Log Analysis and Evaluation: Persistent TR/ATRAPS.Gen and other infections
16.01.2011, 16:57 | #1
Persistent TR/ATRAPS.Gen and other infections

Hello! Yesterday while surfing I apparently picked up a whole bundle of viruses at once, and after various more or less unsuccessful rescue attempts I have now decided to open a thread here. Here is what has happened so far: it was fairly clear to me quite quickly yesterday that I had caught something nasty, because Firefox windows with advertising suddenly opened on their own, every redirect from Google ended in an error, and a system proxy was suddenly enabled. So first I scanned everything with AntiVir and Spybot, which apparently already caught various vermin, but when I then wanted to restart, the nasty surprise came: my PC kept shutting down shortly before the logon dialog. To my surprise I was able to fix that fairly quickly with the Vista boot DVD, i.e. the repair option. I immediately ran another scan, which came back without any findings, and I was already hopeful that this might have taken care of it, but fortunately I still continued to avoid logging in to sensitive services. This morning, AntiVir Guard warnings then started appearing at regular intervals, reporting that the file C:/Windows/temp/<randomfolder>/<randomname>.exe contains a signature of the trojan TR/ATRAPS.Gen, but as soon as I wanted to look at the path the files kept deleting themselves. As a temporary measure I have for now overwritten the access permissions on this "temp" folder for all user groups, and since then I have not received any more warnings. During my further research I also ran a Malwarebytes scan, which in turn found and fixed ~8 problems, and I cleaned all data and the registry with CCleaner.

Furthermore, it is probably worth mentioning that I also followed the following guide to remove that sshnas21.dll virus: hxxp://www.administrator.de/Sshnas21.dll_konnt_nicht_gefunden_werden_(Achtung_Trojaner).html

Attached are the requested logs as well as the two MBAM logs from the scans I had already done before.

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:10, on 16.01.2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Soluto\soluto.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Treiber\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
F:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://192.168.1.251/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Program Files\Soluto\soluto.exe /userinit,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - F:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [EvtMgr6] D:\Treiber\Logitech\SetPointP\SetPoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ICQ] "F:\Program Files\ICQ7.0\ICQ.exe" silent minimized loginmode=3
O4 - Startup: Dropbox.lnk = C:\Users\XXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
O9 - Extra button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - F:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - F:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98450460-BAFF-4377-AAF8-9BB1E90C820C}: NameServer = 192.168.1.252,134.91.4.152
O17 - HKLM\System\CS2\Services\Tcpip\..\{98450460-BAFF-4377-AAF8-9BB1E90C820C}: NameServer = 192.168.1.252,134.91.4.152
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lmab_device - - C:\Windows\system32\LMabcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Soluto PCGenome Core Service (SolutoService) - Soluto - C:\Program Files\Soluto\SolutoService.exe
O23 - Service: SmartSVN Status Cache (statuscached) - Unknown owner - F:\Program Files\SmartSVN 6.5\bin\statuscached.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Windows Service Manager (svchost32) - Unknown owner - C:\Windows\system32\drivers\svchost.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TunngleService - Tunngle.net GmbH - F:\Program Files\Tunngle\TnglCtrl.exe

--
End of file - 6212 bytes
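The HijackThis log above carries the entries a helper reads first: the HKCU proxy pointing at 127.0.0.1:8075, hooks and BHOs whose files are gone, a DNS server outside the local network, and a service called svchost32 whose image is supposed to live in system32\drivers. The following Python is an added example, not part of the original post and not part of HijackThis, that applies those checks to log lines of this format. The sample lines are a constructed subset copied from the log above; the severity labels and the list of binaries that belong in System32 are my own assumptions.

```python
"""Triage HijackThis-style log lines for the indicators seen in this thread.

Added example, not code from the thread or from HijackThis. The rule set is
deliberately small: loopback proxies, orphaned entries, non-local DNS servers,
missing service images, and system-binary names registered from odd directories.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, benign and suspect mixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{98450460-BAFF-4377-AAF8-9BB1E90C820C}: NameServer = 192.168.1.252,134.91.4.152
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Windows Service Manager (svchost32) - Unknown owner - C:\Windows\system32\drivers\svchost.exe (file missing)
"""

# Assumption: binaries that legitimately live directly in %SystemRoot%\System32.
# A service whose image carries one of these names from any other directory is suspect.
SYSTEM32_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost)(?::\d+)?", re.I)
NAMESERVER = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")
SERVICE_PATH = re.compile(
    r"^O23 - Service: .* - (?P<path>[A-Za-z]:\\[^\r\n]*?\.exe)(?P<missing> \(file missing\))?$", re.I
)


@dataclass
class Finding:
    severity: str  # assumption: "high" / "medium" / "low"
    line: str
    reason: str


def triage_line(line: str) -> list[Finding]:
    """Apply every rule to one log line and return the findings it produces."""
    findings: list[Finding] = []
    section = line.split(" - ", 1)[0].strip()

    # R0/R1: browser settings. A proxy on 127.0.0.1 means a local process sits on the HTTP path.
    if section in ("R0", "R1") and (m := LOOPBACK_PROXY.search(line)):
        findings.append(Finding("high", line,
                                f"browser proxy points at {m.group(1)}: a local process is interposing on HTTP"))

    # Any hook, BHO or toolbar whose file is gone: leftover of a removed component.
    if line.rstrip().endswith("(no file)"):
        findings.append(Finding("low", line,
                                "orphaned hook/BHO/toolbar entry referencing a file that no longer exists"))

    # O17: DNS servers. Anything outside RFC 1918 space deserves a manual check.
    if section == "O17" and (m := NAMESERVER.search(line)):
        for addr in (a.strip() for a in m.group(1).split(",") if a.strip()):
            try:
                if not ipaddress.ip_address(addr).is_private:
                    findings.append(Finding("medium", line,
                                            f"DNS resolver {addr} is not on the local network; confirm it is the intended resolver"))
            except ValueError:
                findings.append(Finding("low", line, f"unparseable NameServer value {addr!r}"))

    # O23: services. Missing images and system-binary names from the wrong directory.
    if section == "O23" and (m := SERVICE_PATH.search(line)):
        path = m.group("path")
        parent, _, name = path.rpartition("\\")
        if m.group("missing"):
            findings.append(Finding("medium", line,
                                    f"service image {path} is missing; the service entry survived its binary"))
        if name.lower() in SYSTEM32_NAMES and not parent.lower().endswith("\\system32"):
            findings.append(Finding("high", line,
                                    f"{name} registered from {parent}, not System32: name-squatting on a system binary"))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a log."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample this flags the loopback proxy and the svchost32 service as high, the missing image and the public resolver as medium, and the two "(no file)" entries as low; the Avira lines produce nothing. The checks are heuristics for reading a log, not a verdict: the O17 rule in particular only says "verify", since a public resolver is often legitimate.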
17.01.2011, 10:45 | #2

/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infections

Quote:
17.01.2011, 11:23 | #3

Persistent TR/ATRAPS.Gen and other infections

Are the following two paths the ones where I should find the logs?

C:\ProgramData\Avira\AntiVir Desktop\LOGFILES
C:\ProgramData\Spybot - Search & Destroy\Logs

If so, I am pretty much stuck, because they only contain 2 and 3 logs respectively from yesterday, all of which ran without any findings, or in one case with only a false positive. Under "Reports" AntiVir does still show me all the previous scans and how many findings there were etc., but the corresponding logs seem to have disappeared.
17.01.2011, 11:39 | #4

/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infections

Quote:

__________________
Please always post logfiles in CODE tags
17.01.2011, 11:59 | #5

Persistent TR/ATRAPS.Gen and other infections

I set that up quite a while ago after reading in a c't issue how Photoshop CS4 can apparently keep contacting Adobe servers secretly.
17.01.2011, 13:07 | #6

/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infections

Close all programs, start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied along with it!!!)

Note: If you have obscured your user name, you must turn the starred-out part back into your real user name, otherwise the script will not work!!

Code:
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8075
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{b6c9f841-e72c-11de-9c40-001cc0b0155c}\Shell - "" = AutoRun
O33 - MountPoints2\{b6c9f841-e72c-11de-9c40-001cc0b0155c}\Shell\AutoRun\command - "" = E:\AutoRunCD.exe
[2011.01.15 17:18:08 | 000,000,049 | ---- | M] () -- C:\Windows\VYWnuxO
[2011.01.15 17:18:08 | 000,000,049 | ---- | M] () -- C:\Windows\jPToXpud
[2011.01.15 17:18:08 | 000,000,047 | ---- | M] () -- C:\Windows\ja1Fju
[2011.01.15 17:18:08 | 000,000,047 | ---- | M] () -- C:\Windows\F3KhQsegnb
[2011.01.15 17:18:08 | 000,000,047 | ---- | M] () -- C:\Windows\3LaFX
[2011.01.15 17:18:08 | 000,000,046 | ---- | M] () -- C:\Windows\yWtCUTMp5
[2011.01.15 17:18:08 | 000,000,046 | ---- | M] () -- C:\Windows\XfnPNQyC6I
[2011.01.15 17:18:08 | 000,000,046 | ---- | M] () -- C:\Windows\8KJLK
[2011.01.15 17:18:08 | 000,000,045 | ---- | M] () -- C:\Windows\qakTXKXG
[2011.01.15 17:18:08 | 000,000,045 | ---- | M] () -- C:\Windows\LIRWAjbJL
[2011.01.15 17:18:08 | 000,000,045 | ---- | M] () -- C:\Windows\KgkacKvFkr
[2011.01.15 17:18:08 | 000,000,045 | ---- | M] () -- C:\Windows\aO7CsaqTeE
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\WpfC6U
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\TvxkqPyhab
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\LobYqvG8
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\I6hYicJA3S
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\Hllw7ED
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\excf5
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\2AxueOjfH
[2011.01.15 17:18:08 | 000,000,043 | ---- | M] () -- C:\Windows\Y2gCA3R
[2011.01.15 17:18:08 | 000,000,043 | ---- | M] () -- C:\Windows\XNGUm
[2011.01.15 17:18:08 | 000,000,043 | ---- | M] () -- C:\Windows\ClG7wDcCA6
[2011.01.15 17:18:08 | 000,000,043 | ---- | M] () -- C:\Windows\Bs2m7
[2011.01.15 17:18:08 | 000,000,042 | ---- | M] () -- C:\Windows\Y4aRDeKi
[2011.01.15 17:18:08 | 000,000,042 | ---- | M] () -- C:\Windows\GElIqO
[2011.01.15 17:18:08 | 000,000,042 | ---- | M] () -- C:\Windows\EgtaGlPSn
[2011.01.15 17:18:08 | 000,000,042 | ---- | M] () -- C:\Windows\d6VqmEED
[2011.01.15 17:18:08 | 000,000,042 | ---- | M] () -- C:\Windows\4kLkF
[2011.01.15 17:18:08 | 000,000,041 | ---- | M] () -- C:\Windows\uCKsvH
[2011.01.15 17:18:08 | 000,000,041 | ---- | M] () -- C:\Windows\lF7dA
[2011.01.15 17:18:08 | 000,000,041 | ---- | M] () -- C:\Windows\hdxUaetJ
[2011.01.15 17:18:08 | 000,000,040 | ---- | M] () -- C:\Windows\yFIlMW
[2011.01.15 17:18:08 | 000,000,040 | ---- | M] () -- C:\Windows\sMftko7U5
[2011.01.15 17:18:08 | 000,000,040 | ---- | M] () -- C:\Windows\O14OOtm
[2011.01.15 17:18:08 | 000,000,040 | ---- | M] () -- C:\Windows\nMp6T
[2011.01.15 17:18:08 | 000,000,040 | ---- | M] () -- C:\Windows\kJnPGuxLa
[2011.01.15 17:18:08 | 000,000,040 | ---- | M] () -- C:\Windows\2pvNUHB
[2011.01.15 17:18:08 | 000,000,039 | ---- | M] () -- C:\Windows\y3c6NQ
[2011.01.15 17:18:08 | 000,000,039 | ---- | M] () -- C:\Windows\XguGQgm
[2011.01.15 17:18:08 | 000,000,039 | ---- | M] () -- C:\Windows\nCGp7Inyy8
[2011.01.15 17:18:08 | 000,000,039 | ---- | M] () -- C:\Windows\3PWAT
[2011.01.15 17:18:08 | 000,000,038 | ---- | M] () -- C:\Windows\p4tFS73C8
[2011.01.15 17:18:08 | 000,000,038 | ---- | M] () -- C:\Windows\oFavpHE
[2011.01.15 17:18:08 | 000,000,038 | ---- | M] () -- C:\Windows\MoUb3
[2011.01.15 17:18:08 | 000,000,038 | ---- | M] () -- C:\Windows\k5JNwo
[2011.01.15 17:18:08 | 000,000,037 | ---- | M] () -- C:\Windows\aocJOpGaI
[2011.01.15 17:18:08 | 000,000,037 | ---- | M] () -- C:\Windows\7Ssd7nroKT
[2011.01.15 17:18:08 | 000,000,037 | ---- | M] () -- C:\Windows\4jVbl
[2011.01.15 17:18:08 | 000,000,036 | ---- | M] () -- C:\Windows\w5L3V8d3G4
[2011.01.15 17:18:08 | 000,000,036 | ---- | M] () -- C:\Windows\qTKQjvWAk
[2011.01.15 17:18:08 | 000,000,036 | ---- | M] () -- C:\Windows\nYb8DqV
[2011.01.15 17:18:08 | 000,000,036 | ---- | M] () -- C:\Windows\5Rtlo
[2011.01.15 17:18:08 | 000,000,035 | ---- | M] () -- C:\Windows\pWlrBpNrd
[2011.01.15 17:18:08 | 000,000,035 | ---- | M] () -- C:\Windows\NNJWxceg
[2011.01.15 17:18:08 | 000,000,035 | ---- | M] () -- C:\Windows\iHWYueYjP
[2011.01.15 17:18:08 | 000,000,034 | ---- | M] () -- C:\Windows\Os8NVKnoek
[2011.01.15 17:18:08 | 000,000,034 | ---- | M] () -- C:\Windows\ITSMsSFxG
[2011.01.15 17:18:08 | 000,000,034 | ---- | M] () -- C:\Windows\iPrdtIX
[2011.01.15 17:18:08 | 000,000,033 | ---- | M] () -- C:\Windows\FIYg17O
[2011.01.15 17:18:08 | 000,000,032 | ---- | M] () -- C:\Windows\pSGex4mkEX
[2011.01.15 17:18:08 | 000,000,032 | ---- | M] () -- C:\Windows\ldfkLVWd5
[2011.01.15 17:18:08 | 000,000,032 | ---- | M] () -- C:\Windows\fPpw1wx
[2011.01.15 17:18:08 | 000,000,032 | ---- | M] () -- C:\Windows\ehfGHeMqmH
[2011.01.15 17:18:08 | 000,000,032 | ---- | M] () -- C:\Windows\cqT73Kkrqg
[2011.01.15 17:18:08 | 000,000,032 | ---- | M] () -- C:\Windows\Bvqha
[2011.01.15 17:18:08 | 000,000,031 | ---- | M] () -- C:\Windows\WOi3DI
[2011.01.15 17:18:08 | 000,000,031 | ---- | M] () -- C:\Windows\LH8U36Cr
[2011.01.15 17:18:08 | 000,000,031 | ---- | M] () -- C:\Windows\gFKAKt1qF
[2011.01.15 17:18:08 | 000,000,030 | ---- | M] () -- C:\Windows\RaNokcC
[2011.01.15 17:18:08 | 000,000,030 | ---- | M] () -- C:\Windows\mLx4Q6M
[2011.01.15 17:18:08 | 000,000,030 | ---- | M] () -- C:\Windows\JtvaSiB
[2011.01.15 17:18:08 | 000,000,030 | ---- | M] () -- C:\Windows\h5oDwMa6
[2011.01.15 17:18:08 | 000,000,030 | ---- | M] () -- C:\Windows\5eOexm
[2011.01.15 17:18:08 | 000,000,029 | ---- | M] () -- C:\Windows\uLVAps1Np
[2011.01.15 17:18:08 | 000,000,029 | ---- | M] () -- C:\Windows\CCgPBY1a
[2011.01.15 17:18:08 | 000,000,029 | ---- | M] () -- C:\Windows\7QQlj78i
[2011.01.15 17:18:08 | 000,000,029 | ---- | M] () -- C:\Windows\45e6DK5oRi
[2011.01.15 17:18:08 | 000,000,028 | ---- | M] () -- C:\Windows\V4jNEIf1oJ
[2011.01.15 17:18:08 | 000,000,028 | ---- | M] () -- C:\Windows\GnOJEOW
[2011.01.15 17:18:08 | 000,000,028 | ---- | M] () -- C:\Windows\FLYkS
[2011.01.15 17:18:08 | 000,000,028 | ---- | M] () -- C:\Windows\b31Oi1GRP
[2011.01.15 17:18:08 | 000,000,028 | ---- | M] () -- C:\Windows\3XkypbOv2
[2011.01.15 17:18:08 | 000,000,027 | ---- | M] () -- C:\Windows\calmlS6tS
[2011.01.15 17:18:08 | 000,000,026 | ---- | M] () -- C:\Windows\LBILmrYc
[2011.01.15 17:18:08 | 000,000,026 | ---- | M] () -- C:\Windows\2T8esRwaW
[2011.01.15 17:18:08 | 000,000,025 | ---- | M] () -- C:\Windows\EhPUBO
[2011.01.15 17:18:07 | 000,000,047 | ---- | M] () -- C:\Windows\xia5b
[2011.01.15 17:18:07 | 000,000,043 | ---- | M] () -- C:\Windows\WlMfD4
[2011.01.15 17:18:07 | 000,000,040 | ---- | M] () -- C:\Windows\ignc5nJmi
[2011.01.15 17:18:07 | 000,000,039 | ---- | M] () -- C:\Windows\lHaxOG
[2011.01.15 17:18:07 | 000,000,037 | ---- | M] () -- C:\Windows\Vuktdt
[2011.01.15 17:18:07 | 000,000,036 | ---- | M] () -- C:\Windows\31c7Dn5c
[2011.01.15 17:18:07 | 000,000,033 | ---- | M] () -- C:\Windows\C4ywfGIdA
[2011.01.15 17:18:07 | 000,000,031 | ---- | M] () -- C:\Windows\8biiMRj
[2011.01.15 17:18:07 | 000,000,030 | ---- | M] () -- C:\Windows\4I5WGIT
[2011.01.15 17:18:07 | 000,000,028 | ---- | M] () -- C:\Windows\IgFj75oRh
[2011.01.15 17:18:07 | 000,000,027 | ---- | M] () -- C:\Windows\DQxjxlU
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:6DFF1A8A
:Commands
[purity]
[emptytemp]

The logfile should open when you click OK after the fix; please post it. The computer may be restarted.
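The fix script above is built from OTL's file listing: around a hundred files in C:\Windows, all 25 to 49 bytes, all written within two seconds of each other on 2011.01.15, with extension-less names that look generated. The Python below is an added example, not from the post and not part of OTL, that parses listing lines in that format, clusters files per directory by modification time, flags clusters with that shape, and emits the matching paths in the same ":OTL" / ":Commands" layout the post uses. The sample listing takes eight lines from the script above plus the autoexec.bat line from its O32 entry; the win.ini line and the thresholds (5 files, 64 bytes, 2 seconds) are constructed assumptions.

```python
"""Find a mass drop of small generated files in OTL file-listing output.

Added example, not code from the thread or from OTL. It parses lines of the form
  [YYYY.MM.DD HH:MM:SS | 000,000,049 | ---- | M] () -- C:\path
groups them per directory by modification time, and reports clusters of many
tiny extension-less files written within seconds of each other.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-\w]{4}) \| M\] \(\) -- (?P<path>\S.*?)\s*$"
)

# Constructed sample: eight lines from the OTL script above, the autoexec.bat line
# from its O32 entry, and one made-up win.ini line as a benign decoy.
SAMPLE_LISTING = r"""
[2011.01.15 17:18:08 | 000,000,049 | ---- | M] () -- C:\Windows\VYWnuxO
[2011.01.15 17:18:08 | 000,000,049 | ---- | M] () -- C:\Windows\jPToXpud
[2011.01.15 17:18:08 | 000,000,047 | ---- | M] () -- C:\Windows\ja1Fju
[2011.01.15 17:18:08 | 000,000,046 | ---- | M] () -- C:\Windows\yWtCUTMp5
[2011.01.15 17:18:08 | 000,000,044 | ---- | M] () -- C:\Windows\WpfC6U
[2011.01.15 17:18:07 | 000,000,047 | ---- | M] () -- C:\Windows\xia5b
[2011.01.15 17:18:07 | 000,000,033 | ---- | M] () -- C:\Windows\C4ywfGIdA
[2011.01.15 17:18:07 | 000,000,027 | ---- | M] () -- C:\Windows\DQxjxlU
[2010.11.02 09:12:33 | 000,000,478 | ---- | M] () -- C:\Windows\win.ini
[2006.09.18 22:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
"""


@dataclass(frozen=True)
class Entry:
    raw: str        # the listing line as OTL printed it
    path: str
    size: int       # bytes
    mtime: datetime

    @property
    def directory(self) -> str:
        return self.path.rpartition("\\")[0].lower()

    @property
    def name(self) -> str:
        return self.path.rpartition("\\")[2]


def parse_listing(text: str) -> list[Entry]:
    """Parse every OTL listing line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%Y.%m.%d %H:%M:%S")
        entries.append(Entry(line.strip(), m["path"], int(m["size"].replace(",", "")), mtime))
    return entries


def looks_generated(name: str) -> bool:
    """Heuristic for the names in the script above: alphanumeric, no extension,
    and either digits or mixed case. Ordinary config files like win.ini fail it."""
    if "." in name or not name.isalnum():
        return False
    return any(c.isdigit() for c in name) or (name.lower() != name and name.upper() != name)


def clusters(entries: list[Entry], window: timedelta = timedelta(seconds=2)) -> list[list[Entry]]:
    """Group files in the same directory whose consecutive mtimes are within `window`."""
    by_dir: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        by_dir[e.directory].append(e)
    out = []
    for group in by_dir.values():
        group.sort(key=lambda e: e.mtime)
        current = [group[0]]
        for e in group[1:]:
            if e.mtime - current[-1].mtime <= window:
                current.append(e)
            else:
                out.append(current)
                current = [e]
        out.append(current)
    return out


def mass_drops(entries: list[Entry], min_files: int = 5, max_size: int = 64) -> list[list[Entry]]:
    """Clusters of at least `min_files` tiny, generated-looking files. Thresholds are assumptions."""
    return [c for c in clusters(entries)
            if len(c) >= min_files and all(e.size <= max_size and looks_generated(e.name) for e in c)]


def otl_fix_script(drops: list[list[Entry]]) -> str:
    """Lay the flagged listing lines out in the ':OTL' / ':Commands' shape used in the post above."""
    lines = [":OTL"] + [e.raw for c in drops for e in c] + [":Commands", "[purity]", "[emptytemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    drops = mass_drops(parse_listing(SAMPLE_LISTING))
    for c in drops:
        print(f"{len(c)} files in {c[0].directory} between {c[0].mtime} and {c[-1].mtime}")
    print(otl_fix_script(drops))
```

The timestamp clustering is what separates this from a plain "small file without extension" search: a dropper writing a hundred files in one second leaves them all with nearly identical mtimes, which a listing sorted by path (as in the script above) hides. Review the flagged cluster by hand before turning it into a fix; the heuristic would also catch a legitimate installer that wrote many small marker files at once.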
17.01.2011, 13:39 | #7

Persistent TR/ATRAPS.Gen and other infections

All right, and thanks in advance. Here is the log:

Code:
All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\autoexec.bat moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6c9f841-e72c-11de-9c40-001cc0b0155c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6c9f841-e72c-11de-9c40-001cc0b0155c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6c9f841-e72c-11de-9c40-001cc0b0155c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6c9f841-e72c-11de-9c40-001cc0b0155c}\ not found.
File E:\AutoRunCD.exe not found.
C:\Windows\VYWnuxO moved successfully.
C:\Windows\jPToXpud moved successfully.
C:\Windows\ja1Fju moved successfully.
C:\Windows\F3KhQsegnb moved successfully.
C:\Windows\3LaFX moved successfully.
C:\Windows\yWtCUTMp5 moved successfully.
C:\Windows\XfnPNQyC6I moved successfully.
C:\Windows\8KJLK moved successfully.
C:\Windows\qakTXKXG moved successfully.
C:\Windows\LIRWAjbJL moved successfully.
C:\Windows\KgkacKvFkr moved successfully.
C:\Windows\aO7CsaqTeE moved successfully.
C:\Windows\WpfC6U moved successfully.
C:\Windows\TvxkqPyhab moved successfully.
C:\Windows\LobYqvG8 moved successfully.
C:\Windows\I6hYicJA3S moved successfully.
C:\Windows\Hllw7ED moved successfully.
C:\Windows\excf5 moved successfully.
C:\Windows\2AxueOjfH moved successfully.
C:\Windows\Y2gCA3R moved successfully.
C:\Windows\XNGUm moved successfully.
C:\Windows\ClG7wDcCA6 moved successfully.
C:\Windows\Bs2m7 moved successfully.
C:\Windows\Y4aRDeKi moved successfully.
C:\Windows\GElIqO moved successfully.
C:\Windows\EgtaGlPSn moved successfully.
C:\Windows\d6VqmEED moved successfully.
C:\Windows\4kLkF moved successfully.
C:\Windows\uCKsvH moved successfully.
C:\Windows\lF7dA moved successfully.
C:\Windows\hdxUaetJ moved successfully.
C:\Windows\yFIlMW moved successfully.
C:\Windows\sMftko7U5 moved successfully.
C:\Windows\O14OOtm moved successfully.
C:\Windows\nMp6T moved successfully.
C:\Windows\kJnPGuxLa moved successfully.
C:\Windows\2pvNUHB moved successfully.
C:\Windows\y3c6NQ moved successfully.
C:\Windows\XguGQgm moved successfully.
C:\Windows\nCGp7Inyy8 moved successfully.
C:\Windows\3PWAT moved successfully.
C:\Windows\p4tFS73C8 moved successfully.
C:\Windows\oFavpHE moved successfully.
C:\Windows\MoUb3 moved successfully.
C:\Windows\k5JNwo moved successfully.
C:\Windows\aocJOpGaI moved successfully.
C:\Windows\7Ssd7nroKT moved successfully.
C:\Windows\4jVbl moved successfully.
C:\Windows\w5L3V8d3G4 moved successfully.
C:\Windows\qTKQjvWAk moved successfully.
C:\Windows\nYb8DqV moved successfully.
C:\Windows\5Rtlo moved successfully.
C:\Windows\pWlrBpNrd moved successfully.
C:\Windows\NNJWxceg moved successfully.
C:\Windows\iHWYueYjP moved successfully.
C:\Windows\Os8NVKnoek moved successfully.
C:\Windows\ITSMsSFxG moved successfully.
C:\Windows\iPrdtIX moved successfully.
C:\Windows\FIYg17O moved successfully.
C:\Windows\pSGex4mkEX moved successfully.
C:\Windows\ldfkLVWd5 moved successfully.
C:\Windows\fPpw1wx moved successfully.
C:\Windows\ehfGHeMqmH moved successfully.
C:\Windows\cqT73Kkrqg moved successfully.
C:\Windows\Bvqha moved successfully.
C:\Windows\WOi3DI moved successfully.
C:\Windows\LH8U36Cr moved successfully.
C:\Windows\gFKAKt1qF moved successfully.
C:\Windows\RaNokcC moved successfully.
C:\Windows\mLx4Q6M moved successfully.
C:\Windows\JtvaSiB moved successfully.
C:\Windows\h5oDwMa6 moved successfully.
C:\Windows\5eOexm moved successfully.
C:\Windows\uLVAps1Np moved successfully.
C:\Windows\CCgPBY1a moved successfully.
C:\Windows\7QQlj78i moved successfully.
C:\Windows\45e6DK5oRi moved successfully.
C:\Windows\V4jNEIf1oJ moved successfully.
C:\Windows\GnOJEOW moved successfully.
C:\Windows\FLYkS moved successfully.
C:\Windows\b31Oi1GRP moved successfully.
C:\Windows\3XkypbOv2 moved successfully.
C:\Windows\calmlS6tS moved successfully.
C:\Windows\LBILmrYc moved successfully.
C:\Windows\2T8esRwaW moved successfully.
C:\Windows\EhPUBO moved successfully.
C:\Windows\xia5b moved successfully.
C:\Windows\WlMfD4 moved successfully.
C:\Windows\ignc5nJmi moved successfully.
C:\Windows\lHaxOG moved successfully.
C:\Windows\Vuktdt moved successfully.
C:\Windows\31c7Dn5c moved successfully.
C:\Windows\C4ywfGIdA moved successfully.
C:\Windows\8biiMRj moved successfully.
C:\Windows\4I5WGIT moved successfully.
C:\Windows\IgFj75oRh moved successfully.
C:\Windows\DQxjxlU moved successfully.
ADS C:\ProgramData\TEMP:6DFF1A8A deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: XXX
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34424 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 5507331 bytes
->Google Chrome cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 689 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5,00 mb

OTL by OldTimer - Version 3.2.20.2 log created on 01172011_132927

Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
17.01.2011, 13:46 | #8

/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infections

Then please run CF now: ComboFix
A guide and tutorial on using ComboFix

ComboFix may only be run when a qualified helper has explicitly recommended it!
17.01.2011, 16:15 | #9

Persistent TR/ATRAPS.Gen and other infections

Hm... when I started ComboFix, my PC simply switched itself off shortly after the progress bar reached the end. I think I also carried out the preceding steps correctly: CCleaner cleaned everything up, the only thing left in the registry was the old AntiVir error, which I can ignore, and I had also closed (background) programs as far as possible.
17.01.2011, 16:21 | #10

/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infections

Try it again.
17.01.2011, 17:21 | #11

Persistent TR/ATRAPS.Gen and other infections

So now I have tried it a few more times with the same result, until I removed AntiVir completely from system startup via Spybot and HijackThis also assured me that Explorer.exe was the only process running from my account. As a result, though, the PC now froze completely at the same point instead of switching off. I tried it one last time just now and everything seems to be back to the way it was.
17.01.2011, 19:16 | #12

/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infections

OK. Now please create logs with GMER and OSAM and post them. GMER crashes fairly often; if the tool still refuses to run on the second attempt, just leave it out and run only OSAM. Please skip OSAM's online query. With OSAM, also make sure that you save the log as *.log and not as *.html or the like. Afterwards, please download MBRCheck (by a_d_13) and save the file to the desktop.
17.01.2011, 20:43 | #13

Persistent TR/ATRAPS.Gen and other infections

OK, here are the logs:

GMER:

Code:
GMER 1.0.15.15530 - hxxp://www.gmer.net
Rootkit scan 2011-01-17 20:29:45
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort5 STM3500418AS rev.CC37
Running: g2m3e4r.exe; Driver: F:\Temp\awlcrpob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F803000, 0x349D76, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[912] ntdll.dll!NtProtectVirtualMemory 77D44D34 5 Bytes JMP 00A1000A
.text C:\Windows\Explorer.EXE[912] ntdll.dll!NtWriteVirtualMemory 77D45674 5 Bytes JMP 00A2000A
.text C:\Windows\Explorer.EXE[912] ntdll.dll!KiUserExceptionDispatcher 77D45DC8 5 Bytes JMP 00A0000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74047817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7409A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7404BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7403F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740475E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7403E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74078395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7404DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7403FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7403FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740371CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [740CCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7406C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7403D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74036853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7403687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74042AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Device\Ide\IdeDeviceP5T0L0-5 -> \??\IDE#DiskSTM3500418AS____________________________CC37____#5&f90994&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583380e60
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x61 0xF6 0x06 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x1B 0x74 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xDF 0x9F 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x66 0x24 0x97 0x1F ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583380e60 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x61 0xF6 0x06 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x1B 0x74 0x6F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xDF 0x9F 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x66 0x24 0x97 0x1F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77CFC1A6-DCF5-29FA-5AD4-F5E22D8FD642}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77CFC1A6-DCF5-29FA-5AD4-F5E22D8FD642}@galenbpoihgmdd 0x61 0x63 0x70 0x63 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 20:41:38 on 17.01.2011 OS: Windows Vista Business Edition Service Pack 2 (Build 6002), 32-bit Default Browser: SRWare SRWare Iron 8.0.555.0 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "RegistryConvoy.job" - ? - F:\Program Files\Registry Convoy 2009\RegistryConvoy.exe (File not found) [Control Panel Objects] -----( %SystemRoot%\system32 )----- "DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\Windows\system32\DivXControlPanelApplet.cpl -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Pando" - "Pando Networks" - C:\Program Files\Pando Networks\Media Booster\PMB.cpl "QuickTime" - "Apple Inc." - F:\Program Files\QuickTime\QTSystem\QuickTime.cpl [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "Acronis Snapshots Manager" (snapman) - "Acronis" - C:\Windows\System32\DRIVERS\snapman.sys "Acronis Try&Decide and Restore Points filter" (tdrpman) - "Acronis" - C:\Windows\System32\DRIVERS\tdrpman.sys "avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys "awlcrpob" (awlcrpob) - ? 
- F:\Temp\awlcrpob.sys (Hidden registry entry, rootkit activity | File not found) "catchme" (catchme) - ? - F:\Temp\catchme.sys (File not found) "EagleNT" (EagleNT) - ? - C:\Windows\system32\drivers\EagleNT.sys (File not found) "FsUsbExDisk" (FsUsbExDisk) - ? - C:\Windows\system32\FsUsbExDisk.SYS (File found, but it contains no detailed information) "giveio" (giveio) - ? - C:\Windows\System32\giveio.sys (File found, but it contains no detailed information) "Hamachi Network Interface" (hamachi) - "LogMeIn, Inc." - C:\Windows\System32\DRIVERS\hamachi.sys "IOCBIOS" (IOCBIOS) - ? - C:\ProgramData\Intel\Extreme Tuning Utility\IOCbios\32bit\IOCBIOS.SYS "IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys (File not found) "IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys (File not found) "IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys (File not found) "Nal Service " (NAL) - "Intel Corporation " - C:\Windows\system32\Drivers\iqvw32.sys "PCCS Mode Change Filter Driver" (pccsmcfd) - ? - C:\Windows\System32\DRIVERS\pccsmcfd.sys (File not found) "Performance Tools Driver 10.0" (VSPerfDrv100) - "Microsoft Corporation" - F:\Program Files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys "speedfan" (speedfan) - "Windows (R) 2000 DDK provider" - C:\Windows\System32\speedfan.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys "VBoxNetFlt Service" (VBoxNetFlt) - ? - C:\Windows\System32\DRIVERS\VBoxNetFlt.sys (File not found) "VirtualBox Host-Only Ethernet Adapter" (VBoxNetAdp) - "Oracle Corporation" - C:\Windows\System32\DRIVERS\VBoxNetAdp.sys [Explorer] -----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found) {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? 
- (File not found | COM-object registry key not found) {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found) {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found) -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll {30351349-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL {828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll {828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )----- {AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? - (File not found | COM-object registry key not found) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? 
- (File not found | COM-object registry key not found) {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - F:\Program Files\7-Zip\7-zip.dll {C539A15A-3AF9-4c92-B771-50CB78F5C751} "Acronis True Image Shell Context Menu Extension" - "Acronis" - C:\Program Files\Acronis\TrueImageHome\tishell.dll {C539A15B-3AF9-4c92-B771-50CB78F5C751} "Acronis True Image Shell Extension" - "Acronis" - C:\Program Files\Acronis\TrueImageHome\tishell.dll {1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? - (File not found | COM-object registry key not found) {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? - (File not found | COM-object registry key not found) {872A9397-E0D6-4e28-B64D-52B8D0A7EA35} "DisplayCplExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiamaxx.dll {2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? - (File not found | COM-object registry key not found) {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - F:\Program Files\iTunes\iTunesMiniPlayer.dll {DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} "KbLogiExt Class" - "Logitech, Inc." - D:\Treiber\Logitech\SetPointP\kbcplext.dll {00020d75-0000-0000-c000-000000000046} "lnkfile" - ? - (File not found | COM-object registry key not found) {C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? - (File not found | COM-object registry key not found) {E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? 
- (File not found | COM-object registry key not found) {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll {5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll {C5994560-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994561-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994562-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994563-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994564-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994565-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994566-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994567-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? - (File not found | COM-object registry key not found) {C5994568-53D9-4125-87C9-F193FC689CB2} "TortoiseOverlays" - ? 
- (File not found | COM-object registry key not found) {30351346-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {30351347-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {30351348-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {30351349-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {3035134A-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {3035134B-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {3035134C-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {3035134D-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {3035134E-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {3035134F-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {30351350-7B7D-4FCC-81B4-1E394CA267EB} "TortoiseSVN" - "hxxp://tortoisesvn.net" - F:\Program Files\TortoiseSVN\bin\TortoiseStub.dll {da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? - (File not found | COM-object registry key not found) {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - F:\Program Files\WinRAR\rarext.dll {E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, S.L." - F:\Program Files\WinZip\wzshlstb.dll {E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, S.L." 
- F:\Program Files\WinZip\wzshlstb.dll {E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, S.L." - F:\Program Files\WinZip\wzshlstb.dll {E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, S.L." - F:\Program Files\WinZip\wzshlstb.dll Logitech Setpoint Extension "{B9B9F083-2B04-452A-8691-83694AC1037B}" - ? - (File not found | COM-object registry key not found) [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found) -----( HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks )----- {EF99BD32-C1FB-11D2-892F-0090271D4F88} "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_23" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} "Java Plug-in 1.6.0_23" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_23" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_23.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\Windows\system32\Macromed\Flash\Flash10g.ocx / hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab {E2883E8F-472F-4FB0-9522-AC9BF37916A7} "{E2883E8F-472F-4FB0-9522-AC9BF37916A7}" - ? 
- (File not found | COM-object registry key not found) / hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" - "Safer Networking Limited" - C:\PROGRA~1\SPYBOT~1\SDHelper.dll "ICQ7" - "ICQ, LLC." - F:\Program Files\ICQ7.0\ICQ.exe -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )----- "Location" - "InterTrust Technologies Corporation, Inc." - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- <binary data> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" - ? - (File not found | COM-object registry key not found) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll {DDA57003-0068-4ed2-9D32-4D1EC707D94D} "Microsoft Web Test Recorder 10.0 Helper" - "Microsoft Corporation" - F:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll {53707962-6F74-2D53-2644-206D7942484F} "Spybot-S&D IE Protection" - "Safer Networking Limited" - C:\PROGRA~1\SPYBOT~1\SDHelper.dll {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live ID Sign-in Helper" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll {02478D38-C3F9-4efb-9B51-7695ECA05670} "{02478D38-C3F9-4efb-9B51-7695ECA05670}" - ? 
- (File not found | COM-object registry key not found) {5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? - (File not found | COM-object registry key not found) {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} "{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" - ? - (File not found | COM-object registry key not found) [LSA Providers] -----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )----- "Authentication packages" - "Acronis" - C:\Windows\system32\relog_ap.dll [Logon] -----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )----- "desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "SpybotSD TeaTimer" - "Safer-Networking Ltd." - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon )----- "Userinit" - "Soluto" - C:\Program Files\Soluto\soluto.exe -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min "EvtMgr6" - "Logitech, Inc." - D:\Treiber\Logitech\SetPointP\SetPoint.exe "StartCCC" - "Advanced Micro Devices, Inc." - "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun "SunJavaUpdateSched" - "Sun Microsystems, Inc." 
- "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "Lexmark Enhanced TCP/IP Port" - " " - C:\Windows\system32\lmablmpm.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe "Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe "ASP.NET-Zustandsdienst" (aspnet_state) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (File is exclusively opened, access blocked) "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe "Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe "iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe "lmab_device" (lmab_device) - " " - C:\Windows\system32\LMabcoms.exe "Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE "PnkBstrA" (PnkBstrA) - ? - C:\Windows\system32\PnkBstrA.exe (File found, but it contains no detailed information) "SmartSVN Status Cache" (statuscached) - ? 
- F:\Program Files\SmartSVN 6.5\bin\statuscached.exe (File found, but it contains no detailed information) "Soluto PCGenome Core Service" (SolutoService) - "Soluto" - C:\Program Files\Soluto\SolutoService.exe "Steam Client Service" (Steam Client Service) - "Valve Corporation" - C:\Program Files\Common Files\Steam\SteamService.exe "SwitchBoard" (SwitchBoard) - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe "TunngleService" (TunngleService) - "Tunngle.net GmbH" - F:\Program Files\Tunngle\TnglCtrl.exe "Windows Live ID Sign-in Assistant" (wlidsvc) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE "Windows Service Manager" (svchost32) - ? - C:\Windows\system32\drivers\svchost.exe /service (File not found) [Winsock Providers] -----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )----- "mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru Code:
ATTFilter MBRCheck, version 1.2.3 (c) 2010, AD Command-line: Windows Version: Windows Vista Business Edition Windows Information: Service Pack 2 (build 6002), 32-bit Base Board Manufacturer: Intel Corporation BIOS Manufacturer: Intel Corp. System Manufacturer: System Product Name: Logical Drives Mask: 0x0200006c Kernel Drivers (total 148): 0x82403000 \SystemRoot\system32\ntkrnlpa.exe 0x827BC000 \SystemRoot\system32\hal.dll 0x86542000 \SystemRoot\system32\kdcom.dll 0x80412000 \SystemRoot\system32\mcupdate_GenuineIntel.dll 0x80482000 \SystemRoot\system32\PSHED.dll 0x80493000 \SystemRoot\system32\BOOTVID.dll 0x8049B000 \SystemRoot\system32\CLFS.SYS 0x804DC000 \SystemRoot\system32\CI.dll 0x8060C000 \SystemRoot\system32\drivers\Wdf01000.sys 0x80688000 \SystemRoot\system32\drivers\WDFLDR.SYS 0x80695000 \SystemRoot\system32\drivers\acpi.sys 0x806DB000 \SystemRoot\system32\drivers\WMILIB.SYS 0x806E4000 \SystemRoot\system32\drivers\msisadrv.sys 0x806EC000 \SystemRoot\system32\drivers\pci.sys 0x80713000 \SystemRoot\System32\drivers\partmgr.sys 0x80722000 \SystemRoot\system32\drivers\volmgr.sys 0x80731000 \SystemRoot\System32\drivers\volmgrx.sys 0x8077B000 \SystemRoot\system32\drivers\pciide.sys 0x80782000 \SystemRoot\system32\drivers\PCIIDEX.SYS 0x80790000 \SystemRoot\System32\drivers\mountmgr.sys 0x807A0000 \SystemRoot\system32\drivers\atapi.sys 0x807A8000 \SystemRoot\system32\drivers\ataport.SYS 0x807C6000 \SystemRoot\system32\drivers\fltmgr.sys 0x805BC000 \SystemRoot\system32\drivers\fileinfo.sys 0x82A0C000 \SystemRoot\System32\Drivers\ksecdd.sys 0x82A7D000 \SystemRoot\system32\drivers\ndis.sys 0x82B88000 \SystemRoot\system32\drivers\msrpc.sys 0x82BB3000 \SystemRoot\system32\drivers\NETIO.SYS 0x82C06000 \SystemRoot\System32\drivers\tcpip.sys 0x82CF0000 \SystemRoot\System32\drivers\fwpkclnt.sys 0x82D0B000 \SystemRoot\system32\DRIVERS\timntr.sys 0x82E02000 \SystemRoot\System32\Drivers\Ntfs.sys 0x82F12000 \SystemRoot\system32\drivers\volsnap.sys 0x82F4B000 
\SystemRoot\system32\DRIVERS\tdrpman.sys 0x82FA4000 \SystemRoot\System32\Drivers\spldr.sys 0x82FAC000 \SystemRoot\system32\speedfan.sys 0x82FAE000 \SystemRoot\system32\DRIVERS\snapman.sys 0x82FCD000 \SystemRoot\System32\Drivers\mup.sys 0x82FDC000 \SystemRoot\system32\giveio.sys 0x82D76000 \SystemRoot\System32\drivers\ecache.sys 0x82FDD000 \SystemRoot\system32\drivers\disk.sys 0x82D9D000 \SystemRoot\system32\drivers\CLASSPNP.SYS 0x82FEE000 \SystemRoot\system32\drivers\crcdisk.sys 0x82DCB000 \SystemRoot\system32\DRIVERS\tunnel.sys 0x82DD6000 \SystemRoot\system32\DRIVERS\intelppm.sys 0x8F20B000 \SystemRoot\system32\DRIVERS\atikmpag.sys 0x8F802000 \SystemRoot\system32\DRIVERS\atikmdag.sys 0x8FE7D000 \SystemRoot\System32\drivers\dxgkrnl.sys 0x8FF1E000 \SystemRoot\System32\drivers\watchdog.sys 0x8FF2A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys 0x8FFB7000 \SystemRoot\system32\DRIVERS\e1y6032.sys 0x8FFF2000 \SystemRoot\system32\DRIVERS\usbuhci.sys 0x8F248000 \SystemRoot\system32\DRIVERS\USBPORT.SYS 0x8F286000 \SystemRoot\system32\DRIVERS\usbehci.sys 0x8F295000 \SystemRoot\system32\DRIVERS\ohci1394.sys 0x8F2A5000 \SystemRoot\system32\DRIVERS\1394BUS.SYS 0x8F2B3000 \SystemRoot\system32\DRIVERS\cdrom.sys 0x8F2CB000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys 0x8F2D1000 \SystemRoot\system32\DRIVERS\intelsmb.sys 0x8F2DD000 \SystemRoot\system32\DRIVERS\wmiacpi.sys 0x8F2E6000 \SystemRoot\system32\DRIVERS\msiscsi.sys 0x8F315000 \SystemRoot\system32\DRIVERS\storport.sys 0x8F356000 \SystemRoot\system32\DRIVERS\TDI.SYS 0x8F361000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0x8F378000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0x8F383000 \SystemRoot\system32\DRIVERS\ndiswan.sys 0x8F3A6000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0x8F3B5000 \SystemRoot\system32\DRIVERS\raspptp.sys 0x8F3C9000 \SystemRoot\system32\DRIVERS\rassstp.sys 0x9020B000 \SystemRoot\system32\DRIVERS\rdpdr.sys 0x90294000 \SystemRoot\system32\DRIVERS\termdd.sys 0x902A4000 \SystemRoot\system32\DRIVERS\kbdclass.sys 
0x902AF000 \SystemRoot\system32\DRIVERS\mouclass.sys 0x902BA000 \SystemRoot\system32\DRIVERS\swenum.sys 0x902BC000 \SystemRoot\system32\DRIVERS\ks.sys 0x902E6000 \SystemRoot\system32\drivers\WmBEnum.sys 0x902EA000 \SystemRoot\system32\drivers\WmXlCore.sys 0x902F9000 \SystemRoot\system32\DRIVERS\mssmbios.sys 0x90303000 \SystemRoot\system32\DRIVERS\umbus.sys 0x90310000 \SystemRoot\system32\DRIVERS\usbhub.sys 0x90345000 \SystemRoot\System32\Drivers\NDProxy.SYS 0x90356000 \SystemRoot\system32\drivers\AtihdLH3.sys 0x90372000 \SystemRoot\system32\drivers\portcls.sys 0x9039F000 \SystemRoot\system32\drivers\drmk.sys 0x9060B000 \SystemRoot\system32\drivers\RTKVHDA.sys 0x90819000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0x90822000 \SystemRoot\System32\Drivers\Null.SYS 0x90829000 \SystemRoot\System32\Drivers\Beep.SYS 0x90839000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS 0x90840000 \SystemRoot\System32\drivers\vga.sys 0x9084C000 \SystemRoot\System32\drivers\VIDEOPRT.SYS 0x9086D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0x90875000 \SystemRoot\system32\drivers\rdpencdd.sys 0x9087D000 \SystemRoot\System32\Drivers\Msfs.SYS 0x90888000 \SystemRoot\System32\Drivers\Npfs.SYS 0x90896000 \SystemRoot\System32\DRIVERS\rasacd.sys 0x9089F000 \SystemRoot\system32\DRIVERS\tdx.sys 0x908B5000 \SystemRoot\system32\DRIVERS\smb.sys 0x908C9000 \SystemRoot\system32\DRIVERS\usbccgp.sys 0x908E0000 \SystemRoot\system32\DRIVERS\USBD.SYS 0x908E2000 \SystemRoot\system32\drivers\afd.sys 0x9092A000 \SystemRoot\system32\DRIVERS\hidusb.sys 0x90933000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS 0x90943000 \SystemRoot\System32\DRIVERS\netbt.sys 0x90975000 \SystemRoot\system32\DRIVERS\kbdhid.sys 0x9097E000 \SystemRoot\system32\DRIVERS\pacer.sys 0x90994000 \SystemRoot\system32\DRIVERS\netbios.sys 0x909A2000 \SystemRoot\system32\DRIVERS\wanarp.sys 0x909B5000 \SystemRoot\system32\DRIVERS\ssmdrv.sys 0x909BB000 \SystemRoot\system32\DRIVERS\rdbss.sys 0x90600000 \SystemRoot\system32\drivers\nsiproxy.sys 0x90400000 
\SystemRoot\system32\drivers\csc.sys 0x9045B000 \SystemRoot\System32\Drivers\dfsc.sys 0x90472000 \SystemRoot\system32\DRIVERS\avipbb.sys 0x90498000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys 0x904A0000 \SystemRoot\system32\DRIVERS\mouhid.sys 0x904A8000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys 0x904B0000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys 0x98C60000 \SystemRoot\System32\win32k.sys 0x904BF000 \SystemRoot\System32\drivers\Dxapi.sys 0x904C9000 \SystemRoot\system32\DRIVERS\monitor.sys 0x98E80000 \SystemRoot\System32\TSDDD.dll 0x98EA0000 \SystemRoot\System32\cdd.dll 0x98EB0000 \SystemRoot\System32\ATMFD.DLL 0x904D8000 \SystemRoot\system32\drivers\luafv.sys 0x904F3000 \SystemRoot\system32\DRIVERS\avgntflt.sys 0x90508000 \SystemRoot\system32\DRIVERS\tifsfilt.sys 0x90519000 \SystemRoot\system32\DRIVERS\lltdio.sys 0x90529000 \SystemRoot\system32\DRIVERS\rspndr.sys 0x9053C000 \SystemRoot\system32\drivers\spsys.sys 0xA060B000 \SystemRoot\system32\drivers\HTTP.sys 0xA0678000 \SystemRoot\System32\DRIVERS\srvnet.sys 0xA0695000 \SystemRoot\system32\DRIVERS\bowser.sys 0xA06AE000 \SystemRoot\system32\drivers\mrxdav.sys 0xA06CF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys 0xA06EE000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys 0xA0727000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys 0xA073F000 \SystemRoot\System32\DRIVERS\srv2.sys 0xA0766000 \SystemRoot\System32\DRIVERS\srv.sys 0xA07B2000 \SystemRoot\system32\DRIVERS\asyncmac.sys 0xA07D3000 \??\C:\ProgramData\Intel\Extreme Tuning Utility\IOCbios\32bit\IOCBIOS.SYS 0xA5A06000 \SystemRoot\system32\drivers\peauth.sys 0xA5AE4000 \SystemRoot\System32\Drivers\secdrv.SYS 0xA5AEE000 \SystemRoot\System32\drivers\tcpipreg.sys 0xA5AFA000 \SystemRoot\system32\DRIVERS\cdfs.sys 0xA5B10000 \SystemRoot\system32\DRIVERS\usbprint.sys 0xA5B1A000 \??\F:\Temp\awlcrpob.sys 0x77CE0000 \Windows\System32\ntdll.dll Processes (total 39): 0 System Idle Process 4 System 612 C:\Windows\System32\smss.exe 680 csrss.exe 744 csrss.exe 752 
C:\Windows\System32\wininit.exe 792 C:\Windows\System32\winlogon.exe 828 C:\Windows\System32\services.exe 844 C:\Windows\System32\lsass.exe 852 C:\Windows\System32\lsm.exe 1004 C:\Windows\System32\svchost.exe 1100 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 1124 C:\Windows\System32\svchost.exe 1224 C:\Windows\System32\svchost.exe 1252 C:\Windows\System32\svchost.exe 1368 C:\Windows\System32\audiodg.exe 1428 C:\Windows\System32\svchost.exe 1484 C:\Windows\System32\SLsvc.exe 1548 C:\Windows\System32\svchost.exe 1644 C:\Windows\System32\svchost.exe 1896 C:\Windows\System32\spoolsv.exe 1920 C:\Program Files\Avira\AntiVir Desktop\sched.exe 996 C:\Windows\System32\dwm.exe 912 C:\Windows\explorer.exe 2216 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe 2300 C:\Program Files\Bonjour\mDNSResponder.exe 2356 C:\Windows\System32\svchost.exe 2636 C:\Windows\System32\PnkBstrA.exe 2868 C:\Windows\System32\svchost.exe 2960 C:\Windows\System32\svchost.exe 3032 C:\Windows\System32\SearchIndexer.exe 3560 D:\Treiber\Logitech\SetPointP\SetPoint.exe 3556 C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe 2364 C:\Windows\System32\svchost.exe 1404 C:\Windows\System32\LMabcoms.exe 2108 C:\Windows\System32\notepad.exe 3812 C:\Windows\System32\SearchProtocolHost.exe 4028 C:\Windows\System32\SearchFilterHost.exe 2196 C:\Users\XXX\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS) \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000007`53100000 (NTFS) \\.\F: --> \\.\PhysicalDrive0 at offset 0x00000011`17100000 (NTFS) \\.\G: --> \\.\PhysicalDrive0 at offset 0x0000006d`dd100000 (NTFS) PhysicalDrive0 Model Number: STM3500418AS, Rev: CC37 Size Device Name MBR Status -------------------------------------------- 465 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979 Done! |
17.01.2011, 21:02 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Persistent TR/ATRAPS.Gen and other infection Do you have any operating systems other than Vista installed? If not: have a look here => Vista Notfall/Recovery-CD 32-Bit - Dr. Windows. Download the ISO, burn it to a CD (for example with ImgBurn, using its image-burning function) and start the computer from it (boot from this CD). If you have a normal Vista installation DVD, you don't need the image mentioned above and can simply boot from the Vista DVD. Click on "Repair your computer", Next, Command Prompt - the console opens. There, type bootrec.exe /fixboot (confirm with Enter), then type bootrec.exe /fixmbr (confirm with Enter) - restart the computer, taking the CD out first. Then make a new log with GMER.
__________________ Please always post logfiles in CODE tags |
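The MBRCheck output in the previous post reports a SHA1 of the MBR code and the byte offset of every volume, and the step above rewrites that sector with bootrec.exe /fixmbr. The following script is an added example (not code from the thread, from MBRCheck or from bootrec) that parses a 512-byte MBR image the same way, so a copy of the sector taken before the repair can be compared with the sector afterwards. Assumptions: the hash covers bytes 0..439 (the boot code), whereas MBRCheck does not document which bytes it hashes, so the two values need not agree; the sample sector and the disk signature 0x12345678 are constructed, but the partition offsets are the C: and D: offsets shown in the log.

```python
"""Parse a 512-byte MBR: hash the boot code, read the partition table.

Added example, not code from the thread, from MBRCheck or from bootrec.
It re-creates the information the MBRCheck output reports (a SHA1 of the
MBR code, the partitions' byte offsets) so that a baseline taken before
bootrec /fixmbr can be compared with the sector afterwards.
Assumption: the hash here covers bytes 0..439 (the boot code); MBRCheck
does not document which bytes it hashes, so its value need not match.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440         # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510         # bytes 510..511: 0x55 0xAA
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count


def parse_mbr(mbr):
    """Return boot-code hash, disk signature and the used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if struct.unpack_from("<H", mbr, BOOT_SIG_OFF)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
            "start_offset": lba * SECTOR,           # what MBRCheck prints as "at offset"
            "end_offset": (lba + count) * SECTOR,   # first byte after the partition
        })
    return {
        "code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def boot_code_is_known(mbr, known_sha1):
    """True if the boot code hashes to an entry of known_sha1, a set the
    operator builds from clean systems (constructed; nothing is shipped here)."""
    return parse_mbr(mbr)["code_sha1"] in known_sha1


def compare(baseline, current):
    """Tell boot-code changes apart from partition-table changes between two images."""
    return {
        "code_changed": baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN],
        "table_changed": baseline[PART_TABLE_OFF:BOOT_SIG_OFF]
                         != current[PART_TABLE_OFF:BOOT_SIG_OFF],
    }


def build_sample_mbr():
    """Constructed sample: filler boot code plus one bootable NTFS partition
    starting at LBA 2048 (byte offset 0x100000) and ending at 0x753100000,
    the C: and D: offsets the MBRCheck output in the thread shows."""
    code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"  # constructed signature
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 0x3A98000)
    table = entry + b"\x00" * (3 * 16)
    return code + disk_sig + table + struct.pack("<H", 0xAA55)


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("boot code SHA1:", info["code_sha1"])
    for p in info["partitions"]:
        print("partition %d: type 0x%02X at offset 0x%X" % (p["index"], p["type"], p["start_offset"]))
    tampered = bytearray(sample)
    tampered[0] ^= 0xFF           # one changed code byte, table untouched
    print(compare(sample, bytes(tampered)))
```

To run it against a real disk on Windows, read the first 512 bytes of `\\.\PhysicalDrive0` with an administrator account and pass them to `parse_mbr`; save that image before the bootrec step, and `compare` will show whether only the code or also the partition table changed.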
17.01.2011, 21:51 | #15 |
| Persistent TR/ATRAPS.Gen and other infection Everything has worked fine so far, and I don't have any other systems installed. New GMER log: Code:
GMER 1.0.15.15530 - hxxp://www.gmer.net
Rootkit scan 2011-01-17 21:46:37
Windows 6.0.6002 Service Pack 2
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5 STM3500418AS rev.CC37
Running: g2m3e4r.exe; Driver: F:\Temp\awlcrpob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90208000, 0x349D76, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F97817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FEA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F9BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F8F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F8E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73FC8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73F9DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F8FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F8FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7401CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73FBC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F8D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F86853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F8687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3024] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F92AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583380e60
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x61 0xF6 0x06 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x1B 0x74 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xDF 0x9F 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x66 0x24 0x97 0x1F ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583380e60 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x61 0xF6 0x06 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x1B 0x74 0x6F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xDF 0x9F 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x66 0x24 0x97 0x1F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77CFC1A6-DCF5-29FA-5AD4-F5E22D8FD642}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77CFC1A6-DCF5-29FA-5AD4-F5E22D8FD642}@galenbpoihgmdd 0x61 0x63 0x70 0x63 ...

---- EOF - GMER 1.0.15 ---- |