

- - End Of File - - 73A17D21214721073EBC54C51D47908F

--- --- ---

cosinus · 14.06.2010, 14:09

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus

Herku · 18.06.2010, 14:06

So hab jetzt schonmal GMER:
GMER Logfile:
GMER Logfile:

Code:

ATTFilter

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-06-18 15:04:57
Windows 6.0.6002 Service Pack 2
Running: o7io8gh6.exe; Driver: C:\Users\Hendrik\AppData\Local\Temp\kxddipoc.sys


---- System - GMER 1.0.15 ----

SSDT            9D9F563C                                                                                             ZwCreateThread
SSDT            9D9F5628                                                                                             ZwOpenProcess
SSDT            9D9F562D                                                                                             ZwOpenThread
SSDT            9D9F5637                                                                                             ZwTerminateProcess

Code            A6432C4C                                                                                             ZwTraceEvent
Code            A6432C4B                                                                                             NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!NtTraceEvent                                                                            82A77376 5 Bytes  JMP A6432C50 
.text           ntkrnlpa.exe!KeSetEvent + 221                                                                        82AF8984 4 Bytes  [3C, 56, 9F, 9D] {CMP AL, 0x56; LAHF ; POPF }
.text           ntkrnlpa.exe!KeSetEvent + 3F1                                                                        82AF8B54 4 Bytes  [28, 56, 9F, 9D] {SUB [ESI-0x61], DL; POPF }
.text           ntkrnlpa.exe!KeSetEvent + 40D                                                                        82AF8B70 4 Bytes  [2D, 56, 9F, 9D]
.text           ntkrnlpa.exe!KeSetEvent + 621                                                                        82AF8D84 4 Bytes  [37, 56, 9F, 9D] {AAA ; PUSH ESI; LAHF ; POPF }
PAGE            ntkrnlpa.exe!NtRequestPort + 2                                                                       82C57F08 5 Bytes  JMP A6432CF0 
PAGE            ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2                                                           82C8949B 5 Bytes  JMP A6432E30 
PAGE            ntkrnlpa.exe!NtRequestWaitReplyPort + 2                                                              82C8FA70 5 Bytes  JMP A6432D90 
.text           C:\Windows\system32\DRIVERS\nvlddmkm.sys                                                             section is writeable [0x8E804340, 0x3EB477, 0xE8000020]
                C:\Program Files\ASUS\AI TouchMedia\PlayMovie\000.fcl                                                entry point in "" section [0xA304341C]
.clc            C:\Program Files\ASUS\AI TouchMedia\PlayMovie\000.fcl                                                unknown last code section [0xA3044000, 0x1000, 0xE0000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [74007817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                 [7405A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]             [7400BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]       [73FFF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                 [740075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [73FFE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [74038395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]     [7400DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]             [73FFFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [73FFFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]               [73FF71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]       [7408CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [7402C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]             [73FFD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                       [73FF6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [73FF687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[5516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]         [74002AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                             fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243c50f6f                          
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243c50f6f@001e7d9535cc             0x3E 0x90 0xB7 0x22 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243c50f6f@0026bbb03166             0xF9 0x97 0x24 0x65 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002243c50f6f (not active ControlSet)      
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002243c50f6f@001e7d9535cc                 0x3E 0x90 0xB7 0x22 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002243c50f6f@0026bbb03166                 0xF9 0x97 0x24 0x65 ...

---- EOF - GMER 1.0.15 ----

--- --- ---

--- --- ---

Code:

ATTFilter

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 15:28:20 on 18.06.2010

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Mozilla Corporation Firefox 3.6.3

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[AppInit DLLs]
-----( HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows )-----
"AppInit_DLLs" - "Google" - C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLCFG32.CPL
"Pando" - "Pando Networks" - C:\Program Files\Pando Networks\Media Booster\PMB.cpl
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ASMMAP" (ASMMAP) - ? - C:\Program Files\ATKGFNEX\ASMMAP.sys
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\Users\Hendrik\AppData\Local\Temp\catchme.sys  (File not found)
"FsUsbExDisk" (FsUsbExDisk) - ? - C:\Windows\system32\FsUsbExDisk.SYS  (File found, but it contains no detailed information)
"ghaio" (ghaio) - ? - C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys  (File found, but it contains no detailed information)
"Hamachi Network Interface" (hamachi) - "LogMeIn, Inc." - C:\Windows\System32\DRIVERS\hamachi.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"kxddipoc" (kxddipoc) - ? - C:\Users\Hendrik\AppData\Local\Temp\kxddipoc.sys  (Hidden registry entry, rootkit activity | File not found)
"lullaby" (lullaby) - "Windows (R) Codename Longhorn DDK provider" - C:\Windows\System32\DRIVERS\lullaby.sys
"Nintendo Wi-Fi USB Connector Service" (RT25USBAP) - "Ralink Technology Inc." - C:\Windows\System32\DRIVERS\rt25usbap.sys
"PLCNDIS5 NDIS Protocol Driver" (PLCNDIS5) - "Intellon, Inc." - C:\Windows\system32\plcndis5.sys
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\Windows\System32\Drivers\PxHelp20.sys
"SbieDrv" (SbieDrv) - "tzuk" - C:\Program Files\Sandboxie\SbieDrv.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}" ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796}) - "Cyberlink Corp." - C:\Program Files\ASUS\AI TouchMedia\PlayMovie\000.fcl

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{10880D85-AAD9-4558-ABDC-2AB1552D831F} "LightScribe Control Panel" - "Hewlett-Packard Company" - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
{03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -   (File not found | COM-object registry key not found)
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -   (File not found | COM-object registry key not found)
{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} "dBpoweramp Music Converter" - ? -   (File not found | COM-object registry key not found)
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -   (File not found | COM-object registry key not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -   (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL
{00020d75-0000-0000-c000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -   (File not found | COM-object registry key not found)
{06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "FreeRIP.com Toolbar" - ? - C:\Program Files\FreeRIP3\Toolband.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
<binary data> "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" - ? -   (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks )-----
{855F3B16-6D32-4fe6-8A56-BBB695989046} "ICQToolBar" - "ICQ" - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
{8dbb6d8e-e4a6-4e3b-9753-af78b226441c} "Softonic Deutsch Toolbar" - "Conduit Ltd." - C:\Program Files\Softonic_Deutsch\tbSoft.dll
 "{855F3B16-6D32-4fe6-8A56-BBB695989046}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_20.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
"ICQ7" - "ICQ, LLC." - C:\Program Files\ICQ7.0\ICQ.exe
{5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "&Windows Live Toolbar" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll
<binary data> "FreeRIP.com Toolbar" - ? - C:\Program Files\FreeRIP3\Toolband.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
{855F3B16-6D32-4fe6-8A56-BBB695989046} "ICQToolBar" - "ICQ" - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "NCO Toolbar 2.0" - ? -   (File not found | COM-object registry key not found)
{8dbb6d8e-e4a6-4e3b-9753-af78b226441c} "Softonic Deutsch Toolbar" - "Conduit Ltd." - C:\Program Files\Softonic_Deutsch\tbSoft.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} "Search Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
{8dbb6d8e-e4a6-4e3b-9753-af78b226441c} "Softonic Deutsch Toolbar" - "Conduit Ltd." - C:\Program Files\Softonic_Deutsch\tbSoft.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live ID-Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll
{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? -   (File not found | COM-object registry key not found)
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} "{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" - ? -   (File not found | COM-object registry key not found)
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} "{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" - ? -   (File not found | COM-object registry key not found)

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Users\Hendrik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"OpenOffice.org 3.1.lnk" - ? - C:\Program Files\OpenOffice.org 3\program\quickstart.exe  (Shortcut exists | File found, but it contains no detailed information | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"Bluetooth.lnk" - "Broadcom Corporation." - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"phase-6 Reminder.lnk" - "phase-6" - C:\Program Files\phase-6\phase-6\reminder\reminder.exe  (Shortcut exists | File exists)
"Registrierungsprogramm ausführen.lnk" - ? - C:\Program Files\WiFiConnector\NintendoWFCReg.exe  (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"AutoStartNPSAgent" - "Samsung Electronics Co., Ltd." - C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
"ICQ" - "ICQ, LLC." - "C:\Program Files\ICQ7.0\ICQ.exe" silent loginmode=4
"LightScribe Control Panel" - "Hewlett-Packard Company" - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"msnmsgr" - "Microsoft Corporation" - "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
"SandboxieControl" - "tzuk" - "C:\Program Files\Sandboxie\SbieCtrl.exe"
"Skype" - "Skype Technologies S.A." - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"swg" - "Google Inc." - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AppleSyncNotifier" - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
"ASUS Camera ScreenSaver" - ? - C:\Windows\AsScrProlog.exe  (File found, but it contains no detailed information)
"ASUS Screen Saver Protector" - "ASUS" - C:\Windows\AsScrPro.exe
"ATKMEDIA" - "ASUS" - C:\Program Files\ASUS\ATK Media\DMedia.exe
"ATKOSD2" - "ASUS" - C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"BrMfcWnd" - "Brother Industries, Ltd." - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
"CLMLServer" - "CyberLink" - "C:\Program Files\ASUS\AI TouchMedia\AI TouchMedia\Kernel\CLML\CLMLSvc.exe"
"ControlCenter3" - "Brother Industries, Ltd." - C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
"Google Desktop Search" - "Google" - "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HControlUser" - ? - C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
"IndexSearch" - "Nuance Communications, Inc." - "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"
"LogMeIn Hamachi Ui" - "LogMeIn Inc." - "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
"P2Go_Menu" - "CyberLink Corp." - "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
"PaperPort PTD" - "Nuance Communications, Inc." - "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
"PCMAgent" - "CyberLink Corp." - "C:\Program Files\ASUS\AI TouchMedia\AI TouchMedia\PCMAgent.exe"
"PlayMovie" - "CyberLink Corp." - "C:\Program Files\ASUS\AI TouchMedia\PlayMovie\PMVService.exe"
"PPort11reminder" - "Nuance Communications, Inc." - "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SSBkgdUpdate" - "Nuance Communications, Inc." - "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
"Ulead Memory Card Detector" - "Ulead Systems, Inc." - C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Apache2.2" (Apache2.2) - "Apache Software Foundation" - C:\xampp\apache\bin\httpd.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"ASLDR Service" (ASLDRService) - ? - C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
"ATKGFNEX Service" (ATKGFNEXSrv) - ? - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Bluetooth Service" (btwdins) - "Broadcom Corporation." - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"FileZilla Server" (FileZilla Server) - "FileZilla Project" - C:\xampp\FileZillaFTP\FileZilla server.exe
"FsUsbExService" (FsUsbExService) - "Teruten" - C:\Windows\system32\FsUsbExService.Exe
"Google Desktop Manager 5.9.909.30391" (GoogleDesktopManager-093009-130223) - "Google" - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"ICQ Service" (ICQ Service) - ? - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"LightScribeService Direct Disc Labeling Service" (LightScribeService) - "Hewlett-Packard Company" - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
"LogMeIn Hamachi 2.0 Tunneling Engine" (Hamachi2Svc) - "LogMeIn Inc." - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"MySQL" (MySQL) - ? - C:\xampp\mysql\bin\mysqld.exe  (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Sandboxie Service" (SbieSvc) - "tzuk" - C:\Program Files\Sandboxie\SbieSvc.exe
"SeaPort" (SeaPort) - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
"ServiceLayer" (ServiceLayer) - "Nokia." - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"spmgr" (spmgr) - ? - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
"Windows Live ID Sign-in Assistant" (wlidsvc) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Der andere kommt dann schnellstmöglich nach.

EDIT: Osam angefügt

cosinus · 19.06.2010, 15:07

Sieht ok aus, keine Hinweise auf Rootkits!

Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!

10.06.2010, 21:20	#2
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Messenger Virus Hallo und Mach bitte einen Vollscan mit Malwarebytes und poste auch das Log. __________________ __________________

14.06.2010, 14:09	#6
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Messenger Virus Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus __________________ --> Messenger Virus

19.06.2010, 15:07	#8
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Messenger Virus Sieht ok aus, keine Hinweise auf Rootkits! Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!! __________________ Logfiles bitte immer in CODE-Tags posten

Messenger Virus

Plagegeister aller Art und deren Bekämpfung: Messenger Virus

Messenger Virus

Messenger Virus

Messenger Virus

Messenger Virus

Messenger Virus

Messenger Virus

Messenger Virus

Messenger Virus

Ähnliche Themen: Messenger Virus