Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Internet Speed halbiert nach teilweiser entfernung von TrojanDownloader:Win32/Small.gen!I (https://www.trojaner-board.de/104924-internet-speed-halbiert-teilweiser-entfernung-trojandownloader-win32-small-gen-i.html)

ausdemFF 22.11.2011 15:02

Sorry, war ein weilchen nicht zuhause. Hier das Osam Log:

OSAM Logfile:
Code:

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 14:27:35 on 22.11.2011

OS: Windows 7 Ultimate Edition Service Pack 1 (Build 7601), 32-bit
Default Browser: Mozilla Corporation Firefox 8.0

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Boot Execute]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager )-----
"BootExecute" - ? - sdnclean.exe  (File not found)

[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"DDBACCPL.CPL" - "DataDesign AG" - C:\Windows\system32\DDBACCPL.CPL
"DDBACCTM.CPL" - "DataDesign AG" - C:\Windows\system32\DDBACCTM.CPL
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl
"M-AudioConectivControlPanelApplet.cpl" - "Avid Technology, Inc." - C:\Windows\system32\M-AudioConectivControlPanelApplet.cpl
"nvCpl.cpl" - "NVIDIA Corporation" - C:\Windows\system32\nvCpl.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\MLCFG32.CPL
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@%SystemRoot%\system32\drivers\tsusbhub.sys,-1" (tsusbhub) - ? - C:\Windows\System32\drivers\tsusbhub.sys  (File not found)
"avfwot" (avfwot) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avfwot.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"avkmgr" (avkmgr) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avkmgr.sys
"catchme" (catchme) - ? - C:\Users\MARCEL~1\AppData\Local\Temp\catchme.sys  (File not found)
"ElbyCDIO Driver" (ElbyCDIO) - "Elaborate Bytes AG" - C:\Windows\System32\Drivers\ElbyCDIO.sys
"epmntdrv" (epmntdrv) - ? - C:\Windows\system32\epmntdrv.sys  (File found, but it contains no detailed information)
"EuGdiDrv" (EuGdiDrv) - ? - C:\Windows\system32\EuGdiDrv.sys  (File found, but it contains no detailed information)
"MBAMSwissArmy" (MBAMSwissArmy) - ? - C:\Windows\system32\drivers\mbamswissarmy.sys  (File not found)
"MSI_MSIBIOS_010507" (MSI_MSIBIOS_010507) - ? - C:\Program Files\MSI\Live Update 5\msibios32_100507.sys  (File not found)
"NTIOLib_1_0_4" (NTIOLib_1_0_4) - ? - C:\Program Files\MSI\Live Update 5\NTIOLib.sys  (File not found)
"NVR0Dev" (NVR0Dev) - "NVIDIA Corp." - C:\Windows\nvoclock.sys
"NVR0FLASHDev" (NVR0FLASHDev) - "NVidia Corp." - C:\Windows\nvflash.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"Synth3dVsc" (Synth3dVsc) - ? - C:\Windows\System32\drivers\synth3dvsc.sys  (File not found)
"VGPU" (VGPU) - ? - C:\Windows\System32\drivers\rdvgkmd.sys  (File not found)

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807573E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{3D60EDA7-9AB4-4DA8-864C-D9B5F2E7281D} "Arbeitsbereiche" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\VISSHE.DLL
{99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\VISSHE.DLL
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll
{0875DCB6-C686-4243-9432-ADCCF0B9F2D7} "Microsoft OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL
{00020D75-0000-0000-C000-000000000046} "Microsoft Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\MLSHEXT.DLL
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL

[Internet Explorer]
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_29" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} "Java Plug-in 1.6.0_29" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_29" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_29.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
"BitComet" - ? - res://C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll/206  (File not found)
{FFFDC614-B694-4AE6-AB38-5D6374584B52} "Verknüpfte &OneNote-Notizen" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{B4F3A835-0E21-4959-BA22-42B3008E02FF} "Office Document Cache Handler" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Marcel Fink\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"ncid.Net" - "Gerhard Junker" - C:\Program Files\ncid.Net\ncid.Net.exe
"NVIDIA nTune" - "NVIDIA" - "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" resetprofile
"Pidgin" - "The Pidgin developer community" - "C:\Program Files\Pidgin\pidgin.exe"
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"avgnt" - "Avira Operations GmbH & Co. KG" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"BCSSync" - "Microsoft Corporation" - "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
"IntelliPoint" - "Microsoft Corporation" - "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"M-Audio Taskbar Icon" - "Avid Technology, Inc." - C:\Windows\system32\M-AudioTaskBarIcon.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
"VirtualCloneDrive" - "Elaborate Bytes AG" - "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"Avira Browser Schutz" (AntiVirWebService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
"Avira Echtzeit Scanner" (AntiVirService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira Email Schutz" (AntiVirMailService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
"Avira FireWall" (AntiVirFirewallService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
"Avira Planer" (AntiVirSchedulerService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"BitComet Disk Boost Service" (BITCOMET_HELPER_SERVICE) - "www.BitComet.com" - C:\Program Files\BitComet\tools\BitCometService.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"FABS - Helping agent for MAGIX media database" (Fabs) - "MAGIX AG" - C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
"Firebird Server - MAGIX Instance" (FirebirdServerMAGIXInstance) - "MAGIX®" - C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe
"FLEXnet Licensing Service" (FLEXnet Licensing Service) - "Acresso Software Inc." - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
"Google Update-Dienst (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Google Updater Service" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"Microsoft SharePoint Workspace Audit Service" (Microsoft SharePoint Workspace Audit Service) - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office14\GROOVE.EXE
"NVIDIA Display Driver Service" (nvsvc) - "NVIDIA Corporation" - C:\Windows\system32\nvvsvc.exe
"NVIDIA Stereoscopic 3D Driver Service" (Stereo Service) - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
"NVIDIA Update Service Daemon" (nvUpdatusService) - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
"Office  Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Office Software Protection Platform" (osppsvc) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"Performance Service" (nTuneService) - "NVIDIA" - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
"SQL Server (JTLWAWI)" (MSSQL$JTLWAWI) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"SQL Server-Browser" (SQLBrowser) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
"TeamViewer 6" (TeamViewer6) - "TeamViewer GmbH" - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
"TVersityMediaServer" (TVersityMediaServer) - ? - C:\ProgramData\TVersity\Media Server\MediaServer.exe  (File found, but it contains no detailed information)
"Update Center Service" (UpdateCenterService) - "NVIDIA" - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

[Winlogon]
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"ScCertProp" - ? - wlnotify.dll  (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----
"AVSDA" - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\avsda.dll

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---
If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
[/CODE]

Und das aswMBR log:

Code:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-22 14:28:01
-----------------------------
14:28:01.924    OS Version: Windows 6.1.7601 Service Pack 1
14:28:01.924    Number of processors: 1 586 0x602
14:28:01.925    ComputerName: MARCELFINK-PC  UserName: Marcel Fink
14:28:17.166    Initialize success
14:29:53.205    AVAST engine defs: 11112200
14:30:06.160    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-5
14:30:06.162    Disk 0 Vendor: MAXTOR_STM3250310AS 4.AAA Size: 238475MB BusType: 3
14:30:06.165    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3
14:30:06.168    Disk 1 Vendor: ST380020A 3.39 Size: 76319MB BusType: 3
14:30:08.221    Disk 0 MBR read successfully
14:30:08.224    Disk 0 MBR scan
14:30:08.254    Disk 0 Windows 7 default MBR code
14:30:08.258    Disk 0 scanning sectors +488392520
14:30:08.316    Disk 0 scanning C:\Windows\system32\drivers
14:30:23.354    Service scanning
14:30:24.413    Modules scanning
14:30:29.855    Disk 0 trace - called modules:
14:30:29.863    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
14:30:29.869    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86157030]
14:30:29.874    3 CLASSPNP.SYS[8b3b759e] -> nt!IofCallDriver -> [0x85c7e918]
14:30:29.878    5 ACPI.sys[8ae353d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-5[0x8609c030]
14:30:31.017    AVAST engine scan C:\Windows
14:30:38.824    AVAST engine scan C:\Windows\system32
14:32:39.940    AVAST engine scan C:\Windows\system32\drivers
14:32:49.150    AVAST engine scan C:\Users\Marcel Fink
14:46:48.119    AVAST engine scan C:\ProgramData
14:48:27.147    Scan finished successfully
15:00:37.963    Disk 0 MBR has been saved successfully to "C:\Users\Marcel Fink\Documents\MBR.dat"
15:00:37.969    The log file has been saved successfully to "C:\Users\Marcel Fink\Documents\aswMBR.txt"

:)

cosinus 22.11.2011 17:30

Was ist mit GMER?

ausdemFF 22.11.2011 20:37

der hat ca. 2h gescannt und ist dann hängen geblieben. Ich musste neustarten. Soll ichs nochmal Probieren?

cosinus 22.11.2011 20:54

Ja einmal noch.

ausdemFF 22.11.2011 22:07

Hui, jetzt gings voll Fix :)

[CODE]
GMER Logfile:
Code:

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2011-11-22 22:06:46
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-5 MAXTOR_STM3250310AS rev.4.AAA
Running: l1mtzr72.exe; Driver: C:\Users\MARCEL~1\AppData\Local\Temp\kwliaaow.sys


---- System - GMER 1.0.15 ----

SSDT            90CE8ABE                                                                                                                            ZwCreateSection
SSDT            90CE8A96                                                                                                                            ZwCreateSymbolicLinkObject
SSDT            90CE8A9B                                                                                                                            ZwLoadDriver
SSDT            90CE8A91                                                                                                                            ZwOpenSection
SSDT            90CE8AC8                                                                                                                            ZwRequestWaitReplyPort
SSDT            90CE8AC3                                                                                                                            ZwSetContextThread
SSDT            90CE8ACD                                                                                                                            ZwSetSecurityObject
SSDT            90CE8AA0                                                                                                                            ZwSetSystemInformation
SSDT            90CE8AD2                                                                                                                            ZwSystemDebugControl
SSDT            90CE8A5F                                                                                                                            ZwTerminateProcess
SSDT            90CE8A5A                                                                                                                            ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text          ntkrnlpa.exe!ZwSaveKey + 13D1                                                                                                      82C7B349 1 Byte  [06]
.text          ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                              82CB4D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text          ntkrnlpa.exe!KeRemoveQueueEx + 11F7                                                                                                82CBBEAC 4 Bytes  [BE, 8A, CE, 90]
.text          ntkrnlpa.exe!KeRemoveQueueEx + 11FF                                                                                                82CBBEB4 4 Bytes  [96, 8A, CE, 90] {XCHG ESI, EAX; MOV CL, DH; NOP }
.text          ntkrnlpa.exe!KeRemoveQueueEx + 1313                                                                                                82CBBFC8 4 Bytes  [9B, 8A, CE, 90] {WAIT ; MOV CL, DH; NOP }
.text          ntkrnlpa.exe!KeRemoveQueueEx + 13AF                                                                                                82CBC064 4 Bytes  [91, 8A, CE, 90] {XCHG ECX, EAX; MOV CL, DH; NOP }
.text          ntkrnlpa.exe!KeRemoveQueueEx + 1553                                                                                                82CBC208 4 Bytes  [C8, 8A, CE, 90] {ENTER 0xce8a, 0x90}
.text          ...                                                                                                                               

---- User IAT/EAT - GMER 1.0.15 ----

IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                                    [746C2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                                [746A5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                              [746A56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                                      [746C24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                                            [746B8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                              [746B4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                            [746B506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                                            [746B5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]                                  [746B6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                            [746B826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                                        [746B87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                                      [746B901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                                            [746BE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[2328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                                [746B4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                                            avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\00000058                                                                                                  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume8                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume9                                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Udp                                                                                                            avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice  \Driver\tdx \Device\RawIp                                                                                                          avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                                            fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{721F34D6-177E-0B5A-100D-6F2E2FB2D6A9}                   
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{721F34D6-177E-0B5A-100D-6F2E2FB2D6A9}@hagdjmlmbgfojoff    0x6A 0x61 0x61 0x63 ...
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{721F34D6-177E-0B5A-100D-6F2E2FB2D6A9}@iamcdoknakfgojhdhg  0x6A 0x61 0x61 0x63 ...
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A225EC91-5397-517E-C9B1-973E71617067}                   
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A225EC91-5397-517E-C9B1-973E71617067}@iaecmhkjhjfchkkjhp  0x6B 0x61 0x69 0x64 ...
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A225EC91-5397-517E-C9B1-973E71617067}@hakbgomlhamfaklm    0x6B 0x61 0x69 0x64 ...

---- EOF - GMER 1.0.15 ----

--- --- ---

cosinus 22.11.2011 23:11

Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SASW und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!


Anschließend über den OnlineScanner von ESET eine zusätzliche Meinung zu holen ist auch nicht verkehrt:


ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset



Alle Zeitangaben in WEZ +1. Es ist jetzt 03:11 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19