Log analysis and evaluation: Redirect of search engine results

#1
Redirect of search engine results

Hello everyone, I have the following problem: search engine results (Google as well as Yahoo) are always redirected to a page "154click.info". This happens both under Firefox 3.6.8 and in Internet Explorer 6.0.2900. I have spent a few hours looking around this board as a guest reader but found no solutions, especially since I have already run various malware killers.

Background: at the beginning of the week I successfully removed a piece of malware (so-called scareware connected with Antivirlock). The search engine problem still exists (or exists again?).

Second problem: it is not my own computer but my brother-in-law's, and we will end the family visit today, i.e. from tomorrow I would have to get this fixed via "remote maintenance".

But first the initial logfiles according to the instructions.

HJT: HijackThis Logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26:18, on 04.09.2010
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\Microsoft Hardware\Mouse\point32.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Winamp\Winampa.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe
C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Programme\WISO\Sparbuch 2010\meinsparbuchheute.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
P:\rootkit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://de.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.3dconnexion.com/checkupdates
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ClipIncSrvTray] "C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O4 - Global Startup: WISO Mein Sparbuch heute.lnk = C:\Programme\WISO\Sparbuch 2010\meinsparbuchheute.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CB6312-7F79-439D-8AAA-2FA672622CCD}: NameServer = 192.168.122.252,192.168.122.253
O17 - HKLM\System\CS1\Services\Tcpip\..\{15CB6312-7F79-439D-8AAA-2FA672622CCD}: NameServer = 192.168.122.252,192.168.122.253
O17 - HKLM\System\CS3\Services\Tcpip\..\{15CB6312-7F79-439D-8AAA-2FA672622CCD}: NameServer = 192.168.122.252,192.168.122.253
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9cda9bd59d81e) (gupdate1c9cda9bd59d81e) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 9042 bytes

MBAM:

Malwarebytes' Anti-Malware 1.46
***.malwarebytes.org

Datenbank Version: 4541

Windows 5.1.2600 Service Pack 3, v.3264
Internet Explorer 6.0.2900.3264

04.09.2010 15:09:45
mbam-log-2010-09-04 (15-09-45).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 167951
Laufzeit: 6 Minute(n), 7 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 15:12 on 04/09/2010 (XXX)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

OTL.txt: Note: since I cannot get the OTL.txt in here via copy & paste (the text becomes too long) and the txt file is too large, I will post it directly as a reply to this thread.

Extras.txt: OTL EXTRAS Logfile:
Code:
< End of report >

Since I had already worked with a few tools, here are their logs as well:

RootRepeal
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/04 14:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB76C8000
Size: 98304
File Visible: No
Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F3000
Size: 8192
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB64D2000
Size: 49152
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\GUR3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\BIT5.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7aa3b6c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7aa3b58

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7aa3b5d

==EOF==

F-Secure Blacklight
09/04/10 14:35:29 [Info]: BlackLight Engine 2.2.1092 initialized
09/04/10 14:35:29 [Info]: OS: 5.1 build 2600 (Service Pack 3, v.3264)
09/04/10 14:35:29 [Note]: 7019 4
09/04/10 14:35:29 [Note]: 7005 0
09/04/10 14:35:31 [Note]: 7006 0
09/04/10 14:35:31 [Note]: 7011 3180
09/04/10 14:35:31 [Note]: 7035 0
09/04/10 14:35:31 [Note]: 7026 0
09/04/10 14:35:32 [Note]: 7026 0
09/04/10 14:35:34 [Note]: FSRAW library version 1.7.1024
09/04/10 14:38:18 [Note]: 2000 1012
09/04/10 14:41:21 [Note]: 7007 0

GMER is still running, but I am afraid we will end our family visit here before the full scan is finished.
If I get the GMER logfile before my 3 hours on the Autobahn, I will attach it here; otherwise I will post it as a separate reply to my post.

My brother-in-law's virus scanner is the free Avira version, last updated on 01.09.2010.

Guido

Strange: whenever I paste OTL.txt here via copy & paste, I get a problem with the PHP script:

Fatal error: Maximum execution time of 30 seconds exceeded in /www/htdocs/tbcom/includes/functions.php on line 1838

So then, split into 2 attachments: OTL.txt

Hello, today I also received the GMER log from my brother-in-law by e-mail:

GMER Logfile:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-09-04 22:43:44
Windows 5.1.2600 Service Pack 3, v.3264
Running: gmer.exe; Driver: C:\DOKUME~1\XXX\LOKALE~1\Temp\pgldypow.sys

---- System - GMER 1.0.15 ----

SSDT B9EF9934 ZwCreateThread
SSDT B9EF9920 ZwOpenProcess
SSDT B9EF9925 ZwOpenThread

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB92DD360, 0x348EE7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

? C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe[244] C:\WINDOWS\system32\PSAPI.DLL IMAGE_DOS_SIGNATURE not found;
.text C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe[336] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0049F8A0 C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!GetSysColor 7E368E78 5 Bytes JMP 100482A0 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!GetSysColorBrush 7E368EAB 5 Bytes JMP 100482E0 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!SetScrollInfo 7E369056 7 Bytes JMP 10053CC0 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!GetScrollInfo 7E370272 7 Bytes JMP 10053C10 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!ShowScrollBar 7E37F303 5 Bytes JMP 10053D90 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!GetScrollPos 7E37F714 5 Bytes JMP 10053C50 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!SetScrollPos 7E37F760 5 Bytes JMP 10053D00 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!GetScrollRange 7E37F797 5 Bytes JMP 10053C80 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!SetScrollRange 7E37F9AB 5 Bytes JMP 10053D40 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!DrawFrameControl 7E38E947 7 Bytes JMP 100475B0 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!EnableScrollBar 7E3B7FFD 7 Bytes JMP 10053BD0 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[392] USER32.dll!DefWindowProcA + 11A 7E36DE38 7 Bytes JMP 10031D10 C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[392] USER32.dll!SetWindowRgn + 2BF 7E370EFD 7 Bytes JMP 10031C80 C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[392] USER32.dll!SetClipboardData + 19D 7E38114B 7 Bytes JMP 10031CF0 C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
? C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[752] C:\WINDOWS\system32\msvcrt.dll IMAGE_DOS_SIGNATURE not found;
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 009E874A
? C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe[2972] C:\WINDOWS\system32\msvcrt.dll IMAGE_DOS_SIGNATURE not found;

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
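Triage of the hook lines in the logs above, as an added example that is not part of the original post and not code from GMER or RootRepeal: a small Python parser that reads the SSDT lines and user-mode inline-hook lines from a GMER log and the "Hooked by" lines from a RootRepeal log, and lists the hooks the scanner could not attribute to a module. In the logs posted here those are the three SSDT entries (RootRepeal reports them as "<unknown>", GMER prints only an address) and the CreateProcessInternalW hook in Explorer.EXE, which GMER prints without a target module, unlike the ClipInc and Sony Ericsson hooks that resolve to TOBITCLT.dll and NewUI.dll. The line formats are assumptions derived from the GMER 1.0.15 and RootRepeal 1.3.5 output in this thread and may need adjusting for other versions; the sample lines are copied from those logs. An unattributed hook is not by itself proof of malware, since host security software hooks the same SSDT entries, so the next step is to map each target address to the loaded driver or DLL list rather than to act on the line alone.

```python
"""Pick out SSDT and inline hooks that GMER / RootRepeal could not attribute.

Added example for this thread, not part of GMER or RootRepeal.  The regular
expressions are assumptions about the GMER 1.0.15 / RootRepeal 1.3.5 line
formats seen in the posted logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from the GMER and RootRepeal logs in this thread.
SAMPLE_LOG = r"""
SSDT B9EF9934 ZwCreateThread
SSDT B9EF9920 ZwOpenProcess
.text C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe[384] USER32.dll!GetSysColor 7E368E78 5 Bytes JMP 100482A0 C:\Programme\Tobit ClipInc\Player\TOBITCLT.dll
.text C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[392] USER32.dll!DefWindowProcA + 11A 7E36DE38 7 Bytes JMP 10031D10 C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 009E874A
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7aa3b6c
"""

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
# GMER SSDT line: "SSDT <owner-or-address> Zw<Name> [0xADDR]".  Assumption: when GMER
# cannot attribute the hook it prints the hook address where the driver would be.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+((?:Zw|Nt)\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?")
# GMER user-mode inline hook: ".text <proc>[pid] <dll>!<sym>[ + off] <addr> <n> Bytes <op> <target> [owner]".
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<sym>\S+!\S+(?:\s\+\s[0-9A-Fa-f]+)?)"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<op>[A-Z]+)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>.+?))?\s*$"
)
# RootRepeal SSDT entries: "#: NNN Function Name: X" followed (same or next line) by
# 'Status: Hooked by "<owner>" at address 0x...'.
RR_FUNC_RE = re.compile(r"#:\s*\d+\s+Function Name:\s+(\w+)")
RR_HOOK_RE = re.compile(r'Hooked by\s+"?(.+?)"?\s+at address\s+(0x[0-9A-Fa-f]+)')


@dataclass
class Hook:
    kind: str             # "ssdt", "inline" or "rootrepeal-ssdt"
    location: str         # "kernel" or "<process path>[pid]"
    function: str         # hooked syscall or exported symbol
    target: str           # address the hook lands at
    owner: Optional[str]  # module the scanner attributed the hook to, if any

    @property
    def attributed(self) -> bool:
        return bool(self.owner) and self.owner != "<unknown>"


def parse_hook_lines(text: str) -> List[Hook]:
    hooks: List[Hook] = []
    pending_func: Optional[str] = None  # RootRepeal function name awaiting its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SSDT_RE.match(line)
        if m:
            first, func, addr = m.group(1), m.group(2), m.group(3)
            owner = None if HEX8.match(first) else first
            hooks.append(Hook("ssdt", "kernel", func, addr or first, owner))
            continue
        m = INLINE_RE.match(line)
        if m:
            hooks.append(Hook("inline", m.group("proc"), m.group("sym"),
                              m.group("target"), m.group("owner")))
            continue
        m = RR_FUNC_RE.search(line)
        if m:
            pending_func = m.group(1)
        m = RR_HOOK_RE.search(line)
        if m and pending_func:
            hooks.append(Hook("rootrepeal-ssdt", "kernel", pending_func, m.group(2), m.group(1)))
            pending_func = None
    return hooks


def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose handler the scanner could not tie to a module: the lines to
    resolve first (map the target address to the loaded driver/DLL list)."""
    return [h for h in hooks if not h.attributed]


def summarize(text: str) -> List[str]:
    return [f"{h.kind:15} {h.location} {h.function} -> {h.target}"
            for h in unattributed(parse_hook_lines(text))]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```

Run it on a full GMER or RootRepeal log by reading the file into `summarize()`; the attributed hooks (those with a module path after the target, or a driver name in place of the SSDT address) are dropped, and what remains is the short list worth resolving by hand.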