Trojaner-Board - Keylogger

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - Keylogger (https://www.trojaner-board.de/63247-keylogger.html)

Hallo,
ich hab mir vor kurzen einen keylogger eingefangen der leider auch schon seine wirkung gezeigt hat ...

ich habe vers. Virenscanner verwendet um ihn auswendig zu machen aber ohne erfolg...

das einzige was ich zu dem keylogger sagen kann ist ...
das er immer 2 exe'n erstellt
einmal in

C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9YDYZ78D

name z.B. uu[1].exe hii[1].exe new[1].exe ...

und dann noch in
C:\WINDOWS\system32

name atlsystem*randomnummer*.exe z.B. atlsystem975723.exe

naja hier zum Hijack log ... es ist nichts besonderes zu erkennen meint nen Kumpel ...

Zitat:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:00, on 30.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Fighters\spywarefighter\SpywarefighterUser.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Programme\NetLimiter 2 Pro\nlsvc.exe
C:\Programme\Fighters\configservice.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
D:\Programme\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Fighters\licenseservice.exe
C:\Programme\Fighters\updateservice.exe
C:\Programme\Fighters\ScannerService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\alg.exe
c:\programme\fighters\spywarefighter\SPYWAREfighterTray.exe

O2 - BHO: MSUSER Class - {8D4D2F69-DF30-4471-988C-CC58545E86C8} - C:\WINDOWS\system32\SystemHper.dll
O4 - HKLM\..\Run: [SystemHelp] RUNDLL32.EXE C:\WINDOWS\system32\SystemHper.dll,Install
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programme\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\Programme\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: PTK License-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\configservice.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp2004\WinStylerThemeSvc.exe

--
End of file - 3571 bytes

ich weiß nicht ob ich hijack falsch eingestellt oder verwendet hab ... wenn ja dann sagt bescheid ;)

Ich hoffe ihr könnt mir irgendwie helfen

Mfg Micha

hi Sep_Michi und :hallo:

Lade Random's System Information Tool (RSIT) von random/random herunter,
speichere es auf Deinem Desktop.
Starte mit Doppelklick die RSIT.exe.
Klicke auf Continue, um die Nutzungsbedingungen zu akzeptieren.
Wenn Du HijackThis nicht installiert hast, wird RSIT das für Dich herunterladen und installieren.
In dem Fall bitte auch die Nutzungsbedingungen von Trend Micro für HJT akzeptieren I accept.
Wenn Deine Firewall fragt, bitte RSIT erlauben, ins Netz zu gehen.
Der Scan startet automatisch, RSIT checkt nun einige wichtige System-Bereiche und produziert Logfiles als Analyse-Grundlage.
Wenn der Scan beendet ist, werden zwei Logfiles erstellt und in Deinem Editor geöffnet.
Bitte poste den Inhalt von C:\rsit\log.txt und C:\rsit\info.txt (<= minimiert) hier in den Thread.

geladen getan ... hier die resultate

http://filebeam.com/5fc91cbeff0ca58acef9640c48021db4
konte es nicht posten ... zu lang ;)

und danke für das willkommen :)

Edit ... hatte vergessen noch nen paar dinge im hintergrund zu schließen ... soll ich noch nen anderes log posten?

bitte psote die C:\RSIT\log.txt wenigstens hier, so kann ich sie besser kontrollieren, teile wenn nötig auf mehrere posts auf :).

ok wenn ich das darf mach ich das ;)

Zitat:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-10-30 20:22:54
Microsoft Windows XP Professional Service Pack 2
System drive C: has 21 GB (53%) free of 40 GB
Total RAM: 2047 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22:55, on 30.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Fighters\spywarefighter\SpywarefighterUser.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Programme\NetLimiter 2 Pro\nlsvc.exe
C:\Programme\Fighters\configservice.exe
D:\Programme\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Fighters\licenseservice.exe
C:\Programme\Fighters\updateservice.exe
C:\Programme\Fighters\ScannerService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
c:\programme\fighters\spywarefighter\SPYWAREfighterTray.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\RSIT.exe
C:\Programme\Trend Micro\HijackThis\Administrator.exe

O2 - BHO: MSUSER Class - {8D4D2F69-DF30-4471-988C-CC58545E86C8} - C:\WINDOWS\system32\SystemHper.dll
O4 - HKLM\..\Run: [SystemHelp] RUNDLL32.EXE C:\WINDOWS\system32\SystemHper.dll,Install
O4 - HKLM\..\Run: [spywarefighterguard] C:\Programme\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\Programme\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: PTK License-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-18668899 - SPAMfighter - C:\Programme\Fighters\configservice.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp2004\WinStylerThemeSvc.exe

--
End of file - 3408 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D4D2F69-DF30-4471-988C-CC58545E86C8}]
MSUSER Class - C:\WINDOWS\system32\SystemHper.dll [2008-10-30 65536]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemHelp"=C:\WINDOWS\system32\SystemHper.dll [2008-10-30 65536]
"spywarefighterguard"=C:\Programme\Fighters\spywarefighter\SpywarefighterUser.exe [2008-09-26 180872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
D:\Programme\ICQ6\ICQ.exe [2008-09-01 173304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
D:\Games\Steam\Steam.exe [2008-03-28 1271032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Administrator^Startmenü^Programme^Autostart^hamachi.lnk]
D:\PROGRA~1\Hamachi\hamachi.exe [2008-04-15 624416]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mysql"=2
"NSCService"=3
"navapsvc"=2
"WebClient"=2
"mi-raysat_3dsmax9_32"=2

C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart
Stardock ObjectDock.lnk - C:\Programme\Stardock\ObjectDock\ObjectDock.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-05-12 139264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\Programme\ICQLite\ICQLite.exe"="D:\Programme\ICQLite\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\Programme\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe"="C:\Programme\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.0"
"C:\Programme\iTunes\iTunes.exe"="C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Programme\Joost\xulrunner\tvprunner.exe"="C:\Programme\Joost\xulrunner\tvprunner.exe:*:Enabled:tvprunner"
"D:\Programme\ICQ6\ICQ.exe"="D:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Programme\uTorrent\uTorrent.exe"="C:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"D:\Programme\Autodesk\3ds Max 9\3dsmax.exe"="D:\Programme\Autodesk\3ds Max 9\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"D:\Programme\Autodesk\Backburner\monitor.exe"="D:\Programme\Autodesk\Backburner\monitor.exe:*:Enabled:backburner 2.3 monitor"
"D:\Programme\Autodesk\Backburner\manager.exe"="D:\Programme\Autodesk\Backburner\manager.exe:*:Enabled:backburner 2.3 manager"
"D:\Programme\Autodesk\Backburner\server.exe"="D:\Programme\Autodesk\Backburner\server.exe:*:Enabled:backburner 2.3 server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-10-30 20:12:31 ----D---- C:\rsit
2008-10-30 19:35:09 ----D---- C:\Programme\CCleaner
2008-10-30 16:54:26 ----D---- C:\Programme\Fighters
2008-10-30 16:54:26 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Fighters
2008-10-30 16:53:58 ----A---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\install.txt
2008-10-29 15:16:43 ----A---- C:\WINDOWS\system32\SystemHper.dll.142234
2008-10-29 15:16:43 ----A---- C:\WINDOWS\system32\SystemHper.dll
2008-10-28 21:16:06 ----D---- C:\Programme\Tortun
2008-10-27 21:29:58 ----AD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-10-27 21:29:53 ----D---- C:\Programme\Spyware Doctor
2008-10-27 21:29:53 ----D---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\PC Tools
2008-10-27 21:16:12 ----D---- C:\!KillBox
2008-10-27 21:10:46 ----D---- C:\Programme\Trend Micro
2008-10-10 23:22:27 ----D---- C:\Programme\MediaCoder

======List of files/folders modified in the last 1 months======

2008-10-30 19:48:47 ----D---- C:\WINDOWS\system32
2008-10-30 19:48:12 ----D---- C:\WINDOWS\Temp
2008-10-30 19:42:37 ----D---- C:\Programme\Mozilla Firefox
2008-10-30 19:40:39 ----D---- C:\WINDOWS\Minidump
2008-10-30 19:40:39 ----D---- C:\WINDOWS\Debug
2008-10-30 19:40:39 ----D---- C:\WINDOWS
2008-10-30 19:35:09 ----RD---- C:\Programme
2008-10-30 19:31:03 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-30 19:18:29 ----D---- C:\WINDOWS\system32\drivers
2008-10-30 19:16:15 ----N---- C:\WINDOWS\SchedLgU.Txt
2008-10-30 17:02:33 ----D---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\teamspeak2
2008-10-30 16:55:35 ----SHD---- C:\WINDOWS\Installer
2008-10-30 16:55:28 ----SHD---- C:\Config.Msi
2008-10-30 16:55:03 ----HD---- C:\WINDOWS\inf
2008-10-30 15:53:58 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-29 22:38:28 ----A---- C:\WINDOWS\winamp.ini
2008-10-27 21:34:51 ----D---- C:\WINDOWS\Prefetch
2008-10-27 21:31:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-27 21:25:14 ----RSH---- C:\boot.ini
2008-10-27 21:25:14 ----A---- C:\WINDOWS\win.ini
2008-10-27 21:25:14 ----A---- C:\WINDOWS\system.ini
2008-10-27 20:39:38 ----D---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\OpenOffice.org2
2008-10-27 15:01:39 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe
2008-10-27 15:01:39 ----D---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Adobe
2008-10-27 14:49:09 ----D---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Canon
2008-10-19 14:01:04 ----D---- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Hamachi

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 43520]
R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-07-18 75072]
R1 nltdi;nltdi; \??\C:\WINDOWS\system32\drivers\nltdi.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248]
R2 npkcrypt;npkcrypt; \??\D:\Games\Maple Story\npkcrypt.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-09-08 247296]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-29 94080]
R3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-13 2155520]
R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 cmpci;C-Media PCI Audio Driver (WDM); C:\WINDOWS\system32\drivers\cmaudio.sys [2001-04-13 270536]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-04-15 25280]
R3 HdAudAddService;ATI Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\AtiHdAud.sys [2006-12-28 84992]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IKFileSec;File Security Driver; C:\WINDOWS\system32\drivers\ikfilesec.sys [2008-08-25 40840]
R3 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R3 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R3 mouhid;Maus-HID-Treiber; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-18 12288]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 usbscan;USB-Scannertreiber; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 Vfscan;Vfscan; C:\WINDOWS\system32\DRIVERS\vffilter.sys [2008-09-26 15496]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2006-05-23 245248]
S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Programme\Gemeinsame Dateien\Symantec Shared\EENGINE\eeCtrl.sys []
S3 a5rgo5rz;a5rgo5rz; C:\WINDOWS\system32\drivers\a5rgo5rz.sys []
S3 Atiiosde;Atiiosde; C:\WINDOWS\system32\drivers\Atiiosde.sys []
S3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
S3 hidgame;Microsoft HID-zu-Joystickanschlussaktivierung; C:\WINDOWS\system32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 ms_mpu401;Microsoft MPU-401 MIDI UART-Treiber; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 Msi2mtnaap;Msi2mtnaap; C:\WINDOWS\system32\drivers\Msi2mtnaap.sys []
S3 s217bus;Sony Ericsson Device 217 driver (WDM); C:\WINDOWS\system32\DRIVERS\s217bus.sys [2007-11-02 83496]
S3 s217mdfl;Sony Ericsson Device 217 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s217mdfl.sys [2007-11-02 15016]
S3 s217mdm;Sony Ericsson Device 217 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s217mdm.sys [2007-11-02 109992]
S3 s217mgmt;Sony Ericsson Device 217 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s217mgmt.sys [2007-11-02 103976]
S3 s217nd5;Sony Ericsson Device 217 USB Ethernet Emulation SEMC217 (NDIS); C:\WINDOWS\system32\DRIVERS\s217nd5.sys [2007-11-02 24872]
S3 s217obex;Sony Ericsson Device 217 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s217obex.sys [2007-11-02 100008]
S3 s217unic;Sony Ericsson Device 217 USB Ethernet Emulation SEMC217 (WDM); C:\WINDOWS\system32\DRIVERS\s217unic.sys [2007-11-02 105896]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\GEMEIN~1\SYMANT~1\SymcData\idsdefs\20080729.001\symidsco.sys []
S3 usbaudio;USB-Audiotreiber (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 XDva059;XDva059; \??\C:\WINDOWS\system32\XDva059.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-23 68865]
R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-23 151297]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-13 483328]
R2 nlsvc;NetLimiter; D:\Programme\NetLimiter 2 Pro\nlsvc.exe [2007-03-21 516096]
R2 PTK License-FIGHTERS-18668899;PTK License-FIGHTERS-18668899; C:\Programme\Fighters\licenseservice.exe [2008-09-26 283272]
R2 PTK Live Update-FIGHTERS-18668899;PTK Live Update-FIGHTERS-18668899; C:\Programme\Fighters\updateservice.exe [2008-09-26 307848]
R2 PTK Scanner-FIGHTERS-18668899;PTK Scanner-FIGHTERS-18668899; C:\Programme\Fighters\ScannerService.exe [2008-09-26 311944]
R2 PTK SharedAccess-FIGHTERS-18668899;PTK SharedAccess-FIGHTERS-18668899; C:\Programme\Fighters\configservice.exe [2008-09-26 139912]
S2 download02;Remote Access; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; D:\Programme\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod-Dienst; C:\Programme\iPod\bin\iPodService.exe [2008-03-30 504104]
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR; D:\Programme\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [2002-12-17 7520337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Programme\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S3 sdCoreService;PC Tools Security Service; C:\Programme\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR; D:\Programme\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [2002-12-17 311872]
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service; C:\Programme\TuneUp2004\WinStylerThemeSvc.exe [2004-03-02 112128]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S4 Adobe LM Service;Adobe LM Service; C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-01-18 68096]
S4 Apache2.2;Apache2.2; D:\xampp\apache\bin\apache.exe [2007-03-05 16896]
S4 Apple Mobile Device;Apple Mobile Device; C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
S4 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-06-13 520192]
S4 Autodesk Licensing Service;Autodesk Licensing Service; C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe [2008-08-02 72704]
S4 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-03-28 654848]
S4 mi-raysat_3dsmax9_32;mental ray 3.5 Satellite (32-bit); D:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe [2006-09-29 65536]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2007-06-05 177704]

-----------------EOF-----------------

und hier info

Zitat:

info.txt logfile of random's system information tool 1.04 2008-10-30 20:22:56

======Uninstall list======

-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Button Creator Gold-->C:\WINDOWS\unvise32.exe D:\Programme\3D Button Creator Gold\uninstal.log
3dsmax ancillary install-->MsiExec.exe /I{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}
7-Zip 4.57-->"D:\Programme\7-Zip\Uninstall.exe"
Adobe Acrobat 6.0 Professional - English, Français, Deutsch-->MsiExec.exe /I{AC76BA86-1033-F400-7760-000000000001}
Adobe After Effects 6.0-->MsiExec.exe /I{1EC60864-A294-44BF-984A-3E8867D74EA2}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x7
Adobe Premiere Elements 4.0-->msiexec /I {3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}
Adobe Premiere Elements 4.0-->MsiExec.exe /I{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Dienstprogramm zur Deinstallation der Software-->C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x444e
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
Audition-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{9DB52C99-EC51-4173-93C5-298769170CB0}\setup.exe" -l0x7 -removeonly
Autodesk 3ds Max 9 32-bit-->MsiExec.exe /I{E96D4088-AAC5-437F-9E39-EC0E387897B4}
Autodesk DWF Viewer 7-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
AUTODESK MAYA V8.5-->D:\Programme\AUTODESK MAYA V8.5\uninstall.exe
AutoIt v3.2.10.0-->D:\Programme\AutoIt3\Uninstall.exe
Avanquest update-->C:\Programme\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0007 -removeonly
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
AVIVO Codecs-->MsiExec.exe /X{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}
Backburner-->MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
BPM-Studio 4 Demo-->MsiExec.exe /X{9CCB8F6D-33FC-4E79-8616-7BE5DF32A955}
BrainWave Generator-->C:\WINDOWS\IsUninst.exe -f"D:\Programme\BrainWave Generator\Uninst.isu"
Camtasia Studio 5-->MsiExec.exe /I{A5049F43-18B8-4984-9B98-FE701B0D2526}
CCleaner (remove only)-->"C:\Programme\CCleaner\uninst.exe"
Client Hack 1.9.2d-->C:\WINDOWS\iun6002.exe "D:\Games\World of Warcraft 1.9\irunin.ini"
Corel Paint Shop Pro Photo X2-->MsiExec.exe /X{64E72FB1-2343-4977-B4A8-262CD53D0BD3}
DiscJuggler-->D:\Programme\Padus\DiscJuggler\Uninstall.exe
DivX Content Uploader-->C:\Programme\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player-->C:\Programme\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DyynoPlayer 0.8.6e-->C:\Programme\Dyyno\Dyyno Player\uninstall.exe
Easy MP3 Sound Recorder version 3.11-->"D:\Programme\SoundRecorder\unins000.exe"
EuropeMapleStory-->MsiExec.exe /I{D17D8B97-F937-432F-88BD-382727D34441}
FBX Plugin 2006.08 for Max 9.0-->C:\Programme\Autodesk\FBX\FbxPlugins\2006.08\Max90\Uninstall.exe
FBX Plugin 2006.11.1 for Max 2008-->C:\Programme\Autodesk\FBX\FbxPlugins\2006.11.1\Max2008\Uninstall.exe
Firebird SQL Server - MAGIX Edition-->D:\Programme\MAGIX\Common\Database\unwise.exe
Fraps (remove only)-->"D:\Programme\Fraps\uninstall.exe"
Free Games Offer, Desktop Shortcut-->MsiExec.exe /X{31DABA20-10A1-4746-9D9F-57955B8DFF66}
Game Cam (Registered) v1.4.0.5-->MsiExec.exe /I{EBE7050B-7988-4BC3-BBFD-5C6828859483}
Glitchys MES 2.6-->"D:\Games\WoW-Modding Pack\Glitchy's Model Editing Suite\unins000.exe"
Google SketchUp 6-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x7 -removeonly
Google SketchUp 6-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x7 -removeonly
Grand Theft Auto San Andreas-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{086BADF8-9B1F-4E89-B207-2EDA520972D6}\setup.exe" -l0x7 -removeonly
Half-Life 2: Deathmatch-->"D:\Games\Steam\steam.exe" steam://uninstall/320
Half-Life 2: Lost Coast-->"D:\Games\Steam\steam.exe" steam://uninstall/340
Hamachi 1.0.2.5-->D:\Programme\Hamachi\uninstall.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Programme\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ICQ6-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
iTunes-->MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 3D 1.5.0-->MsiExec.exe /X{32A9C5B3-D166-4C6D-A11E-A54473150000}
Java 3D 1.5.1-->MsiExec.exe /X{32A9C5B3-D166-4C6D-A11E-A54473151000}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JMB36X Raid Configurer-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x7 -removeonly
Joe-->MsiExec.exe /X{36A1E3D6-288A-4EEE-A081-30D9808B2BE3}
Joost (tm) Beta 1.0.8-->C:\Programme\Joost\uninst.exe
Linren Sound Recorder-->D:\PROGRA~1\LINREN~1\UNWISE.EXE D:\PROGRA~1\LINREN~1\INSTALL.LOG
MAGIX Music Maker 2008 Producer Edition Trial 13.0.1.11 (D)-->D:\Programme\MAGIX\MusicMaker2008PEDownloadVersion\unwise.exe
MAGIX Music Maker Techno Edition 2 4.0.0.10 (D)-->D:\Programme\MAGIX\MusicMakerTechnoEdition2\instslct.exe
MAGIX Screenshare 4.3.6.1987 (D)-->D:\Programme\MAGIX\PCVisit\unwise.exe
Mangos 2.4.1 Server v3.0-->F:\WoW Server\uninstall.exe
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
MediaCoder 0.6.1-->C:\Programme\MediaCoder\uninst.exe
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU-->MsiExec.exe /I{9309DD7E-EBFE-3C95-8B47-30D3A012F606}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - DEU-->MsiExec.exe /I{A1071AEB-B0EF-3F5F-BC84-83A270EBE496}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - deu\setup.exe
Microsoft .NET Framework 3.5 Language Pack - deu-->MsiExec.exe /I{1545207E-C6F3-31D7-9918-BDBB65075FBF}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110407-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.3)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MP3 Recorder Studio 5.9-->"D:\Programme\MP3 Recorder Studio\unins000.exe"
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MyPhoneExplorer-->D:\Programme\MyPhoneExplorer\uninstall.exe
Nero 6 AudioPlugins-->MsiExec.exe /X{E65E137D-F81C-4F7E-9C61-DB618D72DD7A}
Nero 6 Ultra Edition-->C:\Programme\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero 6 VideoPlugins-->MsiExec.exe /X{B45F8388-9D26-438D-8C68-3F4E2FA0B577}
NeroVision Express 2-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
NeroVision Express Plugins-->MsiExec.exe /X{05D6AEBA-03FA-492E-9B10-412E4FF0E742}
NetLimiter 2 Pro (remove only)-->"D:\Programme\NetLimiter 2 Pro\nl2uninst.exe"
ObjectDock-->C:\PROGRA~1\Stardock\OBJECT~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\INSTALL.LOG
OpenGL Extensions Viewer 3.0-->"D:\Programme\realtech VR\OpenGL Extensions Viewer 3.0\uninst.exe"
OpenOffice.org 2.4-->MsiExec.exe /I{CCD90636-D97D-4130-A44A-3AD4E63B9220}
Opera 9.26-->MsiExec.exe /X{FB706A00-C234-4716-AB1F-27DCB192C664}
PC Inspector File Recovery-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x7
PC Inspector smart recovery-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{C9A87D86-FDFD-418B-BF96-EF09320973B3}\Setup.exe" -l0x7
Phun beta 3.5-->"D:\Programme\Phun\unins000.exe"
PremiumSoft Navicat MySQL 7.2-->"D:\Programme\PremiumSoft\Navicat MySQL\unins000.exe"
QuickTime-->MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Remove Vista Customization Pack v3-->c:\windows\vcp_save\runme.bat
RollerCoaster Tycoon® 3-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\Setup.exe" -l0x9
save2pc Light 3.25-->"D:\Programme\FDRLab\save2pc\unins000.exe"
save2pc Pro 3.31-->"D:\Programme\FDRLab\save2pc\unins001.exe"
Sony Ericsson Media Manager 1.0-->MsiExec.exe /X{5C72622B-643D-4296-B57D-5D53D0C68509}
Sony Ericsson PC Suite 3.209.00-->C:\Programme\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0007 -removeonly
Sony Media Manager 2.2-->MsiExec.exe /X{C9E129BC-27D3-436E-BAAC-4CE81E0962F1}
Sony Vegas 7.0-->MsiExec.exe /X{96965E6C-41DB-4E0A-BC65-D92381D51D2A}
SoundMAX-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x7 -removeonly
SPORE™ Labor Basisversion-->"C:\Programme\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0007 -removeonly
Spybot - Search & Destroy 1.3-->"C:\Programme\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 6.0-->C:\Programme\Spyware Doctor\unins000.exe /LOG
SPYWAREfighter-->"C:\Programme\Fighters\spywarefighter\Uninstall.exe" Remove
SPYWAREfighter-->MsiExec.exe /I{B940005A-1212-4E87-885B-1FF80B40D6F4}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
StepMania (remove only)-->"D:\Games\StepMania\uninstall.exe"
SUPER © Version 2008.bld.33 (Sep 2, 2008)-->D:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
SWFPlayer-->D:\Programme\SWFPlayer\unins000.exe
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
Text-To-Speech-Runtime-->MsiExec.exe /X{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}
Tortun 0.8-->"C:\Programme\Tortun\unins000.exe"
TuneUp Utilities 2004-->MsiExec.exe /I{2C3738C9-56FA-410A-BCB5-79C5DFD238F0}
Universal Extractor 1.5-->"D:\Programme\Universal Extractor\unins000.exe"
VideoLAN VLC media player 0.8.6i-->D:\Programme\VideoLAN\VLC\uninstall.exe
Winamp (remove only)-->"C:\Programme\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_87B606860B720724BEB5DCEB69E8628A61DE0A7E\amdk8.inf
WinRAR Archivierer-->C:\Programme\WinRAR\uninstall.exe
World of Warcraft Public Test-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\Burning Crusade-PTR\Uninstall.exe
World of Warcraft-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT (2)\Uninstall.exe
Wrath of the Lich King - Alpha-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT (2)\Uninstall.exe
Wrath of the Lich King-Beta-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\Wrath of the Lich King\Uninstall.exe
XAMPP 1.6.1-->"D:\xampp\uninstall.exe"
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
ZU-ONLINE-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{D619E865-AE93-4785-BB20-F3072CE4E8C5}\setup.exe" -l0x9 -removeonly

=====HijackThis Backups=====

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://web.de/
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "D:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://deutsch.eazel.com/index.php?rvs=hompag
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe (file missing)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [StartXChar] C:\Programme\Xchar\Xchar Faces Client\Profiler.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Programme\Gemeinsame Dateien\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\Administrator\OctoshapeClient.exe" -inv:bootrun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKLM\..\Run: [Realtime Audio Engine] "mmrtkrnl.exe" /i
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ6\ICQ.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\Programme\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp2004\WinStylerThemeSvc.exe

======Security center information======

AV: Avira AntiVir PersonalEdition
FW: Norton Internet Worm Protection (disabled)

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programme\ATI Technologies\ATI.ACE\Core-Static;C:\Programme\Microsoft SQL Server\80\Tools\Binn\;C:\Programme\Gemeinsame Dateien\Adobe\AGL;C:\Programme\Gemeinsame Dateien\Autodesk Shared\;D:\Programme\Universal Extractor\bin;D:\Programme\QuickTime\QTSystem\;D:\Programme\Autodesk\Backburner\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
"PROCESSOR_REVISION"=4303
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Programme\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Programme\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

Malwarebytes' Anti-Malware

Lies dir die Entfernungsanleitung durch und lass alles entfernen was gefunden wurde:

Download von Malwarebytes' Anti-Malware

http://saved.im/ndc5njj4d2lr/entfernen.png
(nach dem scannen auf den Button klicken und Funde löschen lassen!)

Kaspersky - Onlinescanner

Dieser Scanner entfernt die Funde nicht, gibt aber einen guten Überblick über die vorhandene Malware.

---> hier herunterladen => Kaspersky Online-Scanner
=> Hinweise zu älteren Versionen beachten!
=> Voraussetzung: Internet Explorer 6.0 oder höher
=> die nötigen ActiveX-Steuerelemente installieren => Update der Signaturen => Weiter
=> Scan-Einstellungen => Standard wählen => OK => Link "Arbeitsplatz" anklicken
=> Scan beginnt automatisch => Untersuchung wurde abgeschlossen => Protokoll speichern als
=> Dateityp auf .txt umstellen => auf dem Desktop als Kaspersky.txt speichern => Log hier posten
=> Deinstallation => Systemsteuerung => Software => Kaspersky Online Scanner entfernen

und wenn du das nächste mal code-tags statt quote-tags nimmst, wird auch der post kürzer ;).

Code:

Malwarebytes' Anti-Malware 1.30

Datenbank Version: 1340

Windows 5.1.2600 Service Pack 2
 

30.10.2008 22:25:58

mbam-log-2008-10-30 (22-25-58).txt
 

Scan-Methode: Vollständiger Scan (C:\|D:\|)

Durchsuchte Objekte: 217259

Laufzeit: 1 hour(s), 46 minute(s), 1 second(s)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0

Infizierte Dateiobjekte der Registrierung: 0

Infizierte Verzeichnisse: 0

Infizierte Dateien: 1
 

Infizierte Speicherprozesse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungsschlüssel:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateiobjekte der Registrierung:

(Keine bösartigen Objekte gefunden)
 

Infizierte Verzeichnisse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateien:

C:\WINDOWS\system32\cmdow.exe (Malware.Tool) -> Quarantined and deleted successfully.

so das ist bei Malwarebytes' Anti-Malware rausgekommen ...

Online Kaspersky geht bei mir nicht...

Poste bitte noch ein AVZ log.

Deaktiviere die Systemwiederherstellung auf allen Laufwerken. Nachdem die Bereinigung KOMPLETT beendet ist kann sie wieder aktiviert werden.
Räume mit cCleaner auf. (Punkt 1 & 2)
Deaktiviere den Wächter/On-Access-Modul (Echtzeit-Scanner) deines AntiViren Programmes und schließe alle AntiViren Programme komplett!
Downloade AVZ und speichere es in einen eigenen Ordner auf dem Desktop.
Entpacke es in diesem Ordner und starte die Anwendung durch einen Doppelklick auf die AVZ.exe.
Unter AVZGuard -> Enable AVZGuard wählen. => Der Wächter verhindert die Ausführung aller anderen Anwendungen und muss nach der Analyse unbedingt wieder deaktviert werden!!
Unter File -> Database Update Start drücken.
Unter AVZPM -> Install extended monitoring driver wählen. Der Treiber wird installiert.
Während des Scans sollte der Rechner weiterhin Verbindung mit dem Internet haben.
Im Hauptfenster den Start Button drücken.
Danach unter File -> System Analys, die Option Attach System Analysis log to ZIP anhaken und Start drücken. Wähle als Speicherort den von dir erstellten AVZ-Ordner.
Deaktiviere den AVZGuard!
Nachdem der Scan beendet ist lade die avz_sysinfo.zip bei Rapidshare hoch und poste den Download-Link.

http://rapidshare.com/files/159149078/avz_sysinfo.zip.html

Dateien Online überprüfen lassen:

* Lasse dir auch die versteckten Dateien anzeigen!

* Suche die Seite Virtustotal auf. Kopiere folgenden Dateipfad per copy and paste in das Eingabefeld neben dem "Durchsuchen"-Button. Klicke danach auf "Senden der Datei"!

* Alternativ kannst du dir die Datei natürlich auch über den "Durchsuchen"-Button selbst heraussuchen.

Zitat:

C:\WINDOWS\System32\Drivers\awusgh18.SYS
spyu.sys <-- musst du wie in meiner Signatur beschrieben wird suchen lassen!
C:\WINDOWS\system32\DRIVERS\vffilter.sys
C:\WINDOWS\system32\SystemHper.dll

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
* Sollte die Datei bereits analysiert worden sein so lasse sie unbedingt trotzdem nocheinmal analysieren!
* Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Code:

SystemHper.dll
 

Status: Laden ...  Wartend  Warten  Überprüfung  Beendet  Nicht gefunden  Gestoppt

Ergebnis: 5/36 (13.89%)
 
 Antivirus  Version  letzte aktualisierung  Ergebnis
AhnLab-V3 2008.10.30.1 2008.10.31 -
AntiVir 7.9.0.10 2008.10.30 -
Authentium 5.1.0.4 2008.10.31 -
Avast 4.8.1248.0 2008.10.30 -
AVG 8.0.0.161 2008.10.30 -
BitDefender 7.2 2008.10.31 DeepScan:Generic.PWS.WoW.49CB567E
CAT-QuickHeal 9.50 2008.10.31 -
ClamAV 0.93.1 2008.10.31 -
DrWeb 4.44.0.09170 2008.10.31 -
eSafe 7.0.17.0 2008.10.30 -
eTrust-Vet 31.6.6184 2008.10.31 -
Ewido 4.0 2008.10.30 -
F-Prot 4.4.4.56 2008.10.30 -
F-Secure 8.0.14332.0 2008.10.31 Trojan-GameThief.Win32.WOW.cjl
Fortinet 3.117.0.0 2008.10.31 -
GData 19 2008.10.31 DeepScan:Generic.PWS.WoW.49CB567E
Ikarus T3.1.1.44.0 2008.10.31 -
K7AntiVirus 7.10.512 2008.10.30 -
Kaspersky 7.0.0.125 2008.10.31 Trojan-GameThief.Win32.WOW.cjl
McAfee 5419 2008.10.31 -
Microsoft 1.4005 2008.10.31 -
NOD32 3571 2008.10.30 -
Norman 5.80.02 2008.10.30 -
Panda 9.0.0.4 2008.10.30 -
PCTools 4.4.2.0 2008.10.30 -
Prevx1 V2 2008.10.31 -
Rising 21.01.41.00 2008.10.31 -
SecureWeb-Gateway 6.7.6 2008.10.31 Trojan.LooksLike.Thief.Wow
Sophos 4.35.0 2008.10.31 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.10.31 -
TheHacker 6.3.1.1.135 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 -
VBA32 3.12.8.9 2008.10.30 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 4.5.11.0 2008.10.30 -


weitere Informationen

File size: 65536 bytes

MD5...: 22c77205746fe6e9e138c4a8a3db5d78

SHA1..: 7a0de47c4086eccd297f375f496b2f51a48d8dcf

SHA256: cdf9c5a58991c3c7c5d800c4e888ae5c60ab286f936114095c9ee6fd8cb5191e

SHA512: ef67f19d103a33dc22c9893f8859ec1450da6cadf76619a24414d55e9aac3a60

528ab13fff3a13c55c16aed68081497f40fcda28600d31896bd5947820912aab

PEiD..: Armadillo v1.xx - v2.xx

TrID..: File type identification

DirectShow filter (58.3%)

Windows OCX File (35.7%)

Win32 Executable Generic (2.4%)

Win32 Dynamic Link Library (generic) (2.1%)

Generic Win/DOS Executable (0.5%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x1000676d

timedatestamp.....: 0x49087d34 (Wed Oct 29 15:11:48 2008)

machinetype.......: 0x14c (I386)
 

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x8958 0x9000 6.47 60ade7613e4c7fa0ffd1e2eb6443bb83

.rdata 0xa000 0x1bb6 0x2000 4.87 c0605fe8ec1b2fd48929d2dda15718cd

.data 0xc000 0x36c0 0x1000 2.76 336d63525f6b797033a5ec8ea7a36812

WOWCLin 0x10000 0x6 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110

.rsrc 0x11000 0xdd8 0x1000 3.92 17067222c34268e8e6fd78fea04846ac

.reloc 0x12000 0x6e2 0x1000 3.18 5f82f09c97dec101067a758f75f300bd
 

( 11 imports )

> KERNEL32.dll: InterlockedIncrement, EnterCriticalSection, InterlockedDecrement, lstrlenW, GetShortPathNameW, GetModuleHandleW, GetModuleFileNameW, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, LeaveCriticalSection, LoadLibraryExW, lstrcmpiW, lstrcpynW, HeapDestroy, lstrcpyW, lstrcatW, DeleteFileA, WinExec, GetBinaryTypeA, GetTickCount, GetTempPathA, DeleteCriticalSection, InitializeCriticalSection, GetLocalTime, DisableThreadLibraryCalls, GetCurrentThreadId, lstrlenA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, FreeLibrary, GetModuleHandleA, GetModuleFileNameA, CreateThread, Sleep, GetCurrentProcess, GetLastError, CloseHandle

> USER32.dll: UnhookWindowsHookEx, SetWindowsHookExW, CallNextHookEx, CharNextW, GetMessageW, PostThreadMessageW, SetForegroundWindow, FindWindowA, FindWindowExA, FindWindowExW, GetClassNameA, SendMessageA, PostMessageW, CharLowerA

> ADVAPI32.dll: LookupPrivilegeValueW, OpenProcessToken, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegQueryValueExW, RegOpenKeyExA, RegDeleteKeyW, RegCreateKeyExW, RegDeleteValueW, RegOpenKeyExW, RegEnumKeyExW, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, AdjustTokenPrivileges

> SHELL32.dll: ShellExecuteA

> ole32.dll: CoTaskMemFree, CoTaskMemAlloc, CoTaskMemRealloc, CoCreateInstance, CoInitialize

> OLEAUT32.dll: -, -, -, -, -, -, -, -, -

> OLEACC.dll: GetStateTextA, GetRoleTextA, WindowFromAccessibleObject, AccessibleObjectFromWindow

> MSVCRT.dll: strchr, strncmp, fclose, fwrite, rename, _access, wcslen, wcscmp, _initterm, _adjust_fdiv, _stricmp, memcmp, realloc, malloc, calloc, free, __2@YAPAXI@Z, __3@YAXPAX@Z, _purecall, atoi, strcat, swprintf, getchar, wprintf, strcmp, _splitpath, fopen, fgets, strstr, memcpy, strcpy, sprintf, strlen, memset

> WS2_32.dll: -, -, -, -, -, -, -, -, -

> NETAPI32.dll: Netbios

> WININET.dll: InternetOpenA, InternetReadFile, InternetOpenUrlA, InternetCloseHandle
 

( 6 exports )

DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, GetVer, Install

Code:

vffilter.sys
 

Laden ...  Wartend  Warten  Überprüfung  Beendet  Nicht gefunden  Gestoppt

Ergebnis: 0/36 (0%)
 
 Antivirus  Version  letzte aktualisierung  Ergebnis
AhnLab-V3 2008.10.30.1 2008.10.31 -
AntiVir 7.9.0.10 2008.10.30 -
Authentium 5.1.0.4 2008.10.31 -
Avast 4.8.1248.0 2008.10.30 -
AVG 8.0.0.161 2008.10.30 -
BitDefender 7.2 2008.10.31 -
CAT-QuickHeal 9.50 2008.10.31 -
ClamAV 0.93.1 2008.10.31 -
DrWeb 4.44.0.09170 2008.10.31 -
eSafe 7.0.17.0 2008.10.30 -
eTrust-Vet 31.6.6184 2008.10.31 -
Ewido 4.0 2008.10.30 -
F-Prot 4.4.4.56 2008.10.30 -
F-Secure 8.0.14332.0 2008.10.31 -
Fortinet 3.117.0.0 2008.10.31 -
GData 19 2008.10.31 -
Ikarus T3.1.1.44.0 2008.10.31 -
K7AntiVirus 7.10.512 2008.10.30 -
Kaspersky 7.0.0.125 2008.10.31 -
McAfee 5419 2008.10.31 -
Microsoft 1.4005 2008.10.31 -
NOD32 3571 2008.10.30 -
Norman 5.80.02 2008.10.30 -
Panda 9.0.0.4 2008.10.30 -
PCTools 4.4.2.0 2008.10.30 -
Prevx1 V2 2008.10.31 -
Rising 21.01.41.00 2008.10.31 -
SecureWeb-Gateway 6.7.6 2008.10.31 -
Sophos 4.35.0 2008.10.31 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.10.31 -
TheHacker 6.3.1.1.135 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 -
VBA32 3.12.8.9 2008.10.30 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 4.5.11.0 2008.10.30 -


weitere Informationen

File size: 15496 bytes

MD5...: a133d96958e9d155cd638a3cb4eddfea

SHA1..: 26ef08e66e5e501e402ac83ad790bd6fa72c247a

SHA256: 5bb52fc1d2c7381e6e7f84e32673ac11648ec6492a93e8f9e5a458a9c71d4506

SHA512: 3490f0d32a2e70bdc058e238a4371da8574922bde92648ccd6e73d709eb737cb

01341fab0d2894a71f8ae4bbab722e25b63764a31ee30e1c612733d93a359fae

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (58.4%)

Clipper DOS Executable (13.8%)

Generic Win/DOS Executable (13.7%)

DOS Executable Generic (13.7%)

VXD Driver (0.2%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x1244a

timedatestamp.....: 0x4701e8ad (Tue Oct 02 06:43:57 2007)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x480 0xac4 0xb00 5.74 cf9b15e3e50518402c00b2f216ee3d4b

.rdata 0xf80 0x1e6 0x200 3.79 f8f84ea85f8aa0e09fe90c61112ada03

.data 0x1180 0x1048 0x1080 0.02 ffff936550ccfeca0905c4cb85800370

INIT 0x2200 0x63c 0x680 5.55 b140668c9249eca8b19f97c7ac6dde6c

.reloc 0x2880 0x102 0x180 4.29 c239a6303cea4b6eeabedc8ebde6e5a1
 

( 3 imports )

> ntoskrnl.exe: KeBugCheckEx, KeTickCount, KeInitializeSpinLock, IoGetCurrentProcess, IoThreadToProcess, ExFreePoolWithTag, ExAllocatePoolWithTag, DbgPrint, RtlInitUnicodeString

> HAL.dll: KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock

> FLTMGR.SYS: FltStartFiltering, FltCloseClientPort, FltGetStreamHandleContext, FltIsDirectory, FltCancelFileOpen, FltAllocateContext, FltSetStreamHandleContext, FltReleaseContext, FltGetFileNameInformation, FltParseFileNameInformation, FltSendMessage, FltReleaseFileNameInformation, FltRegisterFilter, FltUnregisterFilter, FltCloseCommunicationPort, FltFreeSecurityDescriptor, FltCreateCommunicationPort, FltBuildDefaultSecurityDescriptor
 

( 0 exports )

und

C:\WINDOWS\System32\Drivers\awusgh18.SYS
sowie
spyu.sys
konnten nicht gefunden werden ...
spyu.sys hab ich wie beschrieben gesucht ...aber nichts

Zitat:

C:\WINDOWS\System32\Drivers\awusgh18.SYS

Die Datei muss da sein. Wenn du sie nicht findest bedeutet das nichts gutes..

GMER - Rootkit Detection

Lade Gmer von hier
entpacke es auf den Dektop
Dopperlklicke die gmer.exe
Der Reiter Rootkit oben ist schon angewählt

http://saved.im/mzaxndu2m2ni_vs/gmerzj1oo1.jpg

Drücke Scan, Der Vorgang kann je nach System 3 - 10min dauern
nach Beendigung des Scan, drücke "Copy"
nun kannst Du das Ergebnis hier posten
Sollte Gmer sagen "Gmer hasen´t found any System Modifikation", so hat Gmer keine Einträge gefunden.

Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:

Doppelklick auf das Avenger-Symbol http://saved.im/mzi3ntr4adf5/trert.jpg

Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code:

Files to delete:

C:\WINDOWS\system32\SystemHper.dll

C:\WINDOWS\System32\Drivers\awusgh18.SYS

http://saved.im/mzi3ndg3nta0/aven.jpg

Schliesse nun alle Programme und Browser-Fenster

Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet

Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Code:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-10-31 10:36:47

Windows 5.1.2600 Service Pack 2
 
 

---- System - GMER 1.0.14 ----
 

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwClose [0xF7254028]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwCreateKey [0xF7253FE0]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwCreatePagingFile [0xF7247B00]

SSDT            F7B562AC                                                                                                         ZwCreateThread

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwEnumerateKey [0xF72485DC]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwEnumerateValueKey [0xF7254120]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwOpenFile [0xF7247B40]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwOpenKey [0xF7253FA4]

SSDT            F7B56298                                                                                                         ZwOpenProcess

SSDT            F7B5629D                                                                                                         ZwOpenThread

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwQueryKey [0xF72485FC]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwQueryValueKey [0xF7254076]

SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                     ZwSetSystemPowerState [0xF7253550]

SSDT            spzv.sys                                                                                                         ZwSetValueKey [0xF72A619A]

SSDT            F7B562A7                                                                                                         ZwTerminateProcess

SSDT            F7B562A2                                                                                                         ZwWriteVirtualMemory
 

INT 0x63        ?                                                                                                                89E77BF8

INT 0x63        ?                                                                                                                897C7F00

INT 0x63        ?                                                                                                                897C7F00

INT 0x63        ?                                                                                                                89E77BF8

INT 0x73        ?                                                                                                                89E74BF8

INT 0x73        ?                                                                                                                89E74BF8

INT 0x73        ?                                                                                                                89E74BF8

INT 0x82        ?                                                                                                                89E74BF8

INT 0x84        ?                                                                                                                897C7F00

INT 0xB4        ?                                                                                                                897C7F00

INT 0xB4        ?                                                                                                                897C7F00
 

---- Kernel code sections - GMER 1.0.14 ----
 

?               spzv.sys                                                                                                         Das System kann die angegebene Datei nicht finden. !

.text           USBPORT.SYS!DllUnload                                                                                            F668562C 5 Bytes  JMP 897C74E0 

.text           aenvxh8g.SYS                                                                                                     F6556384 1 Byte  [ 20 ]

.text           aenvxh8g.SYS                                                                                                     F6556386 35 Bytes  [ 00, 68, 00, 00, 00, 00, 00, ... ]

.text           aenvxh8g.SYS                                                                                                     F65563AA 24 Bytes  [ 00, 00, 20, 00, 00, E0, 00, ... ]

.text           aenvxh8g.SYS                                                                                                     F65563C4 3 Bytes  [ 00, 00, 00 ]

.text           aenvxh8g.SYS                                                                                                     F65563C9 1 Byte  [ 00 ]

.text           ...                                                                                                              

?               C:\WINDOWS\System32\Drivers\aenvxh8g.SYS                                                                         Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
 

---- Kernel IAT/EAT - GMER 1.0.14 ----
 

IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                               [F7298048] spzv.sys
 

---- Devices - GMER 1.0.14 ----
 

Device          \FileSystem\Ntfs \Ntfs                                                                                           89E721F8
 

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                         nltdi.sys (NetLimiter Driver/Locktime Software)
 

Device          \Driver\NetBT \Device\NetBT_Tcpip_{A468793C-07AC-4397-A8BE-65D5DEB85F42}                                         8992B500

Device          \Driver\usbohci \Device\USBPDO-0                                                                                 8984A500

Device          \Driver\PCI_PNP4736 \Device\00000051                                                                             spzv.sys

Device          \Driver\NetBT \Device\NetBT_Tcpip_{450A4E0E-EDAE-494E-A4CF-627528DC0720}                                         8992B500

Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                        89E051F8

Device          \Driver\dmio \Device\DmControl\DmConfig                                                                          89E051F8

Device          \Driver\dmio \Device\DmControl\DmPnP                                                                             89E051F8

Device          \Driver\dmio \Device\DmControl\DmInfo                                                                            89E051F8

Device          \Driver\usbohci \Device\USBPDO-1                                                                                 8984A500

Device          \Driver\usbohci \Device\USBPDO-2                                                                                 8984A500

Device          \Driver\usbohci \Device\USBPDO-3                                                                                 8984A500

Device          \Driver\usbohci \Device\USBPDO-4                                                                                 8984A500
 

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                        nltdi.sys (NetLimiter Driver/Locktime Software)
 

Device          \Driver\usbehci \Device\USBPDO-5                                                                                 89865500

Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                           89E751F8

Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                           89E751F8

Device          \Driver\Cdrom \Device\CdRom0                                                                                     8997A008

Device          \FileSystem\Rdbss \Device\FsWrap                                                                                 89C4FDD8

Device          \Driver\Cdrom \Device\CdRom1                                                                                     8997A008

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                                      89985210

Device          \Driver\atapi \Device\Ide\IdePort0                                                                               89985210

Device          \Driver\atapi \Device\Ide\IdePort1                                                                               89985210

Device          \Driver\atapi \Device\Ide\IdePort2                                                                               89985210

Device          \Driver\atapi \Device\Ide\IdePort3                                                                               89985210

Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                                                                      89985210

Device          \Driver\sptd \Device\1364237236                                                                                  spzv.sys

Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                          8992B500

Device          \Driver\NetBT \Device\NetbiosSmb                                                                                 8992B500

Device          \FileSystem\Srv \Device\LanmanServer                                                                             89920798
 

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                        nltdi.sys (NetLimiter Driver/Locktime Software)

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                      nltdi.sys (NetLimiter Driver/Locktime Software)
 

Device          \Driver\usbohci \Device\USBFDO-0                                                                                 8984A500

Device          \Driver\usbohci \Device\USBFDO-1                                                                                 8984A500

Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                89941500

Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                89C46B38

Device          \Driver\usbohci \Device\USBFDO-2                                                                                 8984A500

Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                      89941500

Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                      89C46B38

Device          \Driver\usbohci \Device\USBFDO-3                                                                                 8984A500

Device          \FileSystem\Npfs \Device\NamedPipe                                                                               89C4FCC8

Device          \Driver\usbohci \Device\USBFDO-4                                                                                 8984A500

Device          \Driver\Ftdisk \Device\FtControl                                                                                 89E751F8

Device          \FileSystem\Msfs \Device\Mailslot                                                                                89ABEE00

Device          \Driver\usbehci \Device\USBFDO-5                                                                                 89865500

Device          \Driver\aenvxh8g \Device\Scsi\aenvxh8g1Port5Path0Target0Lun0                                                     89BF91C8

Device          \Driver\a347scsi \Device\Scsi\a347scsi1                                                                          89E041F8

Device          \Driver\JRAID \Device\Scsi\JRAID1                                                                                89E731F8

Device          \Driver\aenvxh8g \Device\Scsi\aenvxh8g1                                                                          89BF91C8

Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                                                               89C26700

Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                                                                89C26700

Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                                                    89C26700

Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                                                 89C26700

Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                                                                89C26700

Device          \FileSystem\Cdfs \Cdfs                                                                                           897C0500

Device          \FileSystem\Cdfs \Cdfs                                                                                           89A04170
 

---- Modules - GMER 1.0.14 ----
 

Module          _________                                                                                                        F71A9000-F71C1000 (98304 bytes)
 

---- Registry - GMER 1.0.14 ----
 

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                               771343423

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                               285507792

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                               1

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                 

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                              D:\Programme\DAEMON Tools Lite\

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                              0

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                           0xF7 0x57 0x7A 0xE9 ...

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                        

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                     0x20 0x01 0x00 0x00 ...

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                  0xE7 0xB2 0x77 0xDA ...

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                  

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh            0x7F 0x95 0x00 0x3E ...

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                     

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                  D:\Programme\DAEMON Tools Lite\

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                               0xF7 0x57 0x7A 0xE9 ...

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                            

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                         0x20 0x01 0x00 0x00 ...

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0xE7 0xB2 0x77 0xDA ...

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                      

Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0x7F 0x95 0x00 0x3E ...

Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName      Alcohol 120%

Reg             HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName                            Alcohol 120%

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CDC8EC6A-9B94-8C90-B578-50CC96908A5B}  
 

---- EOF - GMER 1.0.14 ----

Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com
 

Platform:  Windows XP
 

*******************
 

Script file opened successfully.

Script file read successfully.
 

Backups directory opened successfully at C:\Avenger
 

*******************
 

Beginning to process script file:
 

Rootkit scan active.

No rootkits found!
 

File "C:\WINDOWS\system32\SystemHper.dll" deleted successfully.
 

Error:  file "C:\WINDOWS\System32\Drivers\awusgh18.SYS" not found!

Deletion of file "C:\WINDOWS\System32\Drivers\awusgh18.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist
 
 

Completed script processing.
 

*******************
 

Finished!  Terminate.

rest folgt

hat nicht mehr oben gepasst ;)

Code:

ComboFix 08-10-30.12 - Administrator 2008-10-31 10:47:25.1 - NTFSx86

ausgeführt von:: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe

.
 

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Dokumente und Einstellungen\Administrator\Favoriten\Games.url

C:\Dokumente und Einstellungen\Administrator\Favoriten\Videos.url

C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Videos.url

C:\WINDOWS\system32\sysdm.exe
 

.

(((((((((((((((((((((((   Dateien erstellt von 2008-09-28 bis 2008-10-31  ))))))))))))))))))))))))))))))

.
 

2008-10-31 10:29 . 2008-10-31 10:29        250        --a------        C:\WINDOWS\gmer.ini

2008-10-30 23:01 . 2008-10-30 23:01        11,264        --a------        C:\WINDOWS\system32\drivers\uzmymjk3.sys

2008-10-30 20:38 . 2008-10-30 20:38        <DIR>        d--------        C:\Programme\Malwarebytes' Anti-Malware

2008-10-30 20:38 . 2008-10-30 20:38        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes

2008-10-30 20:38 . 2008-10-30 20:38        <DIR>        d--------        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Malwarebytes

2008-10-30 20:38 . 2008-10-22 16:10        38,496        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-30 20:38 . 2008-10-22 16:10        15,504        --a------        C:\WINDOWS\system32\drivers\mbam.sys

2008-10-30 20:19 . 2008-10-30 20:19        13,123        --a------        C:\rsit.rar

2008-10-30 20:12 . 2008-10-30 20:22        <DIR>        d--------        C:\rsit

2008-10-30 19:35 . 2008-10-30 19:35        <DIR>        d--------        C:\Programme\CCleaner

2008-10-30 16:54 . 2008-10-30 16:54        <DIR>        d--------        C:\Programme\Fighters

2008-10-30 16:54 . 2008-10-30 16:54        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Fighters

2008-10-29 15:16 . 2008-10-29 15:16        65,536        --a------        C:\WINDOWS\system32\SystemHper.dll.142234

2008-10-28 21:16 . 2008-10-28 21:16        <DIR>        d--------        C:\Programme\Tortun

2008-10-27 21:29 . 2008-10-30 19:44        <DIR>        d--------        C:\Programme\Spyware Doctor

2008-10-27 21:29 . 2008-10-30 20:22        <DIR>        d-a------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP

2008-10-27 21:29 . 2008-10-27 21:29        <DIR>        d--------        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\PC Tools

2008-10-27 21:29 . 2008-08-25 12:36        81,288        --a------        C:\WINDOWS\system32\drivers\iksyssec.sys

2008-10-27 21:29 . 2008-08-25 12:36        66,952        --a------        C:\WINDOWS\system32\drivers\iksysflt.sys

2008-10-27 21:29 . 2008-08-25 12:36        40,840        --a------        C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-10-27 21:29 . 2008-06-02 16:19        29,576        --a------        C:\WINDOWS\system32\drivers\kcom.sys

2008-10-27 21:16 . 2008-10-27 21:16        <DIR>        d--------        C:\!KillBox

2008-10-27 21:10 . 2008-10-27 21:10        <DIR>        d--------        C:\Programme\Trend Micro

2008-10-25 17:04 . 2008-10-25 17:04        21        --a------        C:\WINDOWS\download1

2008-10-10 23:22 . 2008-10-10 23:23        <DIR>        d--------        C:\Programme\MediaCoder

2008-09-29 20:38 . 2008-09-29 20:38        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Blizzard

2008-09-26 16:33 . 2008-09-26 16:33        15,496        --a------        C:\WINDOWS\system32\drivers\vffilter.sys

2008-09-24 16:36 . 2006-09-12 11:46        227,328        -r-hs----        C:\WINDOWS\system32\ac3DX.ax

2008-09-24 16:36 . 2008-03-16 13:30        216,064        -r-hs----        C:\WINDOWS\system32\nbDX.dll

2008-09-24 16:36 . 2006-01-12 23:23        123,904        -r-hs----        C:\WINDOWS\system32\AVCDX.ax

2008-09-24 16:36 . 2003-11-20 23:00        54,784        -r-hs----        C:\WINDOWS\system32\RLAPEDec.ax

2008-09-24 16:36 . 2004-04-26 23:00        37,888        -r-hs----        C:\WINDOWS\system32\RLMPCDec.ax

2008-09-24 16:36 . 2007-02-21 11:47        31,232        -r-hs----        C:\WINDOWS\system32\msfDX.dll

2008-09-08 17:11 . 2008-10-27 20:39        <DIR>        d--------        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\OpenOffice.org2

2008-09-08 17:09 . 2008-09-08 17:09        <DIR>        d--------        C:\Programme\OpenOffice.org 2.4

2008-09-02 13:20 . 2008-09-02 13:20        1,067,520        --a------        C:\Dokumente und Einstellungen\Administrator\Profiler_update.exe
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-30 16:02        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\teamspeak2

2008-10-27 13:49        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Canon

2008-10-26 11:39        2,672        --sha-w        C:\WINDOWS\system32\KGyGaAvL.sys

2008-10-19 13:01        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Hamachi

2008-09-29 19:57        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Blizzard Entertainment

2008-09-20 14:08        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\AdobeUM

2006-05-03 09:06        163,328        --sha-r        C:\WINDOWS\system32\flvDX.dll

2007-02-21 10:47        31,232        --sh--r        C:\WINDOWS\system32\msfDX.dll

2008-03-16 12:30        216,064        --sh--r        C:\WINDOWS\system32\nbDX.dll

.
 

------- Sigcheck -------
 

2004-08-21 05:14  359040  09eb23a4567bdd56d9580a059e616e23        C:\WINDOWS\system32\drivers\tcpip.sys
 

2004-08-03 23:57  4921344  e8535cd4313dbaf191ba7945665126c3        C:\WINDOWS\explorer.exe

2004-08-03 23:57  1035264  22fe1be02eadde1632e478e4125639e0        C:\WINDOWS\VCP_SAVE\explorer.exe

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

REGEDIT4
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"spywarefighterguard"="C:\Programme\Fighters\spywarefighter\SpywarefighterUser.exe" [2008-09-26 180872]
 

C:\Dokumente und Einstellungen\Administrator\Startmen\Programme\Autostart\

Stardock ObjectDock.lnk - C:\Programme\Stardock\ObjectDock\ObjectDock.exe [2008-01-18 3450608]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll
 

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Administrator^Startmenü^Programme^Autostart^hamachi.lnk]

path=C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\hamachi.lnk

backup=C:\WINDOWS\pss\hamachi.lnkStartup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]

--a------ 2008-09-01 16:08 173304 D:\Programme\ICQ6\ICQ.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-03-28 14:21 1271032 D:\Games\Steam\Steam.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"mysql"=2 (0x2)

"NSCService"=3 (0x3)

"navapsvc"=2 (0x2)

"WebClient"=2 (0x2)

"mi-raysat_3dsmax9_32"=2 (0x2)
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programme\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=

"C:\\Programme\\iTunes\\iTunes.exe"=

"C:\\Programme\\Joost\\xulrunner\\tvprunner.exe"=

"D:\\Programme\\ICQ6\\ICQ.exe"=

"C:\\Programme\\uTorrent\\uTorrent.exe"=

"D:\\Programme\\Autodesk\\3ds Max 9\\3dsmax.exe"=

"D:\\Programme\\Autodesk\\Backburner\\monitor.exe"=

"D:\\Programme\\Autodesk\\Backburner\\manager.exe"=

"D:\\Programme\\Autodesk\\Backburner\\server.exe"=
 

R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 82200]

R1 uzmymjk3;AVZ-RK Kernel Driver;C:\WINDOWS\system32\Drivers\uzmymjk3.sys [2008-10-30 11264]

R2 PTK License-FIGHTERS-18668899;PTK License-FIGHTERS-18668899;C:\Programme\Fighters\licenseservice.exe [2008-09-26 283272]

R2 PTK Live Update-FIGHTERS-18668899;PTK Live Update-FIGHTERS-18668899;C:\Programme\Fighters\updateservice.exe [2008-09-26 307848]

R2 PTK SharedAccess-FIGHTERS-18668899;PTK SharedAccess-FIGHTERS-18668899;C:\Programme\Fighters\configservice.exe [2008-09-26 139912]

R3 Vfscan;Vfscan;C:\WINDOWS\system32\DRIVERS\vffilter.sys [2008-09-26 15496]

S2 download02;Remote Access;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]

S2 PTK Scanner-FIGHTERS-18668899;PTK Scanner-FIGHTERS-18668899;C:\Programme\Fighters\ScannerService.exe [2008-09-26 311944]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;D:\Programme\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]

S3 s217bus;Sony Ericsson Device 217 driver (WDM);C:\WINDOWS\system32\DRIVERS\s217bus.sys [2007-11-02 83496]

S3 s217mdfl;Sony Ericsson Device 217 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s217mdfl.sys [2007-11-02 15016]

S3 s217mdm;Sony Ericsson Device 217 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s217mdm.sys [2007-11-02 109992]

S3 s217mgmt;Sony Ericsson Device 217 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s217mgmt.sys [2007-11-02 103976]

S3 s217nd5;Sony Ericsson Device 217 USB Ethernet Emulation SEMC217 (NDIS);C:\WINDOWS\system32\DRIVERS\s217nd5.sys [2007-11-02 24872]

S3 s217obex;Sony Ericsson Device 217 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s217obex.sys [2007-11-02 100008]

S3 s217unic;Sony Ericsson Device 217 USB Ethernet Emulation SEMC217 (WDM);C:\WINDOWS\system32\DRIVERS\s217unic.sys [2007-11-02 105896]

S3 XDva059;XDva059;C:\WINDOWS\system32\XDva059.sys [ ]

S4 Apache2.2;Apache2.2;D:\xampp\apache\bin\apache.exe [2007-03-05 16896]
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

download02
 

*Newly Created Service* - PROCEXP90

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -
 

MSConfigStartUp-ccApp - c:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
 
 

.

------- Zusätzlicher Suchlauf -------

.

FireFox -: Profile - C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\okba55f8.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/firefox?client=firefox-a&rls=org.mozilla:de:official

FF -: plugin - C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\plugins\npoctoshape.dll

FF -: plugin - C:\Programme\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll

FF -: plugin - C:\Programme\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - C:\Programme\Dyyno\Dyyno Player\npvlc.dll

FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npDyyno.dll

FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npJoostPlugin.dll

FF -: plugin - C:\Programme\Octoshape Streaming Services\Administrator\octoprogram-L03-NMS0806260_SUA_000\npoctoshape.dll

FF -: plugin - C:\Programme\Octoshape Streaming Services\Administrator\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll

FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin2.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin3.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin4.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin5.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin6.dll

FF -: plugin - D:\Programme\QuickTime\Plugins\npqtplugin7.dll

.
 

**************************************************************************
 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-31 10:48:21

Windows 5.1.2600 Service Pack 2 NTFS
 

Scanne versteckte Prozesse...
 

Scanne versteckte Autostarteinträge...
 

Scanne versteckte Dateien...
 

Scan erfolgreich abgeschlossen

versteckte Dateien: 0
 

**************************************************************************

.

Zeit der Fertigstellung: 2008-10-31 10:49:10

ComboFix-quarantined-files.txt  2008-10-31 09:49:05
 

Vor Suchlauf: 19 Verzeichnis(se), 21.983.014.912 Bytes frei

Nach Suchlauf: 19 Verzeichnis(se), 24,491,184,128 Bytes frei
 

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
 

176