|
Plagegeister aller Art und deren Bekämpfung: Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sysWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
16.08.2010, 07:45 | #1 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Hallo, ich bekomme folgenden Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys über Malwarebytes nicht gelöscht. Über Eure Hilfe wäre ich sehr dankbar! Anbei die entsprechenden Logfiles: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4434 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 16.08.2010 08:28:20 mbam-log-2010-08-16 (08-28-20).txt Art des Suchlaufs: Quick-Scan Durchsuchte Objekte: 135462 Laufzeit: 25 Minute(n), 15 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 1 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Rootkit.Agent) -> No action taken. OTLOTL Logfile: Code:
ATTFilter OTL logfile created on: 16.08.2010 07:03:38 - Run 2 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Dokumente und Einstellungen\Administrator\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 511,00 Mb Total Physical Memory | 50,00 Mb Available Physical Memory | 10,00% Memory free 1,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 37,25 Gb Total Space | 18,67 Gb Free Space | 50,12% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: GAL-0GHQ06EMM55 Current User Name: Administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe () PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe (RealNetworks, Inc.) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH) PRC - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.) PRC - C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Programme\Windows Live Toolbar\msn_sl.exe (Microsoft Corporation) PRC - C:\Programme\Mindjet\MindManager 6\MmReminderService.exe (Mindjet) PRC - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH) PRC - C:\Programme\WinZip\WZQKPICK.EXE (WinZip Computing LP) PRC - C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe (H+BEDV Datentechnik GmbH) PRC - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.) PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE.EXE (SEIKO EPSON CORPORATION) PRC - C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe (Tracker Software Products Ltd.) PRC - C:\WINDOWS\twain_32\SlimU2\HotKey.Exe (Pmx. Electronics Ltd.) PRC - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.) ========== Modules (SafeList) ========== MOD - C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (Apple Mobile Device) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.) SRV - (WLSetupSvc) -- C:\Programme\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation) SRV - (AntiVirScheduler) -- C:\Programme\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH) SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation) SRV - (CVPND) -- C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.) SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH) DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH) DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH) DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH) DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.) DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.) DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.) DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC) DRV - (rtl8139) NT-Treiber für Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek Semiconductor Corporation) DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys () DRV - (WBSD) Winbond Secure Digital Storage (SD/MMC) -- C:\WINDOWS\system32\drivers\wbsd.sys (Winbond Electronics Corp.) DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (w70n51) Intel(R) -- C:\WINDOWS\system32\drivers\w70n51.sys (Intel® Corporation) DRV - (OVT511Plus) -- C:\WINDOWS\system32\drivers\omcamvid.sys (OmniVision Technologies, Inc.) DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://www.google.com/ie IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010.03.09 22:10:36 | 000,000,000 | ---D | M] O1 HOSTS File: ([2002.08.29 22:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx () O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O2 - BHO: (CmjBrowserHelperObject Object) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll (Mindjet) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.) O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION) O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION) O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION) O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.) O4 - HKLM..\Run: [avgnt] C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe (H+BEDV Datentechnik GmbH) O4 - HKLM..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE (SEIKO EPSON CORPORATION) O4 - HKLM..\Run: [HotKey] C:\WINDOWS\twain_32\SlimU2\HotKey.Exe (Pmx. Electronics Ltd.) O4 - HKLM..\Run: [MMReminderService] C:\Programme\Mindjet\MindManager 6\MmReminderService.exe (Mindjet) O4 - HKLM..\Run: [pdfSaver3] File not found O4 - HKLM..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKCU..\Run: [MsnMsgr] C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe File not found O4 - HKCU..\Run: [pdfSaver3] C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe (Tracker Software Products Ltd.) O4 - HKCU..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - Startup: C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk = C:\Programme\Yahoo!\Widgets\YahooWidgets.exe File not found O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.) O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\t@x aktuell.lnk = C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe () O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VPN Client.lnk = C:\WINDOWS\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico () O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE (WinZip Computing LP) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: &Windows Live Search - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O8 - Extra context menu item: Digest - C:\Programme\NeuroPower\Digest2005\NPDigest.htm.ie () O8 - Extra context menu item: Google Sidewiki... - C:\Programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.) O9 - Extra Button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll (Mindjet) O9 - Extra Button: Digest - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Programme\NeuroPower\Digest2005\Iereg.exe () O9 - Extra 'Tools' menuitem : Digest - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Programme\NeuroPower\Digest2005\Iereg.exe () O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O12 - Plugin for: .spop - C:\Programme\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.) O15 - HKCU\..Trusted Domains: ([]msn in My Computer) O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab (Reg Error: Key error.) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.) O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.) O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} hxxp://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine) O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab (RdxIE Class) O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class) O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab (IPSUploader4 Control) O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab (IPSUploader4 Control) O16 - DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_10) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06) O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09) O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10) O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01) O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.05.06 20:12:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{fd8ee1e0-be6c-11db-8f74-00042371d4f1}\Shell - "" = AutoRun O33 - MountPoints2\{fd8ee1e0-be6c-11db-8f74-00042371d4f1}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{fd8ee1e0-be6c-11db-8f74-00042371d4f1}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010.08.15 22:38:10 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Malwarebytes [2010.08.15 22:37:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010.08.15 22:37:44 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes [2010.08.15 22:37:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010.08.15 22:37:42 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2010.08.15 22:37:00 | 006,153,648 | ---- | C] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\Administrator\Desktop\mbam-setup.exe [2010.08.15 22:33:00 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe [2010.08.15 22:20:37 | 000,057,344 | ---- | C] (H+BEDV Datentechnik GmbH) -- C:\WINDOWS\System32\avsda.dll [2010.08.15 22:20:34 | 000,000,000 | ---D | C] -- C:\Programme\AntiVir PersonalEdition Classic [2010.08.15 22:20:34 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic [2010.08.15 22:19:03 | 066,950,544 | ---- | C] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\mpam-fe.exe [2010.08.15 22:14:33 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe [2010.08.13 16:58:11 | 000,000,000 | -HSD | C] -- C:\Config.Msi [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010.08.16 07:19:06 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\lpvmtsvd.sys [2010.08.16 07:16:17 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\Auf Updates für Windows Live Toolbar prüfen.job [2010.08.16 07:00:20 | 000,002,423 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VPN Client.lnk [2010.08.16 06:59:13 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010.08.16 06:59:09 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job [2010.08.16 06:59:04 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010.08.16 06:59:03 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job [2010.08.16 06:58:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010.08.16 06:58:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010.08.16 06:56:47 | 008,912,896 | -H-- | M] () -- C:\Dokumente und Einstellungen\Administrator\NTUSER.DAT [2010.08.16 06:56:47 | 000,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\Administrator\ntuser.ini [2010.08.16 06:55:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010.08.15 22:39:50 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job [2010.08.15 22:37:56 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.08.15 22:37:05 | 006,153,648 | ---- | M] (Malwarebytes Corporation ) -- C:\Dokumente und Einstellungen\Administrator\Desktop\mbam-setup.exe [2010.08.15 22:33:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe [2010.08.15 22:20:43 | 000,001,719 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\AntiVir PE Classic.lnk [2010.08.15 22:19:17 | 066,950,544 | ---- | M] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\mpam-fe.exe [2010.08.15 16:36:45 | 000,000,558 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Administrator.job [2010.08.15 15:43:31 | 000,463,354 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat [2010.08.15 15:43:31 | 000,444,820 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010.08.15 15:43:31 | 000,072,696 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010.08.15 15:43:30 | 000,086,198 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat [2010.08.15 15:43:24 | 001,074,600 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010.08.15 15:26:46 | 000,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010.08.13 17:11:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010.08.13 17:08:39 | 000,000,664 | ---- | M] () -- C:\WINDOWS\win.ini [2010.08.13 16:54:18 | 000,000,186 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI [2010.08.02 21:43:54 | 000,055,907 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Impfkalender.pdf [2010.07.30 19:53:16 | 000,872,960 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Zukunft der Krankenhäuser.ppt [2010.07.29 21:36:26 | 001,094,486 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Hammer Unterlagen.pdf [2010.07.29 21:20:57 | 001,172,992 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Katholische Krankenhäuser2.ppt [2010.07.27 08:29:42 | 008,503,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll [2010.07.25 21:20:51 | 000,074,406 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Rechnung Rollo Rieper.pdf [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010.08.15 22:37:56 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010.08.15 22:20:43 | 000,001,719 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\AntiVir PE Classic.lnk [2010.08.02 21:43:48 | 000,055,907 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Impfkalender.pdf [2010.07.30 19:53:16 | 000,872,960 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Zukunft der Krankenhäuser.ppt [2010.07.29 21:36:12 | 001,094,486 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Hammer Unterlagen.pdf [2010.07.29 21:20:57 | 001,172,992 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Katholische Krankenhäuser2.ppt [2010.07.25 21:20:45 | 000,074,406 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Rechnung Rollo Rieper.pdf [2010.04.15 13:39:17 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI [2010.03.22 21:07:39 | 000,741,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\lpvmtsvd.sys [2010.03.09 22:25:14 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2008.11.21 23:47:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll [2008.11.21 23:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2008.11.21 23:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2008.11.21 23:44:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2007.10.08 14:54:47 | 000,001,059 | ---- | C] () -- C:\WINDOWS\WISO.INI [2006.11.14 00:15:38 | 000,000,099 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini [2006.11.14 00:11:43 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE R240R245EU.ini [2006.10.03 12:25:26 | 000,000,274 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2006.05.08 22:19:12 | 000,003,319 | ---- | C] () -- C:\WINDOWS\tm.ini [2006.05.08 22:15:25 | 000,000,267 | ---- | C] () -- C:\WINDOWS\buhl.ini [2006.05.08 09:47:59 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll [2006.05.08 09:47:54 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll [2006.05.08 09:39:22 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006.05.07 17:43:45 | 000,065,568 | R--- | C] () -- C:\WINDOWS\System32\drivers\btwusb.sys [2006.05.07 17:43:45 | 000,017,388 | R--- | C] () -- C:\WINDOWS\System32\drivers\frmupgr.sys [2006.05.07 17:43:41 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\btw_ci.dll [2005.11.04 11:21:48 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll [2005.11.04 10:21:24 | 000,189,480 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll [2003.04.25 04:59:46 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll [2003.02.20 17:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [2001.09.18 13:00:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\bmpproc.dll [2001.02.14 23:00:00 | 000,287,744 | ---- | C] () -- C:\WINDOWS\uno364mi.dll [2001.02.14 23:00:00 | 000,109,568 | ---- | C] () -- C:\WINDOWS\vos364mi.dll [2001.02.14 23:00:00 | 000,091,648 | ---- | C] () -- C:\WINDOWS\osl364mi.dll [2001.02.14 23:00:00 | 000,000,083 | ---- | C] () -- C:\WINDOWS\uno.ini < End of report > OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 16.08.2010 07:03:38 - Run 2 OTL by OldTimer - Version 3.2.9.1 Folder = C:\Dokumente und Einstellungen\Administrator\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 511,00 Mb Total Physical Memory | 50,00 Mb Available Physical Memory | 10,00% Memory free 1,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 37,25 Gb Total Space | 18,67 Gb Free Space | 50,12% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: GAL-0GHQ06EMM55 Current User Name: Administrator Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015 "1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016 "500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017 "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015 "1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016 "500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017 "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" = C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found "C:\Programme\Windows Live\Messenger\livecall.exe" = C:\Programme\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Programme\Java\j2re1.4.2_10\bin\javaw.exe" = C:\Programme\Java\j2re1.4.2_10\bin\javaw.exe:*:Enabled:javaw -- () "C:\Programme\Java\j2re1.4.2_10\bin\java.exe" = C:\Programme\Java\j2re1.4.2_10\bin\java.exe:*:Enabled:java -- () "C:\Programme\Kontiki\KService.exe" = C:\Programme\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- File not found "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.) "C:\Programme\Windows Live\Messenger\msnmsgr.exe" = C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found "C:\Programme\Windows Live\Messenger\livecall.exe" = C:\Programme\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found "C:\Programme\iTunes\iTunes.exe" = C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{00D0200F-3B4D-4A2F-869E-533ED835A943}" = Hervorhebe-Funktion (Windows Live Toolbar) "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour "{0AC49543-9CE2-4434-AD42-5AA6E2967FA5}" = Windows Live Toolbar "{0C3FB717-87A4-4634-84E7-C8D4ADA75C45}" = BDElster "{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1F2899C5-8938-4232-98CC-7A075ECB3172}" = t@x 2010 Standard "{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email "{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime "{218761F6-CBF6-4973-B910-A33E6563A1EA}" = Windows Live Toolbar-Erweiterung (Windows Live Toolbar) "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{24C67B54-0718-445E-B663-3138D9246BD1}" = Cisco Systems VPN Client 4.8.00.0440 "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11 "{27F650A9-6FAB-41C8-8621-92FF0118B0C4}" = EPSON Easy Photo Print "{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant "{2DD6C198-FA9A-40B4-8DE5-CE5206E3EB34}" = Smart Menus (Windows Live Toolbar) "{30145F57-0736-419A-98B0-954E97981B35}" = CortalConsors TradingAPI DE 1.0.7 "{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6 "{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9 "{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10 "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1 "{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2 "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3 "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5 "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7 "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth "{40030378-9EB9-482A-AC10-195097CA624D}" = t@x 2009 Standard "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{7148F0A8-6813-11D6-A77B-00B0D0142100}" = Java 2 Runtime Environment, SE v1.4.2_10 "{73006B34-9743-4A39-AC37-38EDFCEB6DCE}" = Adobe Product/Adobe Studio Update 10/2001 "{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762 "{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites für Windows Live Toolbar "{7A7B0BF3-2F00-4F03-8A9B-6ABCC07B90C6}" = Windows Live installer "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec "{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page "{804DE1A3-45D2-4AAC-8526-E9ADE47D84DF}" = Mindjet MindManager Pro 6 "{80A97464-A741-44B0-8AD6-0C16B1FEF7F6}" = Norton Security Scan "{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent "{89EC8757-A934-11D6-8732-00105A376200}" = mapserver 4 COM-Module "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player "{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003 "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9F45E494-BFFB-4E85-B821-59BF40636640}" = Buhl finance - tax money "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2 "{D8D22773-14BF-4178-A683-3DBA515C2A26}" = WISO Mein Geld 2008 Professional "{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari "{E0091C29-DEE8-4B24-BF65-8C35B5940D77}" = Letstrade "{E728E952-DD4F-4BCD-A5C8-40FBFEFF91FE}" = OpenOffice.org Installer 1.0 "{E86BC406-944E-41F6-ADE6-2C136734C96B}" = EPSON File Manager "{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0 "Adobe Acrobat 5.0" = Adobe Acrobat 5.0 "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player Plugin "Adobe Shockwave Player" = Adobe Shockwave Player "Agere Systems Soft Modem" = Agere Systems AC'97 Modem "AntiVir PersonalEdition Classic" = Avira AntiVir PersonalEdition Classic "ATI Display Driver" = ATI Display Driver "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "Digest2005_is1" = Neuropower Digest 2005 "EPSON Printer and Utilities" = EPSON-Drucker-Software "ESPR240-Benutzerhandbuch" = ESPR240-Benutzerhandbuch "GMX ProfiFax" = GMX ProfiFax "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NeroShowTime!UninstallKey" = Nero ShowTime CE "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "NSS" = Norton Security Scan "PDF-XChange 3_is1" = PDF-XChange 3.0 "RealPlayer 12.0" = RealPlayer "Slim USB2 Scanner" = Slim USB2 Scanner "Windows Live Toolbar" = Windows Live Toolbar "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinZip" = WinZip "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "ActiveTrader 4.2.10_b1" = ActiveTrader 4.2.10_b1 ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 03.07.2010 16:00:09 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 25.07.2010 14:23:17 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083 Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 25.07.2010 14:23:17 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083 Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 01.08.2010 12:40:55 | Computer Name = GAL-0GHQ06EMM55 | Source = Avira AntiVir | ID = 4112 Description = Bei der Anforderung nach einer Resource des Betriebssystems trat ein Fehler auf. Die Resource 'ThreadInit' wurde nicht zugewiesen. Der Grund hierfür könnte zu wenig Hauptspeicher oder ein anderer Systemfehler sein. Fehlercode: 0x18 Error - 15.08.2010 09:43:55 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung OUTLOOK.EXE, Version 11.0.8325.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 15.08.2010 09:43:56 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung OUTLOOK.EXE, Version 11.0.8325.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 15.08.2010 10:43:09 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083 Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 15.08.2010 10:43:09 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083 Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 15.08.2010 16:08:40 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung explorer.exe, Version 6.0.2900.5512, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 15.08.2010 17:37:36 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. [ System Events ] Error - 15.08.2010 09:29:44 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7009 Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst HTTP-SSL. Error - 15.08.2010 09:29:44 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7000 Description = Der Dienst "HTTP-SSL" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error - 15.08.2010 17:15:10 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: PCIIde Error - 15.08.2010 17:16:42 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106 Description = Die Schnittstelle "{AC3C477C-D918-4C8F-BA84-F819CB6E53BF}" kann nicht zu dem Router-Manager für das Protokoll IP hinzugefügt werden. Fehler: Die Funktion kann nicht abgeschlossen werden. Error - 15.08.2010 17:16:42 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106 Description = Die Schnittstelle "{97625F7E-271C-44DA-A5CD-435D5B45FBEB}" kann nicht zu dem Router-Manager für das Protokoll IP hinzugefügt werden. Fehler: Die Funktion kann nicht abgeschlossen werden. Error - 15.08.2010 17:16:42 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106 Description = Die Schnittstelle "{5CB68A60-E046-448D-83BB-78B5A34E6877}" kann nicht zu dem Router-Manager für das Protokoll IP hinzugefügt werden. Fehler: Die Funktion kann nicht abgeschlossen werden. Error - 16.08.2010 00:59:26 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: PCIIde Error - 16.08.2010 01:01:14 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106 Description = Die Schnittstelle "{AC3C477C-D918-4C8F-BA84-F819CB6E53BF}" kann nicht zu dem Router-Manager für das Protokoll IP hinzugefügt werden. Fehler: Die Funktion kann nicht abgeschlossen werden. Error - 16.08.2010 01:01:14 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106 Description = Die Schnittstelle "{97625F7E-271C-44DA-A5CD-435D5B45FBEB}" kann nicht zu dem Router-Manager für das Protokoll IP hinzugefügt werden. Fehler: Die Funktion kann nicht abgeschlossen werden. Error - 16.08.2010 01:01:14 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106 Description = Die Schnittstelle "{5CB68A60-E046-448D-83BB-78B5A34E6877}" kann nicht zu dem Router-Manager für das Protokoll IP hinzugefügt werden. Fehler: Die Funktion kann nicht abgeschlossen werden. < End of report > |
16.08.2010, 08:22 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Hallo,
__________________Bitte Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus Anschließend den bootkit_remover herunterladen. Entpacke das Tool in einen eigenen Ordner auf dem Desktop und führe in diesem Ordner die Datei remove.exe aus. Wenn Du Windows Vista oder Windows 7 verwendest, musst Du die remover.exe über ein Rechtsklick => als Administrator ausführen Ein schwarzes Fenster wird sich öffnen und automatisch nach bösartigen Veränderungen im MBR suchen. Poste dann bitte, ob es Veränderungen gibt und wenn ja in welchem device. Am besten alles posten was die remover.exe ausgibt.
__________________ |
16.08.2010, 19:58 | #3 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Hallo Arne,
__________________das log-file von GMER lautet: GMER Logfile: Code:
ATTFilter GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-08-16 20:15:11 Windows 5.1.2600 Service Pack 3 Running: lvug7xpi.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\kwaiifog.sys ---- System - GMER 1.0.15 ---- SSDT F8B62DE6 ZwCreateKey SSDT F8B62DDC ZwCreateThread SSDT F8B62DEB ZwDeleteKey SSDT F8B62DF5 ZwDeleteValueKey SSDT F8B62DFA ZwLoadKey SSDT F8B62DC8 ZwOpenProcess SSDT F8B62DCD ZwOpenThread SSDT F8B62E04 ZwReplaceKey SSDT F8B62DFF ZwRestoreKey SSDT F8B62DF0 ZwSetValueKey ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 150 804E27BC 1 Byte [F5] ? wutbfqq.sys Das System kann die angegebene Datei nicht finden. ! ? C:\WINDOWS\system32\drivers\lpvmtsvd.sys Ein an das System angeschlossenes Gerät funktioniert nicht. PAGE Ntfs.sys F82EDE55 4 Bytes CALL 823D2B09 ---- User code sections - GMER 1.0.15 ---- .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 41195501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 4126DB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 41364B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 41364AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 41364B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 41364972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 413649D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 41364BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 41364A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 41195501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 41269AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4125D135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 4126DB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 411D4666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 41364B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 41364AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 41364B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 41364972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 413649D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 41364BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 41364A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 4126DB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[2556] ole32.dll!OleLoadFromStream 774F9C85 5 Bytes JMP 41364EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 41195501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 41269AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4125D135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 4126DB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 411D4666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 41364B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 41364AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 41364B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 41364972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 413649D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 41364BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 41364A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 4126DB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3096] ole32.dll!OleLoadFromStream 774F9C85 5 Bytes JMP 41364EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Programme\Internet Explorer\iexplore.exe[2556] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programme\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) IAT C:\Programme\Internet Explorer\iexplore.exe[3096] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programme\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 82366DF8 ---- Services - GMER 1.0.15 ---- Service (*** hidden *** ) [BOOT] lpvmtsvd <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@Group Boot Bus Extender Reg HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@Type 1 Reg HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@Start 0 Reg HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@Group Boot Bus Extender Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A1ED4082D54CAA458629EDA4ED748FD\Usage@Program_Pro 1024508611 ---- EOF - GMER 1.0.15 ---- OSAM lässt sich leider nach dem Entpacken nicht öffnen. Als Grund wird ein Problem mit der Anwendungsdatei osam.exe angegeben. Dafür gibt der bootkiz_remover folgendes ab: Bootkit Remover (c) 2009 eSage Lab www.esagelab.com Program version: 1.1.0.0 OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600) System volume is \\.\C: \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 Boot sector MD5 is: 5ddc20efcc4d1dab37c348c7db7289cf Size Device Name MBR Status -------------------------------------------- 37 GB \\.\PhysicalDrive0 Unknown boot code Unknown boot code has been found on some of your physical disks. To inspect the boot code manually, dump the master boot sector: remover.exe dump <device_name> [output_file] To disinfect the master boot sector, use the following command: remover.exe fix <device_name> Done; Press any key to quit... Ich hoffe es hilft weiter. Danke vorab! |
16.08.2010, 21:28 | #5 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Danke für den Tipp!. hier ist das OSAM log file: OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 22:26:51 on 16.08.2010 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe "Auf Updates für Windows Live Toolbar prüfen.job" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\MSNTBUP.EXE "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "Norton Security Scan for Administrator.job" - "Symantec Corporation" - C:\Programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe "RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe "RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe "WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "Ddbaccpl.cpl" - "DataDesign AG" - C:\WINDOWS\system32\Ddbaccpl.cpl "ddBACCTM.cpl" - "DataDesign AG" - C:\WINDOWS\system32\ddBACCTM.cpl "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File signed by Microsoft | File found, but it contains no detailed information) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl "Avira AntiVir PersonalEdition Classic Konfiguration" - "Avira GmbH" - C:\PROGRA~1\ANTIVI~1\avconfig.cpl "QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys "i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "lpvmtsvd" (lpvmtsvd) - ? - C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Hidden file | Hidden registry entry, rootkit activity | File found, but it contains no detailed information) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys "vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\System32\vsdatant.sys "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) "WIDCOMM USB Bluetooth Driver" (BTWUSB) - ? - C:\WINDOWS\System32\Drivers\btwusb.sys [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Programme\7-Zip\7-zip.dll {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found) {1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found) {32683183-48a0-441b-a342-7c2a440a9478} "Media Band" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - c:\program files\real\realplayer\rpshell.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "H+BEDV Datentechnik GmbH" - C:\Programme\AntiVir PersonalEdition Classic\shlext.dll {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll [Internet Explorer] -----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )----- {32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" - ? - (File not found | COM-object registry key not found) -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found) <binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- DirectAnimation Java Classes "DirectAnimation Java Classes" - ? - (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\dajava.cab {67DABFBF-D0AB-41FA-9C46-CC0F21721616} "DivXBrowserPlugin Object" - "DivX,Inc." - C:\Programme\DivX\DivX Web Player\npdivx32.dll / hxxp://download.divx.com/player/DivXBrowserPlugin.cab {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab {CAC677B6-4963-4305-9066-0BD135CD9233} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader4.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} "Java Plug-in 1.4.2_10" - "JavaSoft / Sun Microsystems, Inc." - C:\Programme\Java\j2re1.4.2_10\bin\npjpi142_10.dll / hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} "Java Plug-in 1.5.0_09" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} "Java Plug-in 1.6.0_02" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} "Java Plug-in 1.6.0_03" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} "Java Plug-in 1.6.0_05" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab Microsoft XML Parser for Java "Microsoft XML Parser for Java" - ? - (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\xmldso.cab {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} "Office Update Installation Engine" - "Microsoft Corporation" - C:\WINDOWS\opuc.dll / hxxp://office.microsoft.com/officeupdate/content/opuc3.cab {56336BCB-3D8A-11D6-A00B-0050DA18DE71} "RdxIE Class" - "RealNetworks, Inc." - C:\WINDOWS\Downloaded Program Files\RdxIE.dll / hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab {166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab {644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab {0000000A-9980-0010-8000-00AA00389B71} "{0000000A-9980-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab {33564D57-0000-0010-8000-00AA00389B71} "{33564D57-0000-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB {33564D57-9980-0010-8000-00AA00389B71} "{33564D57-9980-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? - (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "Digest" - ? - C:\Programme\NeuroPower\Digest2005\iereg.exe (File found, but it contains no detailed information) {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL {AC41D38F-B56D-40AD-94E0-B493D130C959} "Send to Mindjet MindManager" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )----- "Location" - "InterTrust Technologies Corporation, Inc." - C:\Programme\Internet Explorer\Plugins\NPDocBox.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll <binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - ? - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx {AC41D38F-B56D-40AD-94E0-B493D130C959} "CmjBrowserHelperObject Object" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll {3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "Acrobat Assistant.lnk" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Shortcut exists | File exists) "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "t@x aktuell.lnk" - "R&S EDV-Beratung, Hannover" - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe (Shortcut exists | File exists) "VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Shortcut exists | File exists) "WinZip Quick Pick.lnk" - "WinZip Computing, S.L." - C:\Programme\WinZip\WZQKPICK.EXE (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini "Yahoo! Widgets.lnk" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk (Shortcut exists | File not found) -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "MsnMsgr" - ? - "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background (File not found) "pdfSaver3" - "Tracker Software Products Ltd." - "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" "Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\\Phone\Skype.exe" /nosplash /minimized "swg" - "Google Inc." - "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "avgnt" - "H+BEDV Datentechnik GmbH" - "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min "HotKey" - "Pmx. Electronics Ltd." - C:\WINDOWS\Twain_32\SlimU2\HotKey.exe "iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe" "MMReminderService" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\MMReminderService.exe "QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Java\jre6\bin\jusched.exe" "TkBellExe" - "RealNetworks, Inc." - "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "GMX Fax Monitor" - "GMX GmbH" - C:\WINDOWS\system32\UIGMXMON.DLL "Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll "PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\System32\pdfports.dll "PDF-XChange" - "Tracker Software" - C:\WINDOWS\system32\pxc25pm.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Programme\AntiVir PersonalEdition Classic\sched.exe "Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe "Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe "Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe "Google Software Updater" (gusvc) - "Google" - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe "iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll [Winsock Providers] -----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )----- "mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru |
17.08.2010, 08:40 | #6 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sysZitat:
Im Anschluss - falls noch nicht getan - die Datei remover.exe (vom BootkitRemover) vom Desktop nach c:\windows\system32 kopieren! Danach die Konsole starten über Start, Ausführen, cmd eintippen, ok. Den Text im folgenden Codefeld eintippen und mit Enter/Return ausführen: Code:
ATTFilter remover.exe fix \\.\PhysicalDrive0
__________________ --> Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys |
17.08.2010, 20:46 | #7 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Hallo, zunächst das Ergebnis des OSAM logfile nach Deaktivierung: OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 21:18:43 on 17.08.2010 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe "Auf Updates für Windows Live Toolbar prüfen.job" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\MSNTBUP.EXE "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "Norton Security Scan for Administrator.job" - "Symantec Corporation" - C:\Programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe "RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe "RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe "WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "Ddbaccpl.cpl" - "DataDesign AG" - C:\WINDOWS\system32\Ddbaccpl.cpl "ddBACCTM.cpl" - "DataDesign AG" - C:\WINDOWS\system32\ddBACCTM.cpl "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File signed by Microsoft | File found, but it contains no detailed information) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl "Avira AntiVir PersonalEdition Classic Konfiguration" - "Avira GmbH" - C:\PROGRA~1\ANTIVI~1\avconfig.cpl "QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys "i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys "vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\System32\vsdatant.sys "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) "WIDCOMM USB Bluetooth Driver" (BTWUSB) - ? - C:\WINDOWS\System32\Drivers\btwusb.sys (Disabled) "lpvmtsvd" (lpvmtsvd) - ? - C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Hidden file | Hidden registry entry, rootkit activity | File found, but it contains no detailed information) [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Programme\7-Zip\7-zip.dll {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found) {1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found) {32683183-48a0-441b-a342-7c2a440a9478} "Media Band" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - c:\program files\real\realplayer\rpshell.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "H+BEDV Datentechnik GmbH" - C:\Programme\AntiVir PersonalEdition Classic\shlext.dll {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll [Internet Explorer] -----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )----- {32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" - ? - (File not found | COM-object registry key not found) -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found) <binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- DirectAnimation Java Classes "DirectAnimation Java Classes" - ? - (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\dajava.cab {67DABFBF-D0AB-41FA-9C46-CC0F21721616} "DivXBrowserPlugin Object" - "DivX,Inc." - C:\Programme\DivX\DivX Web Player\npdivx32.dll / hxxp://download.divx.com/player/DivXBrowserPlugin.cab {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab {CAC677B6-4963-4305-9066-0BD135CD9233} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader4.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} "Java Plug-in 1.4.2_10" - "JavaSoft / Sun Microsystems, Inc." - C:\Programme\Java\j2re1.4.2_10\bin\npjpi142_10.dll / hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} "Java Plug-in 1.5.0_09" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} "Java Plug-in 1.6.0_02" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} "Java Plug-in 1.6.0_03" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} "Java Plug-in 1.6.0_05" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab Microsoft XML Parser for Java "Microsoft XML Parser for Java" - ? - (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\xmldso.cab {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} "Office Update Installation Engine" - "Microsoft Corporation" - C:\WINDOWS\opuc.dll / hxxp://office.microsoft.com/officeupdate/content/opuc3.cab {56336BCB-3D8A-11D6-A00B-0050DA18DE71} "RdxIE Class" - "RealNetworks, Inc." - C:\WINDOWS\Downloaded Program Files\RdxIE.dll / hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab {166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab {644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab {0000000A-9980-0010-8000-00AA00389B71} "{0000000A-9980-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab {33564D57-0000-0010-8000-00AA00389B71} "{33564D57-0000-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB {33564D57-9980-0010-8000-00AA00389B71} "{33564D57-9980-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? - (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "Digest" - ? - C:\Programme\NeuroPower\Digest2005\iereg.exe (File found, but it contains no detailed information) {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL {AC41D38F-B56D-40AD-94E0-B493D130C959} "Send to Mindjet MindManager" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )----- "Location" - "InterTrust Technologies Corporation, Inc." - C:\Programme\Internet Explorer\Plugins\NPDocBox.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll <binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - ? - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx {AC41D38F-B56D-40AD-94E0-B493D130C959} "CmjBrowserHelperObject Object" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll {3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "Acrobat Assistant.lnk" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Shortcut exists | File exists) "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "t@x aktuell.lnk" - "R&S EDV-Beratung, Hannover" - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe (Shortcut exists | File exists) "VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Shortcut exists | File exists) "WinZip Quick Pick.lnk" - "WinZip Computing, S.L." - C:\Programme\WinZip\WZQKPICK.EXE (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini "Yahoo! Widgets.lnk" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk (Shortcut exists | File not found) -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "MsnMsgr" - ? - "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background (File not found) "pdfSaver3" - "Tracker Software Products Ltd." - "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" "Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\\Phone\Skype.exe" /nosplash /minimized "swg" - "Google Inc." - "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "avgnt" - "H+BEDV Datentechnik GmbH" - "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min "HotKey" - "Pmx. Electronics Ltd." - C:\WINDOWS\Twain_32\SlimU2\HotKey.exe "iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe" "MMReminderService" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\MMReminderService.exe "QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Java\jre6\bin\jusched.exe" "TkBellExe" - "RealNetworks, Inc." - "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "GMX Fax Monitor" - "GMX GmbH" - C:\WINDOWS\system32\UIGMXMON.DLL "Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll "PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\System32\pdfports.dll "PDF-XChange" - "Tracker Software" - C:\WINDOWS\system32\pxc25pm.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Programme\AntiVir PersonalEdition Classic\sched.exe "Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe "Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe "Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe "Google Software Updater" (gusvc) - "Google" - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe "iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll [Winsock Providers] -----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )----- "mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru Dann das OSAM logfile nach Löschen und Neustart: OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 21:40:20 on 17.08.2010 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe "Auf Updates für Windows Live Toolbar prüfen.job" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\MSNTBUP.EXE "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "Norton Security Scan for Administrator.job" - "Symantec Corporation" - C:\Programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe "RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe "RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe "WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "Ddbaccpl.cpl" - "DataDesign AG" - C:\WINDOWS\system32\Ddbaccpl.cpl "ddBACCTM.cpl" - "DataDesign AG" - C:\WINDOWS\system32\ddBACCTM.cpl "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File signed by Microsoft | File found, but it contains no detailed information) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl "Avira AntiVir PersonalEdition Classic Konfiguration" - "Avira GmbH" - C:\PROGRA~1\ANTIVI~1\avconfig.cpl "QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys "i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys "vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\System32\vsdatant.sys "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) "WIDCOMM USB Bluetooth Driver" (BTWUSB) - ? - C:\WINDOWS\System32\Drivers\btwusb.sys [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Programme\7-Zip\7-zip.dll {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found) {1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found) {32683183-48a0-441b-a342-7c2a440a9478} "Media Band" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - c:\program files\real\realplayer\rpshell.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "H+BEDV Datentechnik GmbH" - C:\Programme\AntiVir PersonalEdition Classic\shlext.dll {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll {E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll [Internet Explorer] -----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )----- {32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" - ? - (File not found | COM-object registry key not found) -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found) <binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- DirectAnimation Java Classes "DirectAnimation Java Classes" - ? - (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\dajava.cab {67DABFBF-D0AB-41FA-9C46-CC0F21721616} "DivXBrowserPlugin Object" - "DivX,Inc." - C:\Programme\DivX\DivX Web Player\npdivx32.dll / hxxp://download.divx.com/player/DivXBrowserPlugin.cab {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab {CAC677B6-4963-4305-9066-0BD135CD9233} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader4.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} "Java Plug-in 1.4.2_10" - "JavaSoft / Sun Microsystems, Inc." - C:\Programme\Java\j2re1.4.2_10\bin\npjpi142_10.dll / hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} "Java Plug-in 1.5.0_09" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} "Java Plug-in 1.6.0_02" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} "Java Plug-in 1.6.0_03" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} "Java Plug-in 1.6.0_05" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab Microsoft XML Parser for Java "Microsoft XML Parser for Java" - ? - (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\xmldso.cab {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} "Office Update Installation Engine" - "Microsoft Corporation" - C:\WINDOWS\opuc.dll / hxxp://office.microsoft.com/officeupdate/content/opuc3.cab {56336BCB-3D8A-11D6-A00B-0050DA18DE71} "RdxIE Class" - "RealNetworks, Inc." - C:\WINDOWS\Downloaded Program Files\RdxIE.dll / hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab {166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab {644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab {0000000A-9980-0010-8000-00AA00389B71} "{0000000A-9980-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab {33564D57-0000-0010-8000-00AA00389B71} "{33564D57-0000-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB {33564D57-9980-0010-8000-00AA00389B71} "{33564D57-9980-0010-8000-00AA00389B71}" - ? - (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? - (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "Digest" - ? - C:\Programme\NeuroPower\Digest2005\iereg.exe (File found, but it contains no detailed information) {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL {AC41D38F-B56D-40AD-94E0-B493D130C959} "Send to Mindjet MindManager" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )----- "Location" - "InterTrust Technologies Corporation, Inc." - C:\Programme\Internet Explorer\Plugins\NPDocBox.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll <binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - ? - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx {AC41D38F-B56D-40AD-94E0-B493D130C959} "CmjBrowserHelperObject Object" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll {3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "Acrobat Assistant.lnk" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Shortcut exists | File exists) "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "t@x aktuell.lnk" - "R&S EDV-Beratung, Hannover" - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe (Shortcut exists | File exists) "VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Shortcut exists | File exists) "WinZip Quick Pick.lnk" - "WinZip Computing, S.L." - C:\Programme\WinZip\WZQKPICK.EXE (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini "Yahoo! Widgets.lnk" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk (Shortcut exists | File not found) -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "MsnMsgr" - ? - "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background (File not found) "pdfSaver3" - "Tracker Software Products Ltd." - "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" "Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\\Phone\Skype.exe" /nosplash /minimized "swg" - "Google Inc." - "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "avgnt" - "H+BEDV Datentechnik GmbH" - "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min "HotKey" - "Pmx. Electronics Ltd." - C:\WINDOWS\Twain_32\SlimU2\HotKey.exe "iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe" "MMReminderService" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\MMReminderService.exe "QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Java\jre6\bin\jusched.exe" "TkBellExe" - "RealNetworks, Inc." - "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "GMX Fax Monitor" - "GMX GmbH" - C:\WINDOWS\system32\UIGMXMON.DLL "Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll "PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\System32\pdfports.dll "PDF-XChange" - "Tracker Software" - C:\WINDOWS\system32\pxc25pm.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Programme\AntiVir PersonalEdition Classic\sched.exe "Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe "Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe "Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe "Google Software Updater" (gusvc) - "Google" - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe "iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll [Winsock Providers] -----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )----- "mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru Und abschließend das Ergebnis nach Anwendung des bootkit remover unter system 32: Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Dokumente und Einstellungen\Administrator> C:\Dokumente und Einstellungen\Administrator>remover.exe fix\\.\PhysicalDrive0 Bootkit Remover (c) 2009 eSage Lab www.esagelab.com Program version: 1.1.0.0 OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600) ERROR: Unknown command. Done; Press any key to quit... Sieht nicht danach aus, dass das Problem gelöst ist, oder? |
17.08.2010, 20:50 | #8 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Sorry, das Ergebnis nach dem bootkit remover lautet wie folgt: Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Dokumente und Einstellungen\Administrator>remover.exe fix \\.\PhysicalDrive0 Bootkit Remover (c) 2009 eSage Lab www.esagelab.com Program version: 1.1.0.0 OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600) Restoring boot code at \\.\PhysicalDrive0... OK Done; Press any key to quit... |
17.08.2010, 21:17 | #9 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Zwecks Kontrolle des MBRs: Downloade Dir bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
__________________ Logfiles bitte immer in CODE-Tags posten |
17.08.2010, 21:26 | #10 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Voila! MBRCheck, version 1.2.3 (c) 2010, AD Command-line: Windows Version: Windows XP Professional Windows Information: Service Pack 3 (build 2600) Logical Drives Mask: 0x0000002c Kernel Drivers (total 134): 0x804D7000 \WINDOWS\system32\ntoskrnl.exe 0x806EF000 \WINDOWS\system32\hal.dll 0xF8A34000 \WINDOWS\system32\KDCOM.DLL 0xF8944000 \WINDOWS\system32\BOOTVID.dll 0xF84E4000 ACPI.sys 0xF8A36000 \WINDOWS\System32\DRIVERS\WMILIB.SYS 0xF84D3000 pci.sys 0xF8534000 isapnp.sys 0xF8544000 ohci1394.sys 0xF8554000 \WINDOWS\System32\DRIVERS\1394BUS.SYS 0xF8948000 compbatt.sys 0xF894C000 \WINDOWS\System32\DRIVERS\BATTC.SYS 0xF8AFC000 PCIIde.sys 0xF87B4000 \WINDOWS\System32\Drivers\PCIIDEX.SYS 0xF8A38000 intelide.sys 0xF84B5000 pcmcia.sys 0xF8564000 MountMgr.sys 0xF8496000 ftdisk.sys 0xF8A3A000 dmload.sys 0xF8470000 dmio.sys 0xF8950000 ACPIEC.sys 0xF8AFD000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS 0xF87BC000 PartMgr.sys 0xF8574000 VolSnap.sys 0xF8458000 atapi.sys 0xF8584000 disk.sys 0xF8594000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS 0xF8438000 fltmgr.sys 0xF8426000 sr.sys 0xF85A4000 PxHelp20.sys 0xF840F000 KSecDD.sys 0xF8382000 Ntfs.sys 0xF8355000 NDIS.sys 0xF833B000 Mup.sys 0xF85B4000 agp440.sys 0xF85E4000 \SystemRoot\System32\DRIVERS\nic1394.sys 0xF8624000 \SystemRoot\System32\DRIVERS\intelppm.sys 0xF72F8000 \SystemRoot\System32\DRIVERS\ati2mtag.sys 0xF72E4000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS 0xF88CC000 \SystemRoot\System32\DRIVERS\usbuhci.sys 0xF72C0000 \SystemRoot\System32\DRIVERS\USBPORT.SYS 0xF88D4000 \SystemRoot\System32\DRIVERS\usbehci.sys 0xF88DC000 \SystemRoot\System32\DRIVERS\RTL8139.SYS 0xF707B000 \SystemRoot\System32\DRIVERS\w70n51.sys 0xF88E4000 \SystemRoot\System32\Drivers\WBSD.SYS 0xF8634000 \SystemRoot\System32\DRIVERS\serial.sys 0xF8317000 \SystemRoot\System32\DRIVERS\serenum.sys 0xF8644000 \SystemRoot\System32\DRIVERS\smcirda.sys 0xF8313000 \SystemRoot\System32\DRIVERS\irenum.sys 0xF7067000 \SystemRoot\System32\DRIVERS\parport.sys 0xF8654000 \SystemRoot\System32\DRIVERS\i8042prt.sys 0xF88EC000 \SystemRoot\System32\DRIVERS\kbdclass.sys 0xF88F4000 \SystemRoot\System32\DRIVERS\mouclass.sys 0xF8664000 \SystemRoot\System32\DRIVERS\imapi.sys 0xF8674000 \SystemRoot\System32\DRIVERS\cdrom.sys 0xF8684000 \SystemRoot\System32\DRIVERS\redbook.sys 0xF7044000 \SystemRoot\System32\DRIVERS\ks.sys 0xF88FC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys 0xF6FBF000 \SystemRoot\system32\drivers\smwdm.sys 0xF6F9B000 \SystemRoot\system32\drivers\portcls.sys 0xF8694000 \SystemRoot\system32\drivers\drmk.sys 0xF6F83000 \SystemRoot\system32\drivers\aeaudio.sys 0xF6E65000 \SystemRoot\System32\DRIVERS\AGRSM.sys 0xF8904000 \SystemRoot\System32\Drivers\Modem.SYS 0xF82FF000 \SystemRoot\System32\DRIVERS\CmBatt.sys 0xF6E4A000 \SystemRoot\System32\DRIVERS\dne2000.sys 0xF8BB5000 \SystemRoot\System32\DRIVERS\audstub.sys 0xF6E38000 \SystemRoot\system32\DRIVERS\bridge.sys 0xF890C000 \SystemRoot\system32\DRIVERS\TDI.SYS 0xF8914000 \SystemRoot\System32\DRIVERS\rasirda.sys 0xF86A4000 \SystemRoot\System32\DRIVERS\rasl2tp.sys 0xF89C8000 \SystemRoot\System32\DRIVERS\ndistapi.sys 0xF6E21000 \SystemRoot\System32\DRIVERS\ndiswan.sys 0xF86B4000 \SystemRoot\System32\DRIVERS\raspppoe.sys 0xF86C4000 \SystemRoot\System32\DRIVERS\raspptp.sys 0xF6E10000 \SystemRoot\System32\DRIVERS\psched.sys 0xF86D4000 \SystemRoot\System32\DRIVERS\msgpc.sys 0xF891C000 \SystemRoot\System32\DRIVERS\ptilink.sys 0xF8924000 \SystemRoot\System32\DRIVERS\raspti.sys 0xF8A64000 \SystemRoot\System32\DRIVERS\CVirtA.sys 0xF6DE0000 \SystemRoot\System32\DRIVERS\rdpdr.sys 0xF86E4000 \SystemRoot\System32\DRIVERS\termdd.sys 0xF8A66000 \SystemRoot\System32\DRIVERS\swenum.sys 0xF6D82000 \SystemRoot\System32\DRIVERS\update.sys 0xF89E0000 \SystemRoot\System32\DRIVERS\mssmbios.sys 0xF8704000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xF8734000 \SystemRoot\System32\DRIVERS\usbhub.sys 0xF8A68000 \SystemRoot\System32\DRIVERS\USBD.SYS 0xF8A6E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0xF8C0C000 \SystemRoot\System32\Drivers\Null.SYS 0xF8A70000 \SystemRoot\System32\Drivers\Beep.SYS 0xF87DC000 \SystemRoot\System32\drivers\vga.sys 0xF8A72000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xF8A74000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xF87E4000 \SystemRoot\System32\Drivers\Msfs.SYS 0xF87EC000 \SystemRoot\System32\Drivers\Npfs.SYS 0xF8A0C000 \SystemRoot\System32\DRIVERS\rasacd.sys 0xEEBD4000 \SystemRoot\System32\DRIVERS\ipsec.sys 0xEEB7B000 \SystemRoot\System32\DRIVERS\tcpip.sys 0xEEB53000 \SystemRoot\System32\DRIVERS\netbt.sys 0xF8A10000 \SystemRoot\System32\drivers\ws2ifsl.sys 0xEEB31000 \SystemRoot\System32\drivers\afd.sys 0xF8774000 \SystemRoot\System32\DRIVERS\netbios.sys 0xEEB06000 \SystemRoot\System32\DRIVERS\rdbss.sys 0xEEA96000 \SystemRoot\System32\DRIVERS\mrxsmb.sys 0xF8794000 \SystemRoot\System32\Drivers\Fips.SYS 0xEEA70000 \SystemRoot\System32\DRIVERS\ipnat.sys 0xF87A4000 \SystemRoot\System32\DRIVERS\wanarp.sys 0xF85F4000 \SystemRoot\System32\Drivers\btwusb.sys 0xEEA26000 \SystemRoot\system32\DRIVERS\avipbb.sys 0xF8A80000 \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys 0xF7AAA000 \SystemRoot\System32\Drivers\Cdfs.SYS 0xEDAF9000 \SystemRoot\System32\Drivers\dump_atapi.sys 0xF8A8E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS 0xBF800000 \SystemRoot\System32\win32k.sys 0xEEC27000 \SystemRoot\System32\drivers\Dxapi.sys 0xF8854000 \SystemRoot\System32\watchdog.sys 0xBF000000 \SystemRoot\System32\drivers\dxg.sys 0xF8B47000 \SystemRoot\System32\drivers\dxgthk.sys 0xBF012000 \SystemRoot\System32\ati2dvag.dll 0xBF059000 \SystemRoot\System32\ati3d2ag.dll 0xBFFA0000 \SystemRoot\System32\ATMFD.DLL 0xEDA44000 \SystemRoot\system32\DRIVERS\avgntflt.sys 0xED9DE000 \SystemRoot\System32\DRIVERS\irda.sys 0xEDA79000 \SystemRoot\System32\DRIVERS\ndisuio.sys 0xED781000 \SystemRoot\System32\DRIVERS\mrxdav.sys 0xF8A62000 \SystemRoot\System32\Drivers\ParVdm.SYS 0xED5E4000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 0xED467000 \SystemRoot\system32\drivers\wdmaud.sys 0xED856000 \SystemRoot\system32\drivers\sysaudio.sys 0xED2CA000 \SystemRoot\System32\DRIVERS\srv.sys 0xECC49000 \SystemRoot\System32\Drivers\HTTP.sys 0xEC276000 \SystemRoot\system32\drivers\kmixer.sys 0x7C910000 \WINDOWS\system32\ntdll.dll Processes (total 51): 0 System Idle Process 4 System 1348 C:\WINDOWS\system32\smss.exe 1396 csrss.exe 1428 C:\WINDOWS\system32\winlogon.exe 1472 C:\WINDOWS\system32\services.exe 1484 C:\WINDOWS\system32\lsass.exe 1676 C:\WINDOWS\system32\svchost.exe 1724 svchost.exe 188 C:\WINDOWS\system32\svchost.exe 260 svchost.exe 368 svchost.exe 988 C:\WINDOWS\system32\spoolsv.exe 1036 C:\Programme\Avira\AntiVir Desktop\sched.exe 1120 svchost.exe 1776 C:\Programme\AntiVir PersonalEdition Classic\sched.exe 1788 C:\Programme\Avira\AntiVir Desktop\avguard.exe 1808 C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 1832 C:\WINDOWS\system32\ati2evxx.exe 1860 C:\Programme\Bonjour\mDNSResponder.exe 1912 C:\Programme\Cisco Systems\VPN Client\cvpnd.exe 672 C:\Programme\Java\jre6\bin\jqs.exe 816 C:\Programme\Avira\AntiVir Desktop\avshadow.exe 620 C:\WINDOWS\system32\svchost.exe 564 C:\WINDOWS\explorer.exe 2552 C:\WINDOWS\AGRSMMSG.exe 2800 C:\Programme\Java\jre6\bin\jusched.exe 2808 C:\WINDOWS\twain_32\SlimU2\HotKey.Exe 2824 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE.EXE 2832 C:\Programme\Mindjet\MindManager 6\MmReminderService.exe 2864 C:\Programme\iTunes\iTunesHelper.exe 2876 C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe 2888 C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe 2896 C:\WINDOWS\system32\ctfmon.exe 2904 C:\Programme\Skype\Phone\Skype.exe 2912 C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe 2920 C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe 2956 C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe 2968 C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe 3368 C:\Programme\WinZip\WZQKPICK.EXE 256 C:\Programme\iPod\bin\iPodService.exe 1264 alg.exe 3052 C:\WINDOWS\system32\wbem\wmiapsrv.exe 3112 C:\WINDOWS\system32\svchost.exe 476 C:\Programme\Skype\Plugin Manager\skypePM.exe 3744 C:\Programme\Internet Explorer\iexplore.exe 1212 C:\Programme\Internet Explorer\iexplore.exe 1720 C:\Programme\Java\jre6\bin\jucheck.exe 560 C:\Programme\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe 1332 C:\Programme\Internet Explorer\iexplore.exe 3692 C:\Dokumente und Einstellungen\Administrator\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS) PhysicalDrive0 Model Number: FUJITSUMHT2040AT, Rev: 009A Size Device Name MBR Status -------------------------------------------- 37 GB \\.\PhysicalDrive0 Windows XP MBR code detected SHA1: 31D100779DE502702C374F7C15687B56FCFD5528 Done! |
17.08.2010, 21:54 | #11 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Dann bitte jetzt CF ausführen: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
__________________ Logfiles bitte immer in CODE-Tags posten |
17.08.2010, 22:55 | #12 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Voila, Combofix Logfile: Code:
ATTFilter ComboFix 10-08-17.02 - Administrator 17.08.2010 23:39:25.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.511.261 [GMT 2:00] ausgeführt von:: c:\dokumente und einstellungen\Administrator\Desktop\cofi.exe AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Outdated) {00000000-0000-0000-0000-000000000000} AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DA-0D24-347CA8A3377C} AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00EB-0D24-347CA8A3377C} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Downloaded Program Files\RdxIE.dll . ((((((((((((((((((((((( Dateien erstellt von 2010-07-17 bis 2010-08-17 )))))))))))))))))))))))))))))) . 2010-08-17 21:08 . 2010-08-17 21:08 -------- d-----w- c:\programme\CCleaner 2010-08-17 19:39 . 2010-07-21 17:50 81920 ----a-w- c:\windows\system32\remover.exe 2010-08-17 18:59 . 2010-08-17 19:08 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Online Solutions 2010-08-16 20:15 . 2010-08-16 20:15 -------- d-----w- c:\programme\7-Zip 2010-08-16 18:42 . 2010-08-16 18:42 -------- d-----w- c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\WinZip 2010-08-16 18:41 . 2010-08-16 18:41 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\WinZip 2010-08-15 20:38 . 2010-08-15 20:38 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Malwarebytes 2010-08-15 20:37 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-15 20:37 . 2010-08-15 20:37 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes 2010-08-15 20:37 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-15 20:37 . 2010-08-15 20:37 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware 2010-08-15 20:20 . 2010-08-17 20:21 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic 2010-08-15 20:14 . 2010-05-21 12:14 221568 ------w- c:\windows\system32\MpSigStub.exe . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-17 21:31 . 2006-06-18 20:02 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Skype 2010-08-17 19:01 . 2010-03-22 19:07 741376 ----a-w- c:\windows\system32\drivers\lpvmtsvd.sys 2010-08-17 18:18 . 2009-11-02 20:58 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\skypePM 2010-08-16 13:28 . 2010-06-18 16:08 -------- d-----w- c:\programme\Gemeinsame Dateien\Symantec Shared 2010-08-15 13:43 . 2002-08-29 20:00 463354 ----a-w- c:\windows\system32\perfh007.dat 2010-08-15 13:43 . 2002-08-29 20:00 86198 ----a-w- c:\windows\system32\perfc007.dat 2010-07-30 17:58 . 2007-02-17 09:55 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\U3 2010-06-30 12:28 . 2002-08-29 20:00 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-24 12:22 . 2006-06-23 11:27 916480 ----a-w- c:\windows\system32\wininet.dll 2010-06-24 09:02 . 2002-08-29 20:00 1852032 ----a-w- c:\windows\system32\win32k.sys 2010-06-22 20:29 . 2010-06-22 20:29 501936 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google\Google Toolbar\Update\gtb14D.tmp.exe 2010-06-21 15:27 . 2002-08-29 20:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys 2010-06-17 14:03 . 2002-08-29 20:00 80384 ----a-w- c:\windows\system32\iccvid.dll 2010-06-14 14:31 . 2006-05-06 18:09 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe 2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\programme\Skype\\Phone\Skype.exe" [2010-05-13 26192168] "pdfSaver3"="c:\programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928] "swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-12 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AGRSMMSG"="AGRSMMSG.exe" [2003-05-06 88267] "ATIModeChange"="Ati2mdxx.exe" [2002-08-28 28672] "SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2008-12-18 136600] "EPSON Stylus Photo R240 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" [2005-04-25 98304] "MMReminderService"="c:\programme\Mindjet\MindManager 6\MMReminderService.exe" [2006-06-22 31232] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2009-03-12 342312] "avgnt"="c:\programme\AntiVir PersonalEdition Classic\avgnt.exe" [2006-01-18 229416] "TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2010-03-09 202256] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\ Acrobat Assistant.lnk - c:\programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-5-8 49254] t@x aktuell.lnk - c:\programme\Buhl finance\tax 2010 Standard\taxaktuell.exe [2009-11-25 558376] VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2008-1-5 6144] WinZip Quick Pick.lnk - c:\programme\WinZip\WZQKPICK.EXE [2010-4-5 494920] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Programme\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Programme\\Java\\j2re1.4.2_10\\bin\\javaw.exe"= "c:\\Programme\\Java\\j2re1.4.2_10\\bin\\java.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Programme\\Bonjour\\mDNSResponder.exe"= "c:\\Programme\\iTunes\\iTunes.exe"= "c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Programme\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [12.07.2009 22:36 135336] R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [07.05.2006 17:40 26240] S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [08.02.2010 21:40 135664] . Inhalt des "geplante Tasks" Ordners 2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2010-08-17 c:\windows\Tasks\Auf Updates für Windows Live Toolbar prüfen.job - c:\programme\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20] 2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\programme\Google\Update\GoogleUpdate.exe [2010-02-08 19:40] 2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\programme\Google\Update\GoogleUpdate.exe [2010-02-08 19:40] 2010-08-16 c:\windows\Tasks\Norton Security Scan for Administrator.job - c:\programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-18 07:48] 2010-08-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job - c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09] 2010-08-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job - c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09] 2010-08-17 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 20:18] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &Windows Live Search - c:\programme\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - hxxp://favorites.live.com/quickadd.aspx IE: Digest - c:\programme\NeuroPower\Digest2005\npdigest.htm.ie IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: {{F9341940-7640-4157-9C5C-7D86B7449E20} - c:\programme\NeuroPower\Digest2005\iereg.exe DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab . - - - - Entfernte verwaiste Registrierungseinträge - - - - HKLM-Run-pdfSaver3 - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-08-17 23:46 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-1060284298-1957994488-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,d4,a4,c1,e1,d4,63,4c,9d,f6,44,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,d4,a4,c1,e1,d4,63,4c,9d,f6,44,\ [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\ [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*] "7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL" . Zeit der Fertigstellung: 2010-08-17 23:52:28 ComboFix-quarantined-files.txt 2010-08-17 21:52 Vor Suchlauf: 9 Verzeichnis(se), 21.317.492.736 Bytes frei Nach Suchlauf: 11 Verzeichnis(se), 22.702.436.352 Bytes frei WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn - - End Of File - - 97BAC6FAC009F6AECD9269E634DE47CE |
18.08.2010, 08:25 | #13 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!!
__________________ Logfiles bitte immer in CODE-Tags posten |
19.08.2010, 06:58 | #14 |
| Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys Ich bin eher pessimistisch. Der Rechner ist wieder total langsam, so dass ich nur Malwarebytes laufen lassen konnte mit folgendem Ergebnis: Malwarebytes' Anti-Malware 1.46 Malwarebytes Datenbank Version: 4446 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 19.08.2010 07:48:56 mbam-log-2010-08-19 (07-48-56).txt Art des Suchlaufs: Quick-Scan Durchsuchte Objekte: 131848 Laufzeit: 1 Stunde(n), 1 Minute(n), 10 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 2 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\antivir_workstation_win7u_de_h148.exe (Spyware.Onlinegames) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Rootkit.Agent) -> Quarantined and deleted successfully. |
Themen zu Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys |
0x00000001, agere systems, antivir, avgntflt.sys, avira, bho, bonjour, components, error, fehler, firefox, flash player, format, geld, google, homepage, iexplore.exe, installation, location, mozilla, msvcrt, oldtimer, otl.exe, plug-in, realtek, registry, rootkit, rundll, security scan, software, studio, system, tcp, tracker, updates, windows, windows internet, windows internet explorer |