Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung
Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS

Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS


Plagegeister aller Art und deren Bekämpfung: Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

 
Vorheriger Beitrag Vorheriger Beitrag   Nächster Beitrag Nächster Beitrag
Alt 04.10.2010, 17:16   #1
Demonico
 
Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS - Pfeil

Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS


Hallo! neues Mitglied erbittet Hilfe bei Problem ^^

Also mit diesem Problem habe ich mich zunächst an ein anderer Forum (ja Schande über mich) gewandt (Giga.de). Dort hat man mir auch früher schonmal geholfen. Die größten Schwierigkeiten konnte ich mit deren Hilfe auch beseitigen =)
ABER als es dann zu den letzten Schritten kam wurden mein Problem und ich wohl vergessen und mir wäre das irgendwie unangenehm, meinen Helfer extra zu errinnern...
Aufjedenfall vermute ich, dass sich noch immer auf meinem Netbook ein Rootkit befindet und ich kriegs nicht weg >.> Ich bin mir jetzt ehrlich gesagt nicht sicher ob ich die gesamte Vorgeschichte meines Viruses auch posten sollte... Das lasse ich erstmal... auf Anfrage, werd ich das aber natürlich nachholen! Im Folgenden werde ich dann ein HJT Logfile, ein neues OTL und von den letzten Scans, die ich im Rahmen der letzten Bearbeitung bei Giga.de ausführen sollte hochladen.

--HJT Logfile mit Verweis auf mein Problem:
Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:05:22, on 04.10.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\OpenOffice.org 3\program\soffice.exe
C:\Programme\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Java\jre6\bin\jucheck.exe
C:\Dokumente und Einstellungen\***\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [HDAudDeck] C:\Programme\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe

--
End of file - 4267 bytes
Wie schon im Titel genannt liegt mein Problem wohl hier:
Code:
ATTFilter
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
-------------------

---OTL Logfiles neueste:
OTL.txt
Code:
ATTFilter
OTL logfile created on: 04.10.2010 17:39:50 - Run 7
OTL by OldTimer - Version 3.2.5.0     Folder = C:\Dokumente und Einstellungen\***\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1.015,00 Mb Total Physical Memory | 457,00 Mb Available Physical Memory | 45,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 104,21 Gb Free Space | 69,92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: NETBOOK
Current User Name: ***
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2010.08.19 14:29:30 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2010.05.21 17:01:17 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
PRC - [2010.05.21 13:29:08 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Dokumente und Einstellungen\***\Desktop\HiJackThis.exe
PRC - [2009.09.21 14:07:11 | 000,386,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre6\bin\jucheck.exe
PRC - [2009.04.23 06:47:48 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.bin
PRC - [2009.04.23 06:46:40 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.exe
PRC - [2008.08.08 14:11:12 | 000,490,952 | ---- | M] (DT Soft Ltd) -- C:\Programme\DAEMON Tools Lite\daemon.exe
PRC - [2008.05.26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Desktop Search\WindowsSearch.exe
PRC - [2008.04.14 14:00:00 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010.05.21 17:01:17 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
MOD - [2008.04.14 14:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2004.10.22 04:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2010.02.11 14:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009.12.06 19:02:50 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2009.12.06 19:02:49 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009.12.06 18:12:52 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.07.10 11:03:04 | 001,381,632 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2008.07.10 10:33:00 | 000,306,176 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8187Se.sys -- (rtl8187Se)
DRV - [2008.04.14 14:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.04.14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2008.02.15 13:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.08.19 14:29:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.08.19 14:29:43 | 000,000,000 | ---D | M]
 
[2009.12.02 18:48:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Extensions
[2010.10.04 17:12:43 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\165y198c.default\extensions
[2009.12.03 00:23:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\Dome\Anwendungsdaten\Mozilla\Firefox\Profiles\165y198c.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.11.29 09:38:13 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.08.19 14:29:35 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.08.19 14:29:35 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.08.19 14:29:35 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.08.19 14:29:35 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.08.19 14:29:35 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.08.04 23:16:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Programme\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart\OpenOffice.org 3.1.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.09.18 21:19:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
 
========== Files - Modified Within 30 Days ==========
 
[2010.10.04 16:57:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.10.04 16:57:40 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.10.04 16:57:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.10.04 16:57:30 | 1064,685,568 | -HS- | M] () -- C:\hiberfil.sys
[2010.09.05 01:07:35 | 003,932,160 | -H-- | M] () -- C:\Dokumente und Einstellungen\***\NTUSER.DAT
[2010.09.05 01:07:35 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\***\ntuser.ini
[2010.09.05 01:07:29 | 005,359,762 | -H-- | M] () -- C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\IconCache.db
 
========== Files Created - No Company Name ==========
 
[2009.12.12 18:24:05 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2009.12.06 18:12:52 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.11.28 22:55:46 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009.11.28 22:55:39 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009.09.22 14:31:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009.09.21 10:45:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Belinea.ini
[2009.09.18 14:13:29 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2009.06.26 16:51:30 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008.10.07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008.10.07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008.05.26 22:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008.05.26 22:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008.05.26 22:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008.02.15 13:21:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
 
========== LOP Check ==========
 
[2010.08.05 08:32:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\96B0EE00D6ADE293A7082DD46387B32C
[2009.12.06 18:12:46 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\DAEMON Tools
[2009.11.29 13:57:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\OpenOffice.org
[2009.11.29 13:11:19 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\ScummVM
[2009.12.21 14:14:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Teeworlds
[2009.09.21 15:13:44 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Windows Desktop Search
[2009.11.30 18:29:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Windows Search
 
========== Purity Check ==========
 
 
< End of report >
Extra.txt:
Code:
ATTFilter
OTL logfile created on: 04.10.2010 17:39:50 - Run 7
OTL by OldTimer - Version 3.2.5.0     Folder = C:\Dokumente und Einstellungen\***\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1.015,00 Mb Total Physical Memory | 457,00 Mb Available Physical Memory | 45,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 149,05 Gb Total Space | 104,21 Gb Free Space | 69,92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: NETBOOK
Current User Name: ***
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2010.08.19 14:29:30 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2010.05.21 17:01:17 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
PRC - [2010.05.21 13:29:08 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Dokumente und Einstellungen\***\Desktop\HiJackThis.exe
PRC - [2009.09.21 14:07:11 | 000,386,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Java\jre6\bin\jucheck.exe
PRC - [2009.04.23 06:47:48 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.bin
PRC - [2009.04.23 06:46:40 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.exe
PRC - [2008.08.08 14:11:12 | 000,490,952 | ---- | M] (DT Soft Ltd) -- C:\Programme\DAEMON Tools Lite\daemon.exe
PRC - [2008.05.26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Desktop Search\WindowsSearch.exe
PRC - [2008.04.14 14:00:00 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010.05.21 17:01:17 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
MOD - [2008.04.14 14:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2004.10.22 04:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2010.02.11 14:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009.12.06 19:02:50 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2009.12.06 19:02:49 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009.12.06 18:12:52 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.07.10 11:03:04 | 001,381,632 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2008.07.10 10:33:00 | 000,306,176 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8187Se.sys -- (rtl8187Se)
DRV - [2008.04.14 14:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.04.14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2008.02.15 13:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.08.19 14:29:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.08.19 14:29:43 | 000,000,000 | ---D | M]
 
[2009.12.02 18:48:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Extensions
[2010.10.04 17:12:43 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\165y198c.default\extensions
[2009.12.03 00:23:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\165y198c.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009.11.29 09:38:13 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.08.19 14:29:35 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.08.19 14:29:35 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.08.19 14:29:35 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.08.19 14:29:35 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.08.19 14:29:35 | 000,000,801 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2010.08.04 23:16:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Programme\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart\OpenOffice.org 3.1.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.09.18 21:19:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========

 
========== Files - Modified Within 30 Days ==========
 
[2010.10.04 16:57:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.10.04 16:57:40 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.10.04 16:57:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.10.04 16:57:30 | 1064,685,568 | -HS- | M] () -- C:\hiberfil.sys
[2010.09.05 01:07:35 | 003,932,160 | -H-- | M] () -- C:\Dokumente und Einstellungen\***\NTUSER.DAT
[2010.09.05 01:07:35 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\***\ntuser.ini
[2010.09.05 01:07:29 | 005,359,762 | -H-- | M] () -- C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\IconCache.db
 
========== Files Created - No Company Name ==========
 
[2009.12.12 18:24:05 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2009.12.06 18:12:52 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.11.28 22:55:46 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009.11.28 22:55:39 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009.09.22 14:31:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009.09.21 10:45:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Belinea.ini
[2009.09.18 14:13:29 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2009.06.26 16:51:30 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008.10.07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008.10.07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008.10.07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008.05.26 22:23:36 | 000,016,834 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008.05.26 22:23:34 | 000,024,188 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008.05.26 22:23:32 | 000,016,568 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008.02.15 13:21:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
 
========== LOP Check ==========
 
[2010.08.05 08:32:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\96B0EE00D6ADE293A7082DD46387B32C
[2009.12.06 18:12:46 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\DAEMON Tools
[2009.11.29 13:57:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\OpenOffice.org
[2009.11.29 13:11:19 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\ScummVM
[2009.12.21 14:14:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Teeworlds
[2009.09.21 15:13:44 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Windows Desktop Search
[2009.11.30 18:29:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Windows Search
 
========== Purity Check ==========
< End of report >
--------------------------

So nun das interessantere und zwar hab ich da noch 2 weitere Scans.
Einmal von GMER das von GMER ist etwas älter... aber ich hab seitdem wirklich nichts an meinem Netbook gemacht also wird sich da doch nichts geändert haben, denke ich. Naja und dann eben noch von RootRepeal.

das erste Logfile vom automatische Scan von GMER:

Code:
ATTFilter
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit quick scan 2010-08-09 19:47:09
Windows 5.1.2600 Service Pack 3
Running: s11580co.exe; Driver: C:\DOKUME~1\***\LOKALE~1\Temp\uwldqpog.sys


---- System - GMER 1.0.15 ----

SSDT    spsj.sys                ZwEnumerateKey [0xF73A6CA2]
SSDT    spsj.sys                ZwEnumerateValueKey [0xF73A7030]

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  865681F8

---- EOF - GMER 1.0.15 ----
Dann das ausführliche, mit den Häkchen an: Drivers,Files,Processes,SSDT,Stealth Objects,Hidden Services,Shadow SSDT

Code:
ATTFilter
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-09 21:09:59
Windows 5.1.2600 Service Pack 3
Running: s11580co.exe; Driver: C:\DOKUME~1\***\LOKALE~1\Temp\uwldqpog.sys

---- System - GMER 1.0.15 ----

SSDT      spmv.sys                                                                                                             ZwCreateKey [0xF73880E0]
SSDT      spmv.sys                                                                                                             ZwEnumerateKey [0xF73A6CA2]
SSDT      spmv.sys                                                                                                             ZwEnumerateValueKey [0xF73A7030]
SSDT      spmv.sys                                                                                                             ZwOpenKey [0xF73880C0]
SSDT      spmv.sys                                                                                                             ZwQueryKey [0xF73A7108]
SSDT      spmv.sys                                                                                                             ZwQueryValueKey [0xF73A6F88]
SSDT      spmv.sys                                                                                                             ZwSetValueKey [0xF73A719A]

INT 0x62  ?                                                                                                                    86569BF8
INT 0x63  ?                                                                                                                    86548BF8
INT 0x82  ?                                                                                                                    86569BF8
INT 0xA4  ?                                                                                                                    86548BF8
INT 0xB4  ?                                                                                                                    86548BF8

---- Kernel code sections - GMER 1.0.15 ----

?         spmv.sys                                                                                                             Das System kann die angegebene Datei nicht finden. !
.text     USBPORT.SYS!DllUnload                                                                                                F6B7C8AC 5 Bytes  JMP 865481D8 
.text     axvjomqf.SYS                                                                                                         F6B2D386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text     axvjomqf.SYS                                                                                                         F6B2D3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text     axvjomqf.SYS                                                                                                         F6B2D3C4 3 Bytes  [00, 70, 02] {ADD [EAX+0x2], DH}
.text     axvjomqf.SYS                                                                                                         F6B2D3C9 1 Byte  [2E]
.text     axvjomqf.SYS                                                                                                         F6B2D3C9 11 Bytes  [2E, 00, 00, 00, 5A, 02, 00, ...]
.text     ...                                                                                                                  
.text     C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                               section is writeable [0xA9ED5300, 0x3B6D8, 0xE8000020]
.text     C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                               section is writeable [0xF78D0300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text     C:\WINDOWS\system32\SearchIndexer.exe[1480] kernel32.dll!WriteFile                                                   7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                   [F7389040] spmv.sys
IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                           [F738913C] spmv.sys
IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                  [F73890BE] spmv.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                          [F73897FC] spmv.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                  [F73896D2] spmv.sys
IAT       \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                   [F7399048] spmv.sys
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!KfAcquireSpinLock]                                                 C0840CEC
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!READ_PORT_UCHAR]                                                   053C0D74
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!KeGetCurrentIrql]                                                  57B80974
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!KfRaiseIrql]                                                       8B000000
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!KfLowerIrql]                                                       56C35DE5
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!HalGetInterruptVector]                                             8D08758B
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!HalTranslateBusAddress]                                            8D51FC4D
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!KeStallExecutionProcessor]                                         8D52FD55
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!KfReleaseSpinLock]                                                 8D51FE4D
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                           8D52FF55
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!READ_PORT_USHORT]                                                  8D51F84D
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                          5052F455
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                  EACAE856
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[WMILIB.SYS!WmiSystemControl]                                               0FC08520
IAT       \SystemRoot\System32\Drivers\axvjomqf.SYS[WMILIB.SYS!WmiCompleteRequest]                                             0001B185

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                               865681F8
Device    \Driver\usbehci \Device\USBPDO-0                                                                                     865311F8
Device    \Driver\NetBT \Device\NetBT_Tcpip_{F17C00ED-C6BC-49D5-A2F0-861DDAB418DF}                                             86004500
Device    \Driver\usbuhci \Device\USBPDO-1                                                                                     864F51F8
Device    \Driver\usbuhci \Device\USBPDO-2                                                                                     864F51F8
Device    \Driver\PCI_PNP9360 \Device\00000046                                                                                 spmv.sys
Device    \Driver\usbuhci \Device\USBPDO-3                                                                                     864F51F8
Device    \Driver\usbuhci \Device\USBPDO-4                                                                                     864F51F8
Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                               865DA1F8
Device    \Driver\Cdrom \Device\CdRom0                                                                                         863E41F8
Device    \Driver\Cdrom \Device\CdRom1                                                                                         863E41F8
Device    \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                                          [F7301B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                   [F7301B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdePort1                                                                                   [F7301B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\Cdrom \Device\CdRom2                                                                                         863E41F8
Device    \Driver\Cdrom \Device\CdRom3                                                                                         863E41F8
Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                              86004500
Device    \Driver\NetBT \Device\NetbiosSmb                                                                                     86004500
Device    \Driver\NetBT \Device\NetBT_Tcpip_{07E6D699-3D91-4155-AC03-B124EE196EF2}                                             86004500
Device    \Driver\usbuhci \Device\USBFDO-0                                                                                     864F51F8
Device    \Driver\usbuhci \Device\USBFDO-1                                                                                     864F51F8
Device    \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                    85E53500
Device    \Driver\usbuhci \Device\USBFDO-2                                                                                     864F51F8
Device    \FileSystem\MRxSmb \Device\LanmanRedirector                                                                          85E53500
Device    \Driver\usbuhci \Device\USBFDO-3                                                                                     864F51F8
Device    \Driver\usbehci \Device\USBFDO-4                                                                                     865311F8
Device    \Driver\Ftdisk \Device\FtControl                                                                                     865DA1F8
Device    \Driver\sptd \Device\427218110                                                                                       spmv.sys
Device    \Driver\axvjomqf \Device\Scsi\axvjomqf1Port2Path0Target0Lun0                                                         86422500
Device    \Driver\axvjomqf \Device\Scsi\axvjomqf1                                                                              86422500
Device    \Driver\axvjomqf \Device\Scsi\axvjomqf1Port2Path0Target2Lun0                                                         86422500
Device    \Driver\axvjomqf \Device\Scsi\axvjomqf1Port2Path0Target3Lun0                                                         86422500
Device    \Driver\axvjomqf \Device\Scsi\axvjomqf1Port2Path0Target1Lun0                                                         86422500
Device    \FileSystem\Cdfs \Cdfs                                                                                               85E3C500

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Programme\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0xCF 0x91 0x43 0x7F ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xA4 0x3E 0x42 0x54 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0xA2 0x68 0x37 0x43 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                    0xF8 0xCE 0xB2 0xD1 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                    0x42 0x99 0x13 0xCC ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                    0x37 0x77 0xC2 0x6E ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Programme\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0xCF 0x91 0x43 0x7F ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xA4 0x3E 0x42 0x54 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0xA2 0x68 0x37 0x43 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                    0xF8 0xCE 0xB2 0xD1 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                    0x42 0x99 0x13 0xCC ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                    0x37 0x77 0xC2 0x6E ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                   771343423
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                   285507792
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                   1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                     
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                  C:\Programme\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                               0xCF 0x91 0x43 0x7F ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                            
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                         0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0xA4 0x3E 0x42 0x54 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0xA2 0x68 0x37 0x43 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                0xF8 0xCE 0xB2 0xD1 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                0x42 0x99 0x13 0xCC ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43                      
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                0x37 0x77 0xC2 0x6E ...

---- EOF - GMER 1.0.15 ----
-----------------------------------
UND last but not least von Rootrepeal, alle Häkchen aktiviert:

Code:
ATTFilter
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2010/10/04 18:04
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA355000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AB8000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_PNP6070
Image Path: \Driver\PCI_PNP6070
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA957F000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: spjc.sys
Image Path: spjc.sys
Address: 0xF7387000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\Dome\Anwendungsdaten\Mozilla\Firefox\Profiles\165y198c.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 041	Function Name: NtCreateKey
Status: Hooked by "spjc.sys" at address 0xf73880e0

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spjc.sys" at address 0xf73a6ca2

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spjc.sys" at address 0xf73a7030

#: 119	Function Name: NtOpenKey
Status: Hooked by "spjc.sys" at address 0xf73880c0

#: 160	Function Name: NtQueryKey
Status: Hooked by "spjc.sys" at address 0xf73a7108

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spjc.sys" at address 0xf73a6f88

#: 247	Function Name: NtSetValueKey
Status: Hooked by "spjc.sys" at address 0xf73a719a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x865681f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System	Address: 0x8645a1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x865da1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x85e9a1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x85e9a1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x85e9a1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x85e9a1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x85e9a1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x85e9a1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x863cf1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8652b3e8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: ae4z893t؅䵃慄؁ఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System	Address: 0x864241f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x85e581f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_CREATE]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_CLOSE]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_READ]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_CLEANUP]
Process: System	Address: 0x85e2a1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅敓捁尀ﰀ؂ఆ䵃킘ﺠ, IRP_MJ_PNP]
Process: System	Address: 0x85e2a1f8	Size: 121

==EOF==
--------------------

Ok ich gebe zu, das ist nicht wenig aber dann dürften fürs erste keine Fragen offen bleiben . Ich hoffe wirklich, dass mir hier jemand helfen kann und möchte und dass ich nicht wieder vergessen werde
Nun gut Spaß beiseite, ich fänds also echt klasse, wenn mir jemand helfen köönnte und lasst euch nicht von der Masse von Infos erschlagen!

Grüße
Demonico

 

Themen zu Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS
0x00000001, bearbeitung, components, controlset002, desktop, error, firefox, format, frage, giga.de, hal.dll, hijack, hijackthis, hkus\s-1-5-18, home, homepage, internet, internet explorer, location, logfile, mozilla, nicht sicher, nodrives, object, oldtimer, problem, proxy, realtek, registry, rootkit, rootkit gmer rootrepeal hjt otl, searchplugins, security, software, sptd.sys, system, usbport.sys, windows, windows xp


« Pc laggt / internet langsam / speicherprobleme? | WOW Account gehackt, Festplatte/Emailaccout/IM betroffen? »


Ähnliche Themen: Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS


  1. Malware in Hkcu/Microsoft/Windows/CurrentVersion/Run/BackgroundContainer
    Plagegeister aller Art und deren Bekämpfung - 14.12.2013 (18)
  2. 2 Trojaner gefunden HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ytnaopy
    Log-Analyse und Auswertung - 24.05.2013 (56)
  3. Trojaner in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nicht dauerhaft löschbar
    Plagegeister aller Art und deren Bekämpfung - 27.02.2013 (32)
  4. Trojaner Trojan.Agent.Gen in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run¦1
    Log-Analyse und Auswertung - 02.02.2013 (24)
  5. Virus lässt sich nicht dauerhaft entfernen trotz Malware Progr. - HKCU/Software/VB an VBA Program settings/SrvID
    Plagegeister aller Art und deren Bekämpfung - 20.01.2013 (20)
  6. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dll (Trojan.Agent) -> Daten: C:\Users\Papa\AppData\Roaming\dll\svchost.exe -> Keine Aktio
    Log-Analyse und Auswertung - 13.01.2013 (10)
  7. Trojan.Ransom Registry Value HKCU\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\Windows|Load
    Plagegeister aller Art und deren Bekämpfung - 27.10.2012 (31)
  8. (Trojan.ZbotR.Gen) in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{F94BBF9C-6512-2F70-5CF8-03CA54A5F682}
    Log-Analyse und Auswertung - 28.09.2012 (45)
  9. Trojan.Ransom Registry Value HKCU\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\Windows|Load
    Plagegeister aller Art und deren Bekämpfung - 26.08.2012 (10)
  10. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom)
    Plagegeister aller Art und deren Bekämpfung - 20.07.2012 (10)
  11. R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    Log-Analyse und Auswertung - 22.04.2012 (3)
  12. Gleiches Problem wie Backdoor.Agent in HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Sh
    Plagegeister aller Art und deren Bekämpfung - 06.03.2012 (12)
  13. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{975670D0-7EFB-.....
    Plagegeister aller Art und deren Bekämpfung - 29.02.2012 (26)
  14. Backdoor.Agent in HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell
    Plagegeister aller Art und deren Bekämpfung - 28.01.2012 (13)
  15. O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
    Mülltonne - 02.12.2008 (0)
  16. Diablo Keylogger HKCU\Software\VB and VBA Program Settings\Options\Windows XP
    Mülltonne - 14.09.2006 (1)
  17. 06 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    Log-Analyse und Auswertung - 30.12.2005 (1)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS - Hallo! neues Mitglied erbittet Hilfe bei Problem ^^ Also mit diesem Problem habe ich mich zunächst an ein anderer Forum (ja Schande über mich) gewandt (Giga.de). Dort hat man mir - Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS...
Archiv
Du betrachtest: Virus/Rootki Problem:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyS auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131