Pests of all kinds and how to fight them: winlogon (Windows 7)
11.11.2010, 23:14 | #16 |
/// Winkelfunktion /// TB-Süch-Tiger™ | winlogon
Haven't you uninstalled ZoneAlarm yet? We have to go at it with CF once more: => File-Upload.net - cosinus.zip
Download cosinus.zip and extract it to c:\cosinus, then proceed as before:
ComboFix - scripting
1. Start Notepad (Start / Run / notepad [Enter])
2. Now copy/paste the entire contents of the code box below into the Notepad window.
Code:
FCopy::
c:\cosinus\explorer.exe | c:\windows\explorer.exe
c:\cosinus\winlogon.exe | c:\windows\system32\winlogon.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4547:TCP"=-

3. In Notepad, save it as CFScript.txt on the Desktop.
4. Disable the guard of your antivirus program and any software firewall that may be installed. (Also the guards of ad-/spyware programs and the TeaTimer, if present!)
5. Then drag CFScript.txt onto cofi.exe, as shown in the picture below. This restarts ComboFix.
6. After the reboot (you will be asked whether you want to reboot), please post the following log files: Combofix.txt
Note: The script above was created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, as it can permanently damage the system!
__________________
Please always post logfiles in CODE tags
12.11.2010, 01:26 | #17 |
winlogon
ZoneAlarm was uninstalled, already the first time round.
__________________
Combofix Logfile:
Code:
ATTFilter ComboFix 10-11-07.A2 - Martin 12.11.2010 1:16.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.43.1033.18.2047.1526 [GMT 1:00] ausgeführt von:: c:\documents and settings\Martin\Desktop\cofi.exe Benutzte Befehlsschalter :: c:\documents and settings\Martin\Desktop\CFScript.txt FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\explorer.exe C:\winlogon.exe c:\windows\system32\winlogon.exe . . . ist infiziert!! Infizierte Kopie von c:\windows\explorer.exe wurde gefunden und desinfiziert Kopie von - c:\windows\ServicePackFiles\i386\explorer.exe wurde wiederhergestellt . ((((((((((((((((((((((( Dateien erstellt von 2010-10-12 bis 2010-11-12 )))))))))))))))))))))))))))))) . 2010-11-08 21:58 . 2010-11-08 21:58 -------- d-----w- C:\_OTL 2010-11-06 22:43 . 2010-11-06 22:44 -------- d-----w- C:\!KillBox 2010-11-06 09:31 . 2010-11-06 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\KONAMI 2010-11-05 22:03 . 2001-08-17 12:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys 2010-11-05 22:02 . 2001-08-17 21:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll 2010-11-05 22:01 . 2001-08-17 11:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys 2010-11-05 22:00 . 2001-08-17 12:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys 2010-11-05 21:59 . 2001-08-17 11:50 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys 2010-11-05 21:58 . 2001-08-17 21:36 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll 2010-11-05 21:57 . 2001-08-17 13:07 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys 2010-11-05 21:56 . 2001-08-17 11:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys 2010-11-05 21:55 . 2008-04-13 23:16 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys 2010-11-05 21:54 . 
2001-08-17 21:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll 2010-11-05 21:53 . 2001-08-17 21:36 61952 -c--a-w- c:\windows\system32\dllcache\icam4ext.dll 2010-11-05 21:52 . 2001-08-17 21:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll 2010-11-05 21:51 . 2001-08-17 11:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys 2010-11-05 21:51 . 2001-08-17 11:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys 2010-11-05 21:51 . 2001-08-17 11:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys 2010-11-05 21:51 . 2001-08-17 11:12 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys 2010-11-05 21:51 . 2001-08-17 11:11 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys 2010-11-05 21:51 . 2001-08-17 11:11 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys 2010-11-05 21:51 . 2001-08-17 12:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys 2010-11-05 21:51 . 2001-08-17 11:12 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys 2010-11-05 21:47 . 2001-08-17 21:36 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll 2010-11-05 21:46 . 2001-08-17 12:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys 2010-11-05 20:45 . 2010-11-11 21:10 513024 ----a-w- c:\windows\system32\winlogon.exe 2010-11-05 14:44 . 2010-11-05 14:44 -------- d-----w- c:\documents and settings\Martin\Application Data\AVG10 2010-11-05 14:44 . 2010-11-05 14:44 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2010-11-05 14:44 . 2010-11-12 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2010-11-05 14:44 . 2010-11-05 14:44 -------- d-----w- c:\program files\AVG 2010-11-05 14:37 . 2010-11-05 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2010-11-05 14:12 . 2010-11-05 14:12 -------- d-----w- c:\program files\Enigma Software Group 2010-11-03 04:52 . 
2010-11-03 04:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-11-02 18:39 . 2010-06-28 12:00 46592 ----a-w- c:\windows\system32\vsutil_loc0407.dll 2010-11-02 18:07 . 2008-04-14 04:42 1033728 ----a-w- c:\windows\explorer.exe 2010-11-02 17:58 . 2010-11-05 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2010-11-02 16:57 . 2010-11-11 20:54 -------- d-----w- c:\windows\Internet Logs 2010-11-02 16:41 . 2010-11-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg 2010-11-02 16:38 . 2010-11-02 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure 2010-11-01 16:34 . 2010-11-01 16:34 -------- d-----w- c:\documents and settings\Martin\Application Data\TrojanHunter 2010-10-27 22:04 . 2010-10-27 22:05 -------- d-----w- c:\documents and settings\Martin\Local Settings\Application Data\Temp 2010-10-26 17:20 . 2010-10-26 17:21 -------- d-----w- c:\program files\Graboid 2010-10-26 10:52 . 2010-10-26 10:52 -------- d-----w- c:\documents and settings\Martin\Application Data\Malwarebytes 2010-10-26 10:41 . 2010-10-26 10:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-10-26 10:41 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-10-26 10:41 . 2010-10-26 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-10-26 10:41 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-10-26 10:36 . 2010-10-26 10:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\ProgSense 2010-10-26 10:36 . 2010-10-26 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit 2010-10-26 10:33 . 2010-10-26 10:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2010-10-26 09:34 . 
2010-10-26 09:35 -------- d-----w- c:\documents and settings\Martin\Application Data\FCAAC60ADBD2A67431F87ADADD3EE6E0 2010-10-25 17:55 . 2010-10-25 17:56 -------- d-----w- c:\documents and settings\Martin\Application Data\Youtube Downloader HD . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-12 00:13 . 2010-11-12 00:13 687173 ----a-w- C:\cosinus.zip . ------- Sigcheck ------- [-] 2010-11-11 . 2F1F63845DB7EB2C6BD4EAB69F2B728C . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe [-] 2008-04-14 . 358F7515ABCDCBB13201A42BEADD170E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe . ((((((((((((((((((((((((((((( SnapShot@2010-11-09_06.19.13 ))))))))))))))))))))))))))))))))))))))))) . + 2010-11-12 00:21 . 2010-11-12 00:21 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat + 2010-11-11 21:23 . 2010-11-11 21:23 16384 c:\windows\Temp\Perflib_Perfdata_614.dat + 2004-08-04 12:00 . 2010-11-09 06:22 83950 c:\windows\system32\perfc009.dat - 2004-08-04 12:00 . 2010-11-02 18:23 83950 c:\windows\system32\perfc009.dat + 2004-08-04 12:00 . 2010-11-09 06:22 476318 c:\windows\system32\perfh009.dat - 2004-08-04 12:00 . 2010-11-02 18:23 476318 c:\windows\system32\perfh009.dat + 2010-11-11 21:49 . 2010-11-11 21:49 3019264 c:\windows\Installer\1796a9.msi + 2010-11-11 21:48 . 2010-11-11 21:48 1543680 c:\windows\Installer\1796a5.msi . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVer HID Receiver.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVer HID Receiver.lnk backup=c:\windows\pss\AVer HID Receiver.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVerQuick.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVerQuick.lnk backup=c:\windows\pss\AVerQuick.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^Folding@home-gpu.lnk] path=c:\documents and settings\Martin\Start Menu\Programs\Startup\Folding@home-gpu.lnk backup=c:\windows\pss\Folding@home-gpu.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] path=c:\documents and settings\Martin\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] 2009-12-21 17:35 640440 ----a-w- f:\software\Adobe\Acrobat 9.0\Acrobat\acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher] 2009-12-22 00:26 38840 ----a-w- f:\software\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager] 2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6] 2010-02-05 19:50 2521464 ----a-w- c:\program 
files\Common Files\Adobe\Updater6\Adobe_Updater.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] 2009-03-02 09:14 57344 ----a-w- c:\windows\ALCMTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare] 2007-10-04 16:38 307200 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] 2008-12-29 10:40 687560 ----a-w- e:\program\DAEMON Tools Lite\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2008-10-25 10:44 31072 ----a-w- e:\program\Microsoft Office\Office12\GrooveMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon] 2008-11-06 11:21 1548296 ----a-w- c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore] 2008-11-06 11:39 2816520 ----a-w- c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDevAgt] 2008-11-06 11:41 358920 ----a-w- c:\program files\Logitech\GamePanel Software\LGDevAgt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] 2009-10-06 14:34 18750976 ----a-w- c:\windows\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S7UB Start] 2008-07-14 23:02 102453 ----a-w- e:\program files\Common Files\Siemens\S7UBTOOX\S7ubTstx.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] 2009-12-11 14:38 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-01-11 14:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMonitorVMUVC] 2008-06-16 01:02 135168 ----a-w- c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "gupdate1c9dc50e11d5e64"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "e:\\Program\\BitTorrent\\bittorrent.exe"= "e:\\Program Files\\Orbitdownloader\\orbitdm.exe"= "e:\\Program Files\\Orbitdownloader\\orbitnet.exe"= R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2009 1:18 AM 717296] R2 almservice;Automation License Manager Service;e:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [5/20/2008 3:10 PM 1146880] R2 AVerRemote;AVerRemote;c:\program files\Common Files\AVerMedia\Service\AVerRemote.exe [6/18/2010 7:26 PM 344064] R2 AVerScheduleService;AVerScheduleService;c:\program files\Common Files\AVerMedia\Service\AVerScheduleService.exe [6/18/2010 7:26 PM 389120] R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 3:47 PM 28363] R2 IGDCTRL;AVM IGD CTRL Service;e:\program\FRITZ!DSL\IGDCTRL.EXE [9/4/2007 10:14 AM 87344] R2 s7asysvx;S7 Global Services;g:\program\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 7:02 PM 69685] R2 s7oiehsx;SIMATIC IEPG Help Service;e:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [7/3/2008 1:30 PM 
1571912] R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [7/3/2008 1:04 PM 31232] R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [7/30/2007 12:06 PM 71168] R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [7/3/2008 1:30 PM 240712] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016] S3 AF05BDA;Cinergy T USB XE service;c:\windows\system32\drivers\AF05BDA.sys [4/25/2009 4:48 PM 117376] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/19/2009 4:27 PM 1684736] S3 AVerAF35;AVerMedia A835 USB DVB-T;c:\windows\system32\drivers\AVerAF35.sys [6/18/2010 7:28 PM 474880] S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?] S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2/11/2010 1:19 PM 36608] S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512] S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [9/2/2010 8:00 AM 252032] S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [9/2/2010 8:00 AM 398720] S4 gupdate1c9dc50e11d5e64;Google Update Service (gupdate1c9dc50e11d5e64);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 10:20 AM 133104] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper . 
Inhalt des "geplante Tasks" Ordners 2010-11-07 c:\windows\Tasks\Driver Robot.job - c:\program files\Driver Robot\1.1.0.13\DriverRobot.exe [2009-10-18 20:35] 2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20] 2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.com/ IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201 IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: An vorhandene PDF-Datei anfügen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203 IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202 IE: In Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Linkziel in Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Nach Microsoft E&xel exportieren - e:\program\MICROS~1\Office12\EXCEL.EXE/3000 IE: Save Flash - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 IE: Save YouTube Video - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217 FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\hag7fc90.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q= FF - prefs.js: browser.search.selectedEngine - Wikipedia (de) FF - prefs.js: browser.startup.homepage - 
www.google.at FF - component: e:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: e:\program\Google\Picasa3\npPicasa3.dll FF - plugin: e:\program\VideoLAN\VLC\npvlc.dll ---- FIREFOX Richtlinien ---- e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified e:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-11-12 01:21 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... 
Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:20,77,a7,13,4d,57,e7,e8,f0,71,d5,4e,f0,fe,81,02,ba,e8,04,20,06,f0,12, ff,a0,3a,e8,55,45,eb,4e,ba,69,97,3d,64,ae,00,f3,4c,ba,e1,09,ca,88,7d,80,8c,\ "??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49 [HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\License information*] "datasecu"=hex:7d,b4,35,b9,89,0b,d1,22,ec,e3,6a,6c,19,e1,c7,73,d3,d5,30,67,23, 55,da,9f,42,e1,82,db,07,d2,9f,27,e8,e9,44,bb,dc,19,cb,aa,98,73,df,bb,29,2e,\ "rkeysecu"=hex:9b,04,a8,92,08,fb,4f,36,8b,5e,a1,13,bb,bb,01,d1 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version] "Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57, 91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\ [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] 
@="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version] "Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57, 91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\ . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(560) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3828) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe e:\program\CDBurnerXP\NMSAccessU.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . ************************************************************************** . Zeit der Fertigstellung: 2010-11-12 01:23:49 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2010-11-12 00:23 ComboFix2.txt 2010-11-11 21:25 ComboFix3.txt 2010-11-09 06:21 Vor Suchlauf: 15.900.323.840 bytes free Nach Suchlauf: 15.885.885.440 bytes free - - End Of File - - 83E136E3E9300873900DE65411C35A21 |
12.11.2010, 06:14 | #18 |
/// Winkelfunktion /// TB-Süch-Tiger™ | winlogon
It can't be fixed with CF.
__________________
PartedMagic
1. Download the PartedMagic ISO image; it should be about 70 MB.
2. Burn it to CD using the image-burning function, e.g. with ImgBurn or with Nero's image-burning function under Windows.
3. Boot from the burned CD, choose option 1 in the boot menu and wait until the Linux desktop is up.
4. You should find an icon "Mount Devices"; double-click it.
5. Mount the partition where Windows is installed; usually it is /dev/sda1.
6. On the Windows partition, rename the files: /windows/system32/winlogon.exe to winlogon.vir, /windows/explorer.exe to explorer.vir
7. Copy the two clean files from cosinus.zip (unpack it first via right-click if necessary) into the respective folders: winlogon.exe to windows/system32, explorer.exe into the windows folder.
8. Restart the computer and boot Windows.
9. Have the files you renamed under Linux analysed at Virustotal.com and post the result links.
__________________
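The Sigcheck section of the ComboFix log above is what shows that a CF fix did not hold: the live explorer.exe still carries a different MD5 than the ServicePackFiles\i386 copy it had just been restored from, and winlogon.exe has no reference copy listed at all. The following Python is an added example, not code from ComboFix or from this thread; it parses Sigcheck lines (RUN1 is copied from the log above), compares each live file with its ServicePackFiles reference, and diffs two runs to spot a replaced file whose hash changed again (RUN2 is constructed for illustration, its hashes are invented).

```python
"""Check ComboFix Sigcheck lines against the ServicePackFiles reference copy.

Added example for this thread; it is not code from ComboFix or the board.
ComboFix prints one line per checked system file: [-] means the file failed
its check, [7] marks the backup copy under ServicePackFiles\\i386.  The
constants RUN1 (copied from the log posted above) and RUN2 (constructed,
invented hashes) are sample input so the script runs offline.
"""
import re

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Directory that holds the known-good copies ComboFix compares against.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"

# Sigcheck lines exactly as posted in the ComboFix log above.
RUN1 = r"""
[-] 2010-11-11 . 2F1F63845DB7EB2C6BD4EAB69F2B728C . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 358F7515ABCDCBB13201A42BEADD170E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
"""

# A constructed second run (hashes invented): explorer.exe has changed again
# after a clean copy was put back, winlogon.exe is unchanged.
RUN2 = r"""
[-] 2010-11-11 . 2F1F63845DB7EB2C6BD4EAB69F2B728C . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2010-11-14 . 0123456789ABCDEF0123456789ABCDEF . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
"""


def parse_sigcheck(text):
    """Return one dict per well-formed Sigcheck line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()  # NTFS paths are case-insensitive
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def is_reference(entry):
    """True for the ServicePackFiles copy, i.e. the known-good baseline."""
    return REFERENCE_DIR in entry["path"]


def check_against_reference(entries):
    """Verdict per live file: 'ok', 'mismatch' or 'no-reference'.

    A live file counts as ok only if both MD5 and size equal the reference
    copy of the same file name; with no reference listed, nothing can be
    concluded from the log alone.
    """
    refs = {e["name"]: e for e in entries if is_reference(e)}
    verdicts = {}
    for e in entries:
        if is_reference(e):
            continue
        ref = refs.get(e["name"])
        if ref is None:
            verdicts[e["path"]] = "no-reference"
        elif e["md5"] == ref["md5"] and e["size"] == ref["size"]:
            verdicts[e["path"]] = "ok"
        else:
            verdicts[e["path"]] = "mismatch"
    return verdicts


def diff_runs(first, second):
    """Live files whose MD5 differs between two runs: {path: (old, new)}.

    A hash that changes right after a clean copy was written back means the
    replaced file was modified again, so the infection is still active.
    """
    old = {e["path"]: e for e in first if not is_reference(e)}
    changed = {}
    for e in second:
        if is_reference(e):
            continue
        prev = old.get(e["path"])
        if prev is not None and prev["md5"] != e["md5"]:
            changed[e["path"]] = (prev["md5"], e["md5"])
    return changed


if __name__ == "__main__":
    run1, run2 = parse_sigcheck(RUN1), parse_sigcheck(RUN2)
    for path, verdict in check_against_reference(run1).items():
        print(f"{verdict:13} {path}")
    for path, (old, new) in diff_runs(run1, run2).items():
        print(f"changed       {path}: {old} -> {new}")
```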
14.11.2010, 11:40 | #19 |
winlogon
Hi, so the new .exe files would be OK? What do I do with the .vir files, delete them? How can I avoid such a case in the future? I have always used AVG Free and have had no trouble until now.
Here are the links:
explorer: hxxp://www.virustotal.com/file-scan/reanalysis.html?id=34205b1a8f2b67ad40c7268956ce0b986f5efd096022591c8a11206744f4fb70-1289730818
hxxp://www.virustotal.com/file-scan/report.html?id=34205b1a8f2b67ad40c7268956ce0b986f5efd096022591c8a11206744f4fb70-1289730818
winlogon: hxxp://www.virustotal.com/file-scan/report.html?id=15bfd2571480a86f939b3280dc6ef87ae6c17536ec4091fa9acb655e7fd6c041-1289730918
Regards, Martin
14.11.2010, 18:43 | #20 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | winlogon
Quote:
Please do another run with CF using a fresh cofi.exe - I want to see whether replacing the files has lasting success this time, or whether the files copied back recently have been infected again: ComboFix - A guide and tutorial on using ComboFix
ComboFix may only be run if a helper has expressly recommended it!
__________________
Please always post logfiles in CODE tags
14.11.2010, 20:35 | #21 |
winlogon
Hi, Combofix Logfile:
Code:
ATTFilter ComboFix 10-11-13.01 - Martin 14.11.2010 20:30:17.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.43.1033.18.2047.1526 [GMT 1:00] ausgeführt von:: c:\documents and settings\Martin\Desktop\ComboFix.exe FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} * Neuer Wiederherstellungspunkt wurde erstellt . ((((((((((((((((((((((( Dateien erstellt von 2010-10-14 bis 2010-11-14 )))))))))))))))))))))))))))))) . 2010-11-14 10:14 . 2010-11-11 22:10 1036800 ----a-w- c:\windows\explorer.exe 2010-11-14 10:14 . 2010-11-11 22:09 513024 ----a-w- c:\windows\system32\winlogon.exe 2010-11-08 21:58 . 2010-11-08 21:58 -------- d-----w- C:\_OTL 2010-11-06 22:43 . 2010-11-06 22:44 -------- d-----w- C:\!KillBox 2010-11-06 09:31 . 2010-11-06 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\KONAMI 2010-11-05 22:03 . 2001-08-17 12:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys 2010-11-05 22:02 . 2001-08-17 21:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll 2010-11-05 22:01 . 2001-08-17 11:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys 2010-11-05 22:00 . 2001-08-17 12:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys 2010-11-05 21:59 . 2001-08-17 11:50 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys 2010-11-05 21:58 . 2001-08-17 21:36 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll 2010-11-05 21:57 . 2001-08-17 13:07 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys 2010-11-05 21:56 . 2001-08-17 11:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys 2010-11-05 21:55 . 2008-04-13 23:16 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys 2010-11-05 21:54 . 2001-08-17 21:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll 2010-11-05 21:53 . 2001-08-17 21:36 61952 -c--a-w- c:\windows\system32\dllcache\icam4ext.dll 2010-11-05 21:52 . 2001-08-17 21:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll 2010-11-05 21:51 . 
2001-08-17 11:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys 2010-11-05 21:51 . 2001-08-17 11:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys 2010-11-05 21:51 . 2001-08-17 11:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys 2010-11-05 21:51 . 2001-08-17 11:12 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys 2010-11-05 21:51 . 2001-08-17 11:11 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys 2010-11-05 21:51 . 2001-08-17 11:11 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys 2010-11-05 21:51 . 2001-08-17 12:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys 2010-11-05 21:51 . 2001-08-17 11:12 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys 2010-11-05 21:47 . 2001-08-17 21:36 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll 2010-11-05 21:46 . 2001-08-17 12:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys 2010-11-05 20:45 . 2010-11-11 21:10 513024 ----a-w- c:\windows\system32\winlogon.vir 2010-11-05 14:44 . 2010-11-05 14:44 -------- d-----w- c:\documents and settings\Martin\Application Data\AVG10 2010-11-05 14:44 . 2010-11-05 14:44 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2010-11-05 14:44 . 2010-11-12 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2010-11-05 14:44 . 2010-11-05 14:44 -------- d-----w- c:\program files\AVG 2010-11-05 14:37 . 2010-11-05 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2010-11-05 14:12 . 2010-11-05 14:12 -------- d-----w- c:\program files\Enigma Software Group 2010-11-03 04:52 . 2010-11-03 04:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-11-02 18:39 . 2010-06-28 12:00 46592 ----a-w- c:\windows\system32\vsutil_loc0407.dll 2010-11-02 18:07 . 2008-04-14 04:42 1033728 ----a-w- c:\windows\explorer.vir 2010-11-02 17:58 . 
2010-11-05 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2010-11-02 16:57 . 2010-11-11 20:54 -------- d-----w- c:\windows\Internet Logs 2010-11-02 16:41 . 2010-11-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg 2010-11-02 16:38 . 2010-11-02 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure 2010-11-01 16:34 . 2010-11-01 16:34 -------- d-----w- c:\documents and settings\Martin\Application Data\TrojanHunter 2010-10-27 22:04 . 2010-10-27 22:05 -------- d-----w- c:\documents and settings\Martin\Local Settings\Application Data\Temp 2010-10-26 17:20 . 2010-10-26 17:21 -------- d-----w- c:\program files\Graboid 2010-10-26 10:52 . 2010-10-26 10:52 -------- d-----w- c:\documents and settings\Martin\Application Data\Malwarebytes 2010-10-26 10:41 . 2010-10-26 10:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-10-26 10:41 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-10-26 10:41 . 2010-10-26 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-10-26 10:41 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-10-26 10:36 . 2010-10-26 10:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\ProgSense 2010-10-26 10:36 . 2010-10-26 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit 2010-10-26 10:33 . 2010-10-26 10:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2010-10-26 09:34 . 2010-10-26 09:35 -------- d-----w- c:\documents and settings\Martin\Application Data\FCAAC60ADBD2A67431F87ADADD3EE6E0 2010-10-25 17:55 . 2010-10-25 17:56 -------- d-----w- c:\documents and settings\Martin\Application Data\Youtube Downloader HD . 
(((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-12 00:13 . 2010-11-12 00:13 687173 ----a-w- C:\cosinus.zip . ------- Sigcheck ------- [-] 2010-11-11 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe [-] 2010-11-11 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe . ((((((((((((((((((((((((((((( SnapShot@2010-11-09_06.19.13 ))))))))))))))))))))))))))))))))))))))))) . + 2010-11-14 10:28 . 2010-11-14 10:28 16384 c:\windows\Temp\Perflib_Perfdata_678.dat + 2004-08-04 12:00 . 2010-11-09 06:22 83950 c:\windows\system32\perfc009.dat - 2004-08-04 12:00 . 2010-11-02 18:23 83950 c:\windows\system32\perfc009.dat + 2004-08-04 12:00 . 2010-11-09 06:22 476318 c:\windows\system32\perfh009.dat - 2004-08-04 12:00 . 2010-11-02 18:23 476318 c:\windows\system32\perfh009.dat + 2010-11-11 21:49 . 2010-11-11 21:49 3019264 c:\windows\Installer\1796a9.msi + 2010-11-11 21:48 . 2010-11-11 21:48 1543680 c:\windows\Installer\1796a5.msi . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVer HID Receiver.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVer HID Receiver.lnk backup=c:\windows\pss\AVer HID Receiver.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVerQuick.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVerQuick.lnk backup=c:\windows\pss\AVerQuick.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^Folding@home-gpu.lnk] path=c:\documents and settings\Martin\Start Menu\Programs\Startup\Folding@home-gpu.lnk backup=c:\windows\pss\Folding@home-gpu.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk] path=c:\documents and settings\Martin\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] 2009-12-21 17:35 640440 ----a-w- f:\software\Adobe\Acrobat 9.0\Acrobat\acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher] 2009-12-22 00:26 38840 ----a-w- f:\software\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager] 2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6] 2010-02-05 19:50 2521464 ----a-w- c:\program 
files\Common Files\Adobe\Updater6\Adobe_Updater.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] 2009-03-02 09:14 57344 ----a-w- c:\windows\ALCMTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare] 2007-10-04 16:38 307200 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] 2008-12-29 10:40 687560 ----a-w- e:\program\DAEMON Tools Lite\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2008-10-25 10:44 31072 ----a-w- e:\program\Microsoft Office\Office12\GrooveMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon] 2008-11-06 11:21 1548296 ----a-w- c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore] 2008-11-06 11:39 2816520 ----a-w- c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDevAgt] 2008-11-06 11:41 358920 ----a-w- c:\program files\Logitech\GamePanel Software\LGDevAgt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] 2009-10-06 14:34 18750976 ----a-w- c:\windows\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S7UB Start] 2008-07-14 23:02 102453 ----a-w- e:\program files\Common Files\Siemens\S7UBTOOX\S7ubTstx.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] 2009-12-11 14:38 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-01-11 14:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMonitorVMUVC] 2008-06-16 01:02 135168 ----a-w- c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "gupdate1c9dc50e11d5e64"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "e:\\Program\\BitTorrent\\bittorrent.exe"= "e:\\Program Files\\Orbitdownloader\\orbitdm.exe"= "e:\\Program Files\\Orbitdownloader\\orbitnet.exe"= "g:\\Games\\PES11\\pes2011.exe"= R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2009 1:18 AM 717296] R2 almservice;Automation License Manager Service;e:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [5/20/2008 3:10 PM 1146880] R2 AVerRemote;AVerRemote;c:\program files\Common Files\AVerMedia\Service\AVerRemote.exe [6/18/2010 7:26 PM 344064] R2 AVerScheduleService;AVerScheduleService;c:\program files\Common Files\AVerMedia\Service\AVerScheduleService.exe [6/18/2010 7:26 PM 389120] R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 3:47 PM 28363] R2 IGDCTRL;AVM IGD CTRL Service;e:\program\FRITZ!DSL\IGDCTRL.EXE [9/4/2007 10:14 AM 87344] R2 s7asysvx;S7 Global Services;g:\program\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 7:02 PM 69685] R2 s7oiehsx;SIMATIC IEPG Help Service;e:\program files\Common 
Files\Siemens\S7IEPG\s7oiehsx.exe [7/3/2008 1:30 PM 1571912] R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [7/3/2008 1:04 PM 31232] R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [7/30/2007 12:06 PM 71168] R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [7/3/2008 1:30 PM 240712] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016] S3 AF05BDA;Cinergy T USB XE service;c:\windows\system32\drivers\AF05BDA.sys [4/25/2009 4:48 PM 117376] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/19/2009 4:27 PM 1684736] S3 AVerAF35;AVerMedia A835 USB DVB-T;c:\windows\system32\drivers\AVerAF35.sys [6/18/2010 7:28 PM 474880] S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?] S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2/11/2010 1:19 PM 36608] S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512] S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [9/2/2010 8:00 AM 252032] S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [9/2/2010 8:00 AM 398720] S4 gupdate1c9dc50e11d5e64;Google Update Service (gupdate1c9dc50e11d5e64);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 10:20 AM 133104] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper . 
Inhalt des "geplante Tasks" Ordners 2010-11-07 c:\windows\Tasks\Driver Robot.job - c:\program files\Driver Robot\1.1.0.13\DriverRobot.exe [2009-10-18 20:35] 2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20] 2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.com/ IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201 IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: An vorhandene PDF-Datei anfügen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203 IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202 IE: In Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Linkziel in Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Nach Microsoft E&xel exportieren - e:\program\MICROS~1\Office12\EXCEL.EXE/3000 IE: Save Flash - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 IE: Save YouTube Video - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217 FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\hag7fc90.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q= FF - prefs.js: browser.search.selectedEngine - Wikipedia (de) FF - prefs.js: browser.startup.homepage - 
www.google.at FF - component: e:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: e:\program\Google\Picasa3\npPicasa3.dll FF - plugin: e:\program\VideoLAN\VLC\npvlc.dll ---- FIREFOX Richtlinien ---- e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true); e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified e:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-11-14 20:32 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... 
Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:20,77,a7,13,4d,57,e7,e8,f0,71,d5,4e,f0,fe,81,02,ba,e8,04,20,06,f0,12, ff,a0,3a,e8,55,45,eb,4e,ba,69,97,3d,64,ae,00,f3,4c,ba,e1,09,ca,88,7d,80,8c,\ "??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49 [HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\License information*] "datasecu"=hex:7d,b4,35,b9,89,0b,d1,22,ec,e3,6a,6c,19,e1,c7,73,d3,d5,30,67,23, 55,da,9f,42,e1,82,db,07,d2,9f,27,e8,e9,44,bb,dc,19,cb,aa,98,73,df,bb,29,2e,\ "rkeysecu"=hex:9b,04,a8,92,08,fb,4f,36,8b,5e,a1,13,bb,bb,01,d1 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version] "Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57, 91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\ [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] 
@="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version] "Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57, 91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\ . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(560) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3540) c:\windows\system32\WININET.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll . Zeit der Fertigstellung: 2010-11-14 20:34:01 ComboFix-quarantined-files.txt 2010-11-14 19:33 ComboFix2.txt 2010-11-12 00:23 ComboFix3.txt 2010-11-11 21:25 ComboFix4.txt 2010-11-09 06:21 Vor Suchlauf: 15.761.002.496 bytes free Nach Suchlauf: 15.743.012.864 bytes free - - End Of File - - 35756ADC67B286C0CE19A15B48BC4E0A Regards |
14.11.2010, 21:07 | #22 |
/// Winkelfunktion /// TB-Süch-Tiger™ | winlogon Code:
[-] 2010-11-11 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2010-11-11 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
Ok. Now please create and post logs with GMER and OSAM. GMER crashes fairly often; if the tool refuses to run the second time as well, just leave it out and run only OSAM. Please skip the online check offered by OSAM. With OSAM, also make sure that you save the log as *.log and not as *.html or similar. Afterwards, please download MBRCheck (by a_d_13) and save the file to the desktop.
__________________ Please always post logfiles in CODE tags |
14.11.2010, 22:01 | #23 |
| winlogon Hi, OSAM: OSAM logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 21:57:45 on 14.11.2010 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Microsoft Corporation Internet Explorer 7.00.6000.16915 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "Driver Robot.job" - ? - C:\Program Files\Driver Robot\1.1.0.13\DriverRobot.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\WINDOWS\system32\DivXControlPanelApplet.cpl "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "S7epaepx.cpl" - "SIEMENS AG" - C:\WINDOWS\system32\S7epaepx.cpl "S7EPATDX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7EPATDX.CPL "S7UBCPLX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7UBCPLX.CPL "wuaucpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\wuaucpl.cpl -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Adobe Version Cue CS4" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.cpl "lgLcdCpl" - "Logitech Inc." 
- C:\Program Files\Logitech\GamePanel Software\LCD Manager\LgLcdCpl.cpl "mlcfg32.cpl" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\MLCFG32.CPL "Nero BurnRights" - "Nero AG" - E:\Program\Nero 9\Nero 9\Nero BurnRights\NeroBurnRights_cpl.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "a9ks41g6" (a9ks41g6) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\a9ks41g6.sys (Hidden registry entry, rootkit activity | File signed by Microsoft) "adfs" (adfs) - "Adobe Systems, Inc." - C:\WINDOWS\system32\drivers\adfs.sys "AnyDVD" (AnyDVD) - "SlySoft, Inc." - C:\WINDOWS\System32\Drivers\AnyDVD.sys "atksgt" (atksgt) - ? - C:\WINDOWS\System32\DRIVERS\atksgt.sys (File found, but it contains no detailed information) "AVG Anti-Rootkit Driver" (Avgrkx86) - ? - C:\WINDOWS\System32\DRIVERS\avgrkx86.sys (File not found) "AVG TDI Driver" (Avgtdix) - ? - C:\WINDOWS\System32\DRIVERS\avgtdix.sys (File not found) "AVGIDSDriver" (AVGIDSDriver) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSDriver.Sys (File not found) "AVGIDSEH" (AVGIDSEH) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSEH.Sys (File not found) "AVGIDSFilter" (AVGIDSFilter) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSFilter.Sys (File not found) "AVGIDSShim" (AVGIDSShim) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSShim.Sys (File not found) "catchme" (catchme) - ? - C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys (File not found) "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "Cinergy T USB XE service" (AF05BDA) - "AfaTech " - C:\WINDOWS\System32\DRIVERS\AF05BDA.sys "Dpmtrcdd" (Dpmtrcdd) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\dpmtrcdd.sys "ElbyCDIO Driver" (ElbyCDIO) - "Elaborate Bytes AG" - C:\WINDOWS\System32\Drivers\ElbyCDIO.sys "ENTECH" (ENTECH) - "EnTech Taiwan" - C:\WINDOWS\system32\DRIVERS\ENTECH.sys "esgiguard" (esgiguard) - ? - C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys (File not found) "FsUsbExDisk" (FsUsbExDisk) - ? 
- C:\WINDOWS\system32\FsUsbExDisk.SYS (File found, but it contains no detailed information) "i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "lirsgt" (lirsgt) - ? - C:\WINDOWS\System32\DRIVERS\lirsgt.sys (File found, but it contains no detailed information) "mbr" (mbr) - ? - C:\DOCUME~1\Martin\LOCALS~1\Temp\mbr.sys (Hidden registry entry, rootkit activity | File not found) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "PROFINET IO RT-Protocol" (s7snsrtx) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\s7snsrtx.sys "PROFINET IO RT-Protocol (LLDP)" (S7opcsrtx) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\s7opcsrtx.sys "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "pxtdqpow" (pxtdqpow) - ? - C:\DOCUME~1\Martin\LOCALS~1\Temp\pxtdqpow.sys (Hidden registry entry, rootkit activity | File not found) "SIMATIC Industrial Ethernet (ISO)" (SNTIE) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\sntie.sys "SIMATIC MPI/EFS Driver" (s7oefs_x) - "SIEMENS AG" - C:\WINDOWS\System32\drivers\s7oefs_x.sys "sptd" (sptd) - "Duplex Secure Ltd." - C:\WINDOWS\System32\Drivers\sptd.sys (File is exclusively opened, access blocked) "StarOpen" (StarOpen) - ? - C:\WINDOWS\system32\drivers\StarOpen.sys (File found, but it contains no detailed information) "Vimicro Camera Filter Service VMUVC" (vvftUVC) - "Vimicro Corporation" - C:\WINDOWS\System32\drivers\vvftUVC.sys "Vimicro Camera Service VMUVC" (VMUVC) - "Vimicro Corporation" - C:\WINDOWS\System32\Drivers\VMUVC.sys "WDICA" (WDICA) - ? 
- C:\WINDOWS\system32\drivers\WDICA.sys (File not found) [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL {88FED34C-F0CA-4636-A375-3CB6248B04CD} "Local Groove Web Services Protocol" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveSystemServices.dll -----( 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )----- {B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - F:\Software\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll {5F327514-6C5E-4d60-8F16-D07FA08A78ED} "Auto Update Property Sheet Extension" - "Microsoft Corporation" - C:\WINDOWS\system32\wuaucpl.cpl {D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\VISSHE.DLL {42071714-76d4-11d1-8b24-00a0c9068ff3} "Display Panning CPL Extension" - ? - deskpan.dll (File not found) {872A9397-E0D6-4e28-B64D-52B8D0A7EA35} "DisplayCplExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiamaxx.dll {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Encryption Context Menu" - ? 
- (File not found | COM-object registry key not found) {E81FFB23-40E2-431C-A041-76AEA0E4B04C} "Enterprise-Projekte" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\NAMEEXT.DLL {99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - "Microsoft Corporation" - 
E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\VISSHE.DLL {B2260382-5E6E-4EEB-9E6F-1122AC37C1E4} "JtWinShellExt" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\ONFILTER.DLL {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - E:\Program\Nero 9\Nero 9\Nero CoverDesigner\CoverEdExtension.dll {C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll {1CA6BBC9-E9FA-4021-822B-075DF1837B63} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll {4FBFFA8D-F390-471a-AE46-FEB93623AD63} "NeroDigitalInfoHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll {846083A4-BFC6-4447-985C-6578B466A7D7} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll {EDCC595A-F0EE-4d81-B554-D5D01C7AFB87} "NeroDigitalThumbnailHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll 
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\OLKFSTUB.DLL {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shell extensions for file compression" - ? - (File not found | COM-object registry key not found) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll {5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} "UnlockerShellExtension" - ? 
- E:\Program Files\Unlocker\UnlockerCOM.dll (File found, but it contains no detailed information) {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL {45670FA8-ED97-4F44-BC93-305082590BFB} "Windows XPS Document Metadata Handler" - "Microsoft Corporation" - C:\WINDOWS\System32\XPSSHHDR.DLL {44121072-A222-48f2-A58A-6D9AD51EBBE9} "Windows XPS Document Thumbnail Handler" - "Microsoft Corporation" - C:\WINDOWS\System32\XPSSHHDR.DLL [Internet Explorer] -----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {F81D52BF-F2F1-4F49-BF5F-05664E803039} "Flash" - ? - (File not found | COM-object registry key not found) -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Grab Pro" - ? - E:\Program Files\Orbitdownloader\GrabPro.dll <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "{32099AAC-C132-4136-9E9A-4E364A424E17}" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." 
- C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\ONBttnIE.dll {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\REFIEBAR.DLL -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- <binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} "Contribute Toolbar" - "Adobe Systems Incorporated." - F:\Software\Adobe\Adobe Contribute CS4\contributeieplugin.dll <binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll <binary data> "Grab Pro" - ? - E:\Program Files\Orbitdownloader\GrabPro.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {AE7CD045-E861-484f-8273-0445EE161910} "Adobe PDF Conversion Toolbar Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll {074C1DC5-9320-4A9A-947D-C042949C6216} "ContributeBHO Class" - "Adobe Systems Incorporated." 
- F:\Software\Adobe\Adobe Contribute CS4\contributeieplugin.dll {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll {72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll {000123B4-9B42-4900-B3F7-F4B073EFC214} "Octh Class" - "Orbitdownloader.com" - E:\Program Files\Orbitdownloader\orbitcth.dll {F4971EE7-DAA0-4053-9964-665D8EE6A077} "SmartSelect Class" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [Logon] -----( %AllUsersProfile%\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini -----( %UserProfile%\Start Menu\Programs\Startup )----- "desktop.ini" - ? 
- C:\Documents and Settings\Martin\Start Menu\Programs\Startup\desktop.ini -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon )----- "Shell" - "Microsoft Corporation" - C:\WINDOWS\Explorer.exe [Network Providers] -----( HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order )----- "Adobe Drive CS4 Network" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "EPSON Stylus Photo RX585 Series 32MonitorBE" - "SEIKO EPSON CORPORATION" - C:\WINDOWS\system32\E_FLBCLE.DLL "Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll "PDFCreator" - ? - C:\WINDOWS\system32\pdfcmnnt.dll (File found, but it contains no detailed information) "Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\msonpmon.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "Adobe Version Cue CS4" (Adobe Version Cue CS4) - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Automation License Manager Service" (almservice) - "SIEMENS AG" - E:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe "AVerRemote" (AVerRemote) - "AVerMedia" - C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe "AVerScheduleService" (AVerScheduleService) - ? - C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe "AVM IGD CTRL Service" (IGDCTRL) - "AVM Berlin" - E:\Program\FRITZ!DSL\IGDCTRL.EXE "FLEXnet Licensing Service" (FLEXnet Licensing Service) - "Acresso Software Inc." 
- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe "getPlus(R) Helper" (getPlusHelper) - "NOS Microsystems Ltd." - C:\Program Files\NOS\bin\getPlus_Helper.dll "Google Updater Service" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jqs.exe "Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE "Microsoft Office Groove Audit Service" (Microsoft Office Groove Audit Service) - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveAuditService.exe "Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe "NMSAccess" (NMSAccess) - ? 
- E:\Program\CDBurnerXP\NMSAccessU.exe (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"S7 Global Services" (s7asysvx) - "SIEMENS AG" - G:\Program\Siemens\Step7\S7BIN\s7asysvx.exe
"S7TraceServiceX" (S7TraceServiceX) - "SIEMENS AG" - C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
"SIMATIC IEPG Help Service" (s7oiehsx) - "SIEMENS AG" - E:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)

===[ Logfile end ]=========================================[ Logfile end ]===

GMER did not work properly, so I tried it without the file scan, and that worked:

GMER Logfile:
Code:
ATTFilter GMER 1.0.15.15530 - hxxp://www.gmer.net Rootkit scan 2010-11-14 21:54:30 Windows 5.1.2600 Service Pack 3 Running: l1cqvlvk.exe; Driver: C:\DOCUME~1\Martin\LOCALS~1\Temp\pxtdqpow.sys ---- System - GMER 1.0.15 ---- SSDT spnz.sys ZwCreateKey [0xB9EA80E0] SSDT spnz.sys ZwEnumerateKey [0xB9EC6CA2] SSDT spnz.sys ZwEnumerateValueKey [0xB9EC7030] SSDT spnz.sys ZwOpenKey [0xB9EA80C0] SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwOpenProcess [0xA7DB06C0] SSDT spnz.sys ZwQueryKey [0xB9EC7108] SSDT spnz.sys ZwQueryValueKey [0xB9EC6F88] SSDT spnz.sys ZwSetValueKey [0xB9EC719A] SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateProcess [0xA7DB0770] SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateThread [0xA7DB0810] SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwWriteVirtualMemory [0xA7DB08B0] INT 0x63 ? 8A624BF8 INT 0x63 ? 8A624BF8 INT 0x63 ? 8A624BF8 INT 0x63 ? 8A624BF8 INT 0x63 ? 8A3BFF00 INT 0x63 ? 8A624BF8 INT 0x83 ? 8A624BF8 INT 0x83 ? 8A624BF8 INT 0x83 ? 8A3BFF00 INT 0x83 ? 8A624BF8 INT 0x84 ? 8A3BFF00 INT 0xA4 ? 8A3BFF00 INT 0xA4 ? 8A3BFF00 INT 0xA4 ? 8A3BFF00 INT 0xA4 ? 8A3BFF00 INT 0xB4 ? 8A3BFF00 Code \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys pIofCallDriver ---- Kernel code sections - GMER 1.0.15 ---- ? spnz.sys The system cannot find the file specified. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB926E000, 0x223937, 0xE8000020] .text USBPORT.SYS!DllUnload B92258AC 5 Bytes JMP 8A3BF4E0 .text a9ks41g6.SYS B919C386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text a9ks41g6.SYS B919C3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a9ks41g6.SYS B919C3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH} .text a9ks41g6.SYS B919C3C9 1 Byte [2E] .text a9ks41g6.SYS B919C3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL} .text ... 
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA9777300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA3A8300, 0x1BEE, 0xE8000020] ? C:\DOCUME~1\Martin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. ! ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. ! ? C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. ! ? system32\DRIVERS\avgrkx86.sys The system cannot find the path specified. ! ? system32\DRIVERS\avgtdix.sys The system cannot find the path specified. ! ? system32\DRIVERS\AVGIDSShim.Sys The system cannot find the path specified. ! ? system32\DRIVERS\AVGIDSEH.Sys The system cannot find the path specified. ! ? system32\DRIVERS\AVGIDSFilter.Sys The system cannot find the path specified. ! ? system32\DRIVERS\AVGIDSDriver.Sys The system cannot find the path specified. ! ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spnz.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spnz.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spnz.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spnz.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spnz.sys IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KeGetCurrentIrql] CB033043 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfRaiseIrql] 0673C13B IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfLowerIrql] C13B0003 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!HalGetInterruptVector] 8366FA72 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3 IAT 
\SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!READ_PORT_USHORT] 83660000 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200 IAT \SystemRoot\System32\Drivers\a9ks41g6.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A6231F8 AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys Device \FileSystem\Fastfat \FatCdrom 88D47500 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys Device \Driver\usbuhci \Device\USBPDO-0 8A3CE1F8 Device \Driver\PCI_PNP0910 \Device\00000045 spnz.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6941F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A6941F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A6941F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A6941F8 Device \Driver\usbuhci \Device\USBPDO-1 8A3CE1F8 Device \Driver\usbuhci \Device\USBPDO-2 8A3CE1F8 Device \Driver\usbehci \Device\USBPDO-3 8A29D368 Device \Driver\usbuhci \Device\USBPDO-4 8A3CE1F8 Device \Driver\usbuhci \Device\USBPDO-5 8A3CE1F8 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys Device \Driver\usbuhci \Device\USBPDO-6 8A3CE1F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6251F8 Device \Driver\usbehci \Device\USBPDO-7 8A29D368 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6251F8 Device \Driver\Cdrom \Device\CdRom0 8A25D368 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH 
EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort4 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort5 [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 8A6251F8 Device \Driver\Cdrom \Device\CdRom1 8A25D368 Device \Driver\Ftdisk \Device\HarddiskVolume4 8A6251F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8A43C500 Device \Driver\NetBT \Device\NetbiosSmb 8A43C500 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys Device \Driver\usbuhci \Device\USBFDO-0 8A3CE1F8 Device \Driver\usbuhci \Device\USBFDO-1 8A3CE1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A3A5500 Device \Driver\usbuhci \Device\USBFDO-2 8A3CE1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A3A5500 Device \Driver\usbehci \Device\USBFDO-3 8A29D368 Device \Driver\Ftdisk \Device\FtControl 8A6251F8 Device \Driver\usbuhci \Device\USBFDO-4 8A3CE1F8 Device \Driver\usbuhci \Device\USBFDO-5 8A3CE1F8 Device \Driver\sptd \Device\2890654660 spnz.sys Device \Driver\usbuhci \Device\USBFDO-6 8A3CE1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{E146FA9B-20A8-46C7-8A0A-3390C6E56897} 8A43C500 Device \Driver\usbehci 
\Device\USBFDO-7 8A29D368 Device \Driver\a9ks41g6 \Device\Scsi\a9ks41g61 8A2C1500 Device \Driver\a9ks41g6 \Device\Scsi\a9ks41g61Port6Path0Target0Lun0 8A2C1500 Device \FileSystem\Fastfat \Fat 88D47500 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys Device \FileSystem\Cdfs \Cdfs 89B93370 ---- Threads - GMER 1.0.15 ---- Thread System [4:2572] A7D317FF ---- Processes - GMER 1.0.15 ---- Library E:\Program\AVG\AVG10\avgse.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3540] 0x6C330000 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0x6D 0x75 0xC8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC0 0xC1 0xFA 0x1E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x41 0x32 0x0D 0x8E ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0D 0x14 0x47 0x79 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x2A 0x1B 0x66 0x20 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x5D 0x2A 0x87 0x81 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0x6D 0x75 0xC8 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC0 0xC1 0xFA 0x1E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x41 0x32 0x0D 0x8E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0D 0x14 0x47 0x79 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x2A 0x1B 0x66 0x20 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x5D 0x2A 0x87 0x81 ... Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x97 0x5D 0xD3 0x2C ... ---- EOF - GMER 1.0.15 ---- MBR: MBRCheck, version 1.2.3 (c) 2010, AD Command-line: Windows Version: Windows XP Professional Windows Information: Service Pack 3 (build 2600) Logical Drives Mask: 0x000000fd Kernel Drivers (total 143): 0x804D7000 \WINDOWS\system32\ntkrnlpa.exe 0x806E4000 \WINDOWS\system32\hal.dll 0xBA5A8000 \WINDOWS\system32\KDCOM.DLL 0xBA4B8000 \WINDOWS\system32\BOOTVID.dll 0xB9EA7000 spnz.sys 0xBA5AA000 \WINDOWS\System32\Drivers\WMILIB.SYS 0xB9E8F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS 0xB9E61000 ACPI.sys 0xB9E50000 pci.sys 0xBA0A8000 isapnp.sys 0xBA670000 pciide.sys 0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS 0xBA0B8000 MountMgr.sys 0xB9E31000 ftdisk.sys 0xBA5AC000 dmload.sys 0xB9E0B000 dmio.sys 0xBA330000 PartMgr.sys 0xBA0C8000 VolSnap.sys 0xB9DF3000 atapi.sys 0xBA0D8000 disk.sys 0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS 0xB9DD3000 fltmgr.sys 0xB9DC1000 sr.sys 0xBA0F8000 PxHelp20.sys 0xB9DAA000 KSecDD.sys 0xB9D1D000 Ntfs.sys 0xB9CF0000 NDIS.sys 0xBA108000 ohci1394.sys 0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS 0xB9CD6000 Mup.sys 0xBA208000 \SystemRoot\system32\DRIVERS\nic1394.sys 0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys 0xB926D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys 0xB9259000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS 0xB9231000 
\SystemRoot\system32\DRIVERS\HDAudBus.sys 0xBA3D0000 \SystemRoot\system32\DRIVERS\usbuhci.sys 0xB920D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS 0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys 0xBA298000 \SystemRoot\system32\DRIVERS\l1e51x86.sys 0xBA3E0000 \SystemRoot\system32\DRIVERS\fdc.sys 0xBA5D0000 \SystemRoot\system32\DRIVERS\ASACPI.sys 0xBA2A8000 \SystemRoot\system32\DRIVERS\serial.sys 0xBA574000 \SystemRoot\system32\DRIVERS\serenum.sys 0xBA2B8000 \SystemRoot\system32\DRIVERS\imapi.sys 0xB91F5000 \SystemRoot\System32\Drivers\AnyDVD.sys 0xBA2C8000 \SystemRoot\system32\DRIVERS\cdrom.sys 0xBA2D8000 \SystemRoot\system32\DRIVERS\redbook.sys 0xB91D2000 \SystemRoot\system32\DRIVERS\ks.sys 0xB919C000 \SystemRoot\System32\Drivers\a9ks41g6.SYS 0xBA6CD000 \SystemRoot\system32\DRIVERS\audstub.sys 0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0xBA58C000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0xB9185000 \SystemRoot\system32\DRIVERS\ndiswan.sys 0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys 0xBA440000 \SystemRoot\system32\DRIVERS\TDI.SYS 0xBA448000 \SystemRoot\system32\DRIVERS\ptilink.sys 0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys 0xB90B5000 \SystemRoot\system32\DRIVERS\rdpdr.sys 0xBA318000 \SystemRoot\system32\DRIVERS\termdd.sys 0xBA458000 \SystemRoot\system32\DRIVERS\kbdclass.sys 0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys 0xBA5D6000 \SystemRoot\system32\DRIVERS\swenum.sys 0xB9057000 \SystemRoot\system32\DRIVERS\update.sys 0xBA5A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys 0xBA168000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xBA198000 \SystemRoot\system32\DRIVERS\usbhub.sys 0xBA5DA000 \SystemRoot\system32\DRIVERS\USBD.SYS 0xACA38000 \SystemRoot\system32\drivers\RtkHDAud.sys 0xACA14000 \SystemRoot\system32\drivers\portcls.sys 0xBA1A8000 \SystemRoot\system32\drivers\drmk.sys 0xBA470000 \SystemRoot\system32\DRIVERS\flpydisk.sys 0xBA5DE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 
0xBA70A000 \SystemRoot\System32\Drivers\Null.SYS 0xBA5E0000 \SystemRoot\System32\Drivers\Beep.SYS 0xBA480000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS 0xBA488000 \SystemRoot\System32\drivers\vga.sys 0xBA5E2000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xBA5E4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xBA490000 \SystemRoot\System32\Drivers\Msfs.SYS 0xBA498000 \SystemRoot\System32\Drivers\Npfs.SYS 0xBA56C000 \SystemRoot\system32\DRIVERS\rasacd.sys 0xAC951000 \SystemRoot\system32\DRIVERS\ipsec.sys 0xBA1D8000 \SystemRoot\system32\DRIVERS\msgpc.sys 0xAC8F8000 \SystemRoot\system32\DRIVERS\tcpip.sys 0xAC8D0000 \SystemRoot\system32\DRIVERS\netbt.sys 0xAC8AA000 \SystemRoot\system32\DRIVERS\ipnat.sys 0xBA1E8000 \SystemRoot\system32\DRIVERS\wanarp.sys 0xAC7E8000 \SystemRoot\System32\drivers\afd.sys 0xBA1F8000 \SystemRoot\system32\DRIVERS\netbios.sys 0xAC7BD000 \SystemRoot\system32\DRIVERS\rdbss.sys 0xAC74D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys 0xBA218000 \SystemRoot\System32\Drivers\Fips.SYS 0xBA4A0000 \SystemRoot\System32\Drivers\ElbyCDIO.sys 0xB9037000 \SystemRoot\system32\DRIVERS\hidusb.sys 0xBA238000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS 0xBA340000 \SystemRoot\system32\DRIVERS\usbccgp.sys 0xBA248000 \SystemRoot\System32\Drivers\Cdfs.SYS 0xAC707000 \SystemRoot\System32\Drivers\usbvideo.sys 0xBA258000 \SystemRoot\system32\drivers\usbaudio.sys 0xBA268000 \SystemRoot\system32\DRIVERS\arp1394.sys 0xACA10000 \SystemRoot\system32\DRIVERS\mouhid.sys 0xACA08000 \SystemRoot\system32\DRIVERS\kbdhid.sys 0xAC6EF000 \SystemRoot\System32\Drivers\dump_atapi.sys 0xBA5EC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS 0xBF800000 \SystemRoot\System32\win32k.sys 0xAC9FC000 \SystemRoot\System32\drivers\Dxapi.sys 0xBA3A0000 \SystemRoot\System32\watchdog.sys 0xBF000000 \SystemRoot\System32\drivers\dxg.sys 0xBA7E3000 \SystemRoot\System32\drivers\dxgthk.sys 0xBF012000 \SystemRoot\System32\ati2dvag.dll 0xBF060000 \SystemRoot\System32\ati2cqag.dll 0xBF0FC000 
\SystemRoot\System32\atikvmag.dll 0xBF196000 \SystemRoot\System32\atiok3x2.dll 0xBF1FB000 \SystemRoot\System32\ati3duag.dll 0xBF557000 \SystemRoot\System32\ativvaxx.dll 0xBFFA0000 \SystemRoot\System32\ATMFD.DLL 0xA9A62000 \SystemRoot\system32\DRIVERS\sntie.sys 0xA9BA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys 0xBA478000 \SystemRoot\system32\DRIVERS\s7opcsrtx.sys 0xA9A28000 \SystemRoot\system32\DRIVERS\s7snsrtx.sys 0xA97F3000 \SystemRoot\system32\DRIVERS\mrxdav.sys 0xA97BA000 \SystemRoot\System32\Drivers\adfs.SYS 0xA9777000 \SystemRoot\system32\DRIVERS\atksgt.sys 0xA984C000 \SystemRoot\System32\DRIVERS\dpmtrcdd.sys 0xBA3A8000 \SystemRoot\system32\DRIVERS\lirsgt.sys 0xA956D000 \SystemRoot\system32\DRIVERS\srv.sys 0xA8BFE000 \SystemRoot\system32\drivers\wdmaud.sys 0xA9495000 \SystemRoot\system32\drivers\sysaudio.sys 0xBA4A8000 \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\mbr.sys 0xBA668000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 0xBA430000 \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys 0xA7EC9000 \SystemRoot\System32\Drivers\Fastfat.SYS 0xBA400000 \SystemRoot\system32\DRIVERS\avgrkx86.sys 0xA7C12000 \SystemRoot\system32\DRIVERS\avgtdix.sys 0xA7DAE000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys 0xA7D6E000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys 0xA9990000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys 0xA7BEA000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys 0xA76B6000 \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\pxtdqpow.sys 0xA768B000 \SystemRoot\system32\drivers\kmixer.sys 0x7C900000 \WINDOWS\system32\ntdll.dll 0x10000000 \Program\DAEMON Tools Lite\daemon.dll Processes (total 34): 0 System Idle Process 4 System 436 C:\WINDOWS\system32\smss.exe 524 csrss.exe 560 C:\WINDOWS\system32\winlogon.exe 608 C:\WINDOWS\system32\services.exe 620 C:\WINDOWS\system32\lsass.exe 784 C:\WINDOWS\system32\ati2evxx.exe 804 C:\WINDOWS\system32\svchost.exe 852 svchost.exe 928 C:\WINDOWS\system32\svchost.exe 1032 svchost.exe 1104 svchost.exe 1204 C:\WINDOWS\system32\spoolsv.exe 1284 
C:\WINDOWS\system32\ati2evxx.exe
1480 svchost.exe
1516 E:\Program Files\Common Files\Siemens\SWS\almsrv\almsrvx.exe
1528 C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
1544 C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
1628 E:\Program\FRITZ!DSL\IGDCTRL.EXE
1656 C:\Program Files\Java\jre6\bin\jqs.exe
1680 sqlservr.exe
1808 E:\Program\CDBurnerXP\NMSAccessU.exe
1880 G:\Program\Siemens\Step7\S7BIN\s7asysvx.exe
1956 E:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
2004 C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
 168 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
 184 C:\WINDOWS\system32\svchost.exe
2068 alg.exe
2656 C:\Program Files\Google\Update\GoogleUpdate.exe
3540 C:\WINDOWS\explorer.exe
1860 C:\WINDOWS\system32\ctfmon.exe
3500 E:\Program\Mozilla Firefox\firefox.exe
3016 C:\Documents and Settings\Martin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000000c`34f34a00 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x00000024`9ed8e200 (NTFS)
\\.\G: --> \\.\PhysicalDrive0 at offset 0x0000003d`08be7a00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD502IJ, Rev: 1AA01113

      Size  Device Name          MBR Status
--------------------------------------------
    465 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done! |
15.11.2010, 05:11 | #24 |
/// Winkelfunktion /// TB-Süch-Tiger™ | winlogon Looks OK. As a check, please run full scans with Malwarebytes and SUPERAntiSpyware and post the logs. Remember to update both tools before scanning!!
__________________ Please always post logfiles in CODE tags |
16.11.2010, 00:05 | #25 |
| winlogon
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5121

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

15.11.2010 23:33:32
mbam-log-2010-11-15 (23-33-32).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|)
Objects scanned: 476975
Time elapsed: 39 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\explorer.vir (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\winlogon.vir (Heuristics.Reserved.Word.Exploit) -> No action taken. |
16.11.2010, 01:05 | #26 |
| winlogon
SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 11/16/2010 at 01:04 AM

Application Version : 4.45.1000

Core Rules Database Version : 5863
Trace Rules Database Version: 3675

Scan type       : Complete Scan
Total Scan Time : 00:54:36

Memory items scanned      : 477
Memory threats detected   : 0
Registry items scanned    : 10332
Registry threats detected : 0
File items scanned        : 157310
File threats detected     : 1

Adware.Tracking Cookie
C:\Documents and Settings\Martin\Cookies\martin@avgtechnologies.112.2o7[1].txt |
16.11.2010, 08:52 | #27 |
/// Winkelfunktion /// TB-Süch-Tiger™ | winlogon Looks OK, only cookies were found. And the files you renamed under Linux can be deleted. Any more problems or further findings in the meantime?
__________________ Please always post logfiles in CODE tags |