Trojaner-Board (https://www.trojaner-board.de/)
Pests of all kinds and how to fight them (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
RKIT/Agent.483456 in C:\WINDOWS\system32 (https://www.trojaner-board.de/71818-rkit-agent-483456-c-windows-system32.html)

mika1 07.04.2009 17:22

RKIT/Agent.483456 in C:\WINDOWS\system32
 
Hi, I hope my PC isn't about to crash again...
I bought new RAM today and at first thought that was the cause,
but it isn't.
Antivir has just found 2 pieces of malware:

RKIT/Agent.483856 in C:\WINDOWS\system32\drivers\kbdqrk.sys

and

TR/TDss.vix in C:\System Volume Information\_restore{9B0900B7-6293-436E-84D8-32C4B09BFC4F}\RP29\A0008786.sys

Since then I keep crashing, can hardly get online,
and Antivir and ZoneAlarm keep switching themselves off (!)
on their own... Never seen anything like it...


Can anyone help me, please?

john.doe 07.04.2009 17:27

Hello and welcome

GMER - Rootkit Detection
  • Download Trallala from file-upload.net
  • Click Download (on the right, in the middle) and save it to the desktop
  • Double-click Trallala.exe
  • The Rootkit tab at the top is already selected
http://saved.im/mzaxndu2m2ni_vs/gmerzj1oo1.jpg
  • Press Scan; depending on the system the process can take 3 - 10 min
  • When the scan has finished, press "Copy"
  • Now you can paste the result here. If the log is too long, upload it to a file hoster such as Materialordner and post the link.
  • If GMER says "GMER hasn't found any system modification", then GMER found no entries.

ciao, andreas

RushHour777 07.04.2009 17:36

Hello and welcome to Trojaner-Board

please work through this first http://www.trojaner-board.de/69886-a...-beachten.html
and post the results here

regards RushHour777

mika1 07.04.2009 20:02

hi, thanks for the quick reply.
the PC is running a bit more stably now, AV/ZoneAlarm too.
Should I follow the first or the second set of instructions now?

I'll just do both

mika1 07.04.2009 20:09

here are the trallala results
the rest will unfortunately take a little longer

http://www.materialordner.de/4qqRJxB6AmagQg3cSDvS7vRbsG9jW0KP.html

john.doe 07.04.2009 20:12

The GMER (Trallala) log is incomplete. Please upload it again.

ciao, andreas

mika1 07.04.2009 20:47

there you go

http://www.materialordner.de/LrudFr04VKdT0OtJFmVEOKk0Zd3D6adH.html

thanks :)

john.doe 07.04.2009 21:21

1.) Uninstall ZoneAlarm.

2.) Avenger instructions (by swandog46)

Download the tool Hopsassa and save it to the desktop:
  • Now copy the following text into the white box at -> "input script here"
Code:

Drivers to delete:
ovfsthlwmitafwkpamrxlyapulnbefrprqxeow

Registry keys to delete:
HKLM\SYSTEM\ControlSet002\Services\ovfsthlwmitafwkpamrxlyapulnbefrprqxeow

Folders to delete:
C:\Program Files\Mozilla Firefox\extensions\{FA555011-84A3-4CBE-ADE6-6D30F05A4A89}

Files to delete:
C:\Program Files\Mozilla Firefox\extensions\{FA555011-84A3-4CBE-ADE6-6D30F05A4A89}
C:\WINDOWS\system32\drivers\ovfsthtrsmpnabpxdqyrblibvqpeqbjuyxmfjw.sys
C:\WINDOWS\system32\ovfsthbilofkicmothqowqbfuvkpgxxekeufxb.dll
C:\WINDOWS\system32\ovfsthxeajcbfmsgvjriflxfnvipurmpxvhjyd.dat
C:\WINDOWS\system32\ovfsthtsvyriedwvrxuofublfvsiwwmymnuojm.dll
C:\WINDOWS\system32\ovfsthuoccvsollqyrdgebqinnkcssmxlivqwi.dll
C:\WINDOWS\system32\ovfsthiexhwcbplxwgbwfykogxkfdgwoyprlav.dat

http://saved.im/mzi3ndg3nta0/aven.jpg
  • Now close all programs and browser windows
  • To start the Avenger, click on -> Execute
  • Then confirm with "Yes" that the computer will restart
  • After the system has restarted, you will find a report from the Avenger at -> C:\avenger.txt
  • Open the file with Notepad and copy the entire text into your post here on Trojaner-Board.

3.) Post a new GMER log.

ciao, andreas
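
The Avenger script above targets a family of artefacts that all share the prefix ovfsth followed by a long run of random lowercase letters. As an added example (not code from the thread, the helper, or any tool mentioned here), the following Python reproduces that triage over a system32 listing and a service list; the thresholds, the function names and the sample listing are assumptions of this example, with the sample names taken from the script above and from the ComboFix log later in the thread.

```python
"""Triage a system32 listing for TDSS-style families of randomly named files.

The reasoning mirrors the thread: the rootkit's driver service, its registry
key and several files in system32 share one six-letter prefix ("ovfsth")
followed by random lowercase letters. Every value marked "assumption" is a
choice of this example, not a fact from the thread.
"""
import re
from collections import defaultdict

PREFIX_LEN = 6          # assumption: family members share this many leading letters
MIN_LEN = 20            # assumption: generated names are far longer than vendor names
MIN_CONSONANT_RUN = 5   # assumption: pronounceable names rarely chain 5+ consonants

_CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{%d,}" % MIN_CONSONANT_RUN)


def looks_random(stem):
    """True when a file stem or service name has the shape of a generated
    name: ASCII lowercase letters only, long, with an unpronounceable run."""
    return (stem.isascii() and stem.isalpha() and stem.islower()
            and len(stem) >= MIN_LEN
            and _CONSONANT_RUN.search(stem) is not None)


def file_stem(path):
    """'C:\\WINDOWS\\system32\\drivers\\foo.sys' -> 'foo' (case preserved)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def triage(system32_files, service_names):
    """Group random-looking files and services by shared prefix.

    Returns {prefix: {"files": [...], "services": [...]}} only for prefixes
    with at least two members: a family, not a single odd name.
    """
    families = defaultdict(lambda: {"files": [], "services": []})
    for path in system32_files:
        stem = file_stem(path)
        if looks_random(stem):
            families[stem[:PREFIX_LEN]]["files"].append(path)
    for svc in service_names:
        if looks_random(svc):
            families[svc[:PREFIX_LEN]]["services"].append(svc)
    return {p: f for p, f in families.items()
            if len(f["files"]) + len(f["services"]) >= 2}


def report(families):
    """Render the triage result as text lines, one family per block."""
    lines = []
    for prefix, fam in sorted(families.items()):
        lines.append("prefix %r: %d file(s), %d service(s)"
                     % (prefix, len(fam["files"]), len(fam["services"])))
        lines += ["  file    " + p for p in fam["files"]]
        lines += ["  service " + s for s in fam["services"]]
    return lines


# Constructed sample input: the rootkit names from the Avenger script plus a
# few legitimate entries that appear in the ComboFix log later in the thread.
SAMPLE_SYSTEM32 = [
    r"C:\WINDOWS\system32\drivers\ovfsthtrsmpnabpxdqyrblibvqpeqbjuyxmfjw.sys",
    r"C:\WINDOWS\system32\ovfsthbilofkicmothqowqbfuvkpgxxekeufxb.dll",
    r"C:\WINDOWS\system32\ovfsthxeajcbfmsgvjriflxfnvipurmpxvhjyd.dat",
    r"C:\WINDOWS\system32\ovfsthtsvyriedwvrxuofublfvsiwwmymnuojm.dll",
    r"C:\WINDOWS\system32\ovfsthuoccvsollqyrdgebqinnkcssmxlivqwi.dll",
    r"C:\WINDOWS\system32\ovfsthiexhwcbplxwgbwfykogxkfdgwoyprlav.dat",
    r"C:\WINDOWS\system32\drivers\avgntflt.sys",       # too short to qualify
    r"C:\WINDOWS\system32\drivers\mbamswissarmy.sys",  # short and pronounceable
    r"C:\WINDOWS\system32\divx_xx0c.dll",              # underscore and digit
    r"C:\WINDOWS\system32\deploytk.dll",
]
SAMPLE_SERVICES = [
    "ovfsthlwmitafwkpamrxlyapulnbefrprqxeow",  # the driver from the Avenger script
    "AntiVirSchedulerService",
    "FirebirdServerMAGIXInstance",             # long, but mixed case and pronounceable
    "MBAMSwissArmy",
]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_SYSTEM32, SAMPLE_SERVICES)):
        print(line)
```

Against the sample input only the ovfsth family is reported (six files and one service); a lone random-looking name is deliberately not flagged, since the thread's indicator was the shared prefix across driver, service key and files.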

mika1 07.04.2009 21:22

running ccleaner.
starting malwarebytes.
malwarebytes hangs during the scan -
program not responding.
doesn't change even after waiting 30 minutes.

john.doe 07.04.2009 21:26

Forget the other programs, Avenger now. The rootkit has to go; it's blocking all the other programs.

ciao, andreas

mika1 07.04.2009 22:09

here's the avenger file: http://www.materialordner.de/PrJaFhLb5DzziKB424kLV3Uy7IzDfTBV.html

gmer is still running.

thanks!

john.doe 07.04.2009 22:23

Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "ovfsthlwmitafwkpamrxlyapulnbefrprqxeow" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet002\Services\ovfsthlwmitafwkpamrxlyapulnbefrprqxeow" deleted successfully.
Folder "C:\Program Files\Mozilla Firefox\extensions\{FA555011-84A3-4CBE-ADE6-6D30F05A4A89}" deleted successfully.

Error:  file "C:\Program Files\Mozilla Firefox\extensions\{FA555011-84A3-4CBE-ADE6-6D30F05A4A89}" not found!
Deletion of file "C:\Program Files\Mozilla Firefox\extensions\{FA555011-84A3-4CBE-ADE6-6D30F05A4A89}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\ovfsthtrsmpnabpxdqyrblibvqpeqbjuyxmfjw.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ovfsthtrsmpnabpxdqyrblibvqpeqbjuyxmfjw.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\ovfsthbilofkicmothqowqbfuvkpgxxekeufxb.dll" deleted successfully.
File "C:\WINDOWS\system32\ovfsthxeajcbfmsgvjriflxfnvipurmpxvhjyd.dat" deleted successfully.
File "C:\WINDOWS\system32\ovfsthtsvyriedwvrxuofublfvsiwwmymnuojm.dll" deleted successfully.
File "C:\WINDOWS\system32\ovfsthuoccvsollqyrdgebqinnkcssmxlivqwi.dll" deleted successfully.
File "C:\WINDOWS\system32\ovfsthiexhwcbplxwgbwfykogxkfdgwoyprlav.dat" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


mika1 07.04.2009 22:33

ok sorry, I was too dumb to post here in the right form -
won't happen again.

here's the gmer file!

http://www.materialordner.de/plZgvfYfsIipvfRHmJtvTzeALoO6fdj.html

john.doe 07.04.2009 22:40

Quote:

ok sorry, I was too dumb to post here in the right form
No problem; on Materialordner they disappear after a while. Since this is something new here, it may interest a few people.
Quote:

here's the gmer file!
Killed.

ComboFix

A guide and tutorial on using ComboFix
  • Download the tool from here to the desktop -> CLICK
But do not start the program yet; first do the following:
  • Close all applications and programs, above all your antivirus software and other background guards, as well as your internet browser.
    Also explicitly avoid using the mouse and keyboard while ComboFix is running.
  • Now start combofix.exe from your desktop, confirm the warnings and let it scan your system.
  • Afterwards a combofix.txt opens automatically; please copy its contents and paste them into your post. You will also find the log at C:\ComboFix.txt.
Important note:
ComboFix may only be run when a competent helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning the infection even harder.
Note: ComboFix disables the autorun function of all CD / DVD and USB drives in order to curb spreading. If this causes problems, post them in the thread.

ciao, andreas

mika1 07.04.2009 23:30

somehow I couldn't get antivir fully shut down; I can't
end it in task manager. hope I did everything right

Code:

ComboFix 09-04-04.01 - Snitch Snitchovic 2009-04-08  0:23:25.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.694 [GMT 2:00]
Running from: c:\documents and settings\Snitch Snitchovic\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((  Files Created from 2009-03-07 to 2009-04-07  )))))))))))))))))))))))))))))))
.

2009-04-07 21:49 . 2009-04-07 21:49        <DIR>        d--------        c:\program files\Malwarebytes' Anti-Malware
2009-04-07 21:49 . 2009-04-07 21:49        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\Malwarebytes
2009-04-07 21:49 . 2009-04-07 21:49        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-07 21:49 . 2009-04-06 15:32        38,496        --a------        c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 21:49 . 2009-04-06 15:32        15,504        --a------        c:\windows\system32\drivers\mbam.sys
2009-04-06 11:43 . 2009-04-06 11:43        <DIR>        d--------        c:\program files\Realtek AC97
2009-04-06 01:36 . 2009-04-07 15:44        <DIR>        d--------        c:\program files\SUPERAntiSpyware
2009-04-06 01:36 . 2009-04-06 01:36        <DIR>        d--------        c:\program files\Common Files\Wise Installation Wizard
2009-04-06 01:36 . 2009-04-06 01:36        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\SUPERAntiSpyware.com
2009-04-06 01:36 . 2009-04-06 01:36        <DIR>        d--------        c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-06 00:56 . 2009-04-06 00:56        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Soulseek
2009-04-06 00:55 . 2009-04-06 00:55        <DIR>        d--------        c:\program files\SoulseekNS
2009-04-02 01:23 . 2009-04-02 07:44        <DIR>        d--------        c:\program files\Google
2009-04-01 19:02 . 2009-04-01 19:02        <DIR>        d--------        c:\program files\JAM Software
2009-04-01 19:02 . 2009-04-01 19:02        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\JAM Software
2009-04-01 03:06 . 2009-04-01 03:06        <DIR>        d--------        c:\windows\system32\KB905474
2009-04-01 03:06 . 2009-03-10 22:26        1,403,264        --a------        c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-01 03:06 . 2009-03-10 22:18        453,512        --a------        c:\windows\system32\KB905474\wgasetup.exe
2009-04-01 03:06 . 2009-02-09 18:51        12,490        --a------        c:\windows\system32\KB905474\wga_eula.txt
2009-03-31 23:27 . 2008-08-14 12:11        2,189,184        ---------        c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-31 23:27 . 2008-08-14 12:09        2,145,280        ---------        c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-31 23:27 . 2008-08-14 11:33        2,066,048        ---------        c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-31 23:27 . 2008-08-14 11:33        2,023,936        ---------        c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-31 23:27 . 2008-06-13 13:05        272,128        ---------        c:\windows\system32\drivers\bthport.sys
2009-03-31 23:27 . 2008-06-13 13:05        272,128        ---------        c:\windows\system32\dllcache\bthport.sys
2009-03-31 23:25 . 2008-09-04 19:15        1,106,944        ---------        c:\windows\system32\dllcache\msxml3.dll
2009-03-31 23:25 . 2008-10-15 18:34        337,408        ---------        c:\windows\system32\dllcache\netapi32.dll
2009-03-31 23:25 . 2008-10-03 12:02        247,326        ---------        c:\windows\system32\dllcache\strmdll.dll
2009-03-31 17:20 . 2009-04-01 03:06        <DIR>        d--h-----        c:\windows\$hf_mig$
2009-03-30 19:57 . 2009-04-06 23:24        281        --a------        c:\windows\BeatBox.INI
2009-03-30 15:39 . 2009-04-06 23:24        28        --a------        c:\windows\Robota.INI
2009-03-30 15:38 . 2009-03-30 15:38        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\MAGIX
2009-03-30 15:38 . 2001-05-11 13:18        420,240        --a------        c:\windows\system32\mpg4c32.dll
2009-03-30 15:38 . 2001-05-16 17:54        309,616        --a------        c:\windows\system32\wmv8dmod.dll
2009-03-30 15:38 . 2001-03-26 04:41        245,760        --a------        c:\windows\system32\mp4sds32.ax
2009-03-30 15:36 . 2009-04-08 00:20        <DIR>        d--------        c:\documents and settings\All Users\Application Data\MAGIX
2009-03-30 15:32 . 2009-04-08 00:20        <DIR>        d--------        c:\program files\MAGIX
2009-03-30 15:32 . 2007-04-27 10:43        120,200        --a------        c:\windows\system32\DLLDEV32i.dll
2009-03-30 15:31 . 2009-04-08 00:20        <DIR>        d--------        c:\windows\system32\MAGIX
2009-03-30 15:31 . 2008-04-15 16:14        700,416        --a------        c:\windows\system32\mgxoschk.dll
2009-03-30 15:31 . 2009-03-30 15:41        5,937        --a------        c:\windows\mgxoschk.ini
2009-03-28 15:17 . 2009-03-28 15:17        <DIR>        d--------        c:\windows\Sun
2009-03-28 05:32 . 2009-03-28 05:32        <DIR>        d--------        c:\program files\Avira
2009-03-28 05:32 . 2009-03-28 05:32        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Avira
2009-03-28 05:32 . 2009-02-13 12:31        55,640        --a------        c:\windows\system32\drivers\avgntflt.sys
2009-03-28 05:30 . 2009-03-28 05:30        <DIR>        d--------        c:\program files\Safer Networking
2009-03-28 05:29 . 2009-03-28 05:33        <DIR>        d--------        c:\program files\Spybot - Search & Destroy
2009-03-28 05:29 . 2009-04-07 18:03        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-28 02:07 . 2009-03-28 02:07        <DIR>        d--------        c:\documents and settings\All Users\Application Data\MailFrontier
2009-03-28 02:07 . 2004-04-27 05:40        11,264        --a------        c:\windows\system32\SpOrder.dll
2009-03-28 02:07 . 2009-03-28 02:09        4,212        ---h-----        c:\windows\system32\zllictbl.dat
2009-03-28 02:05 . 2009-04-07 22:26        <DIR>        d--------        c:\windows\Internet Logs
2009-03-26 14:39 . 2009-04-02 13:21        <DIR>        d--------        c:\program files\SSS
2009-03-26 14:39 . 2005-04-14 02:00        322,560        --a------        c:\windows\SSSUn.EXE
2009-03-26 14:39 . 2009-03-26 14:39        1,191        -r-------        c:\windows\SimpleScreenshot_Uninstall.ins
2009-03-20 15:03 . 2009-03-20 15:03        <DIR>        d--------        c:\program files\Winamp
2009-03-20 15:03 . 2009-03-24 17:46        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\Winamp
2009-03-19 16:29 . 2009-03-19 16:29        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Symantec
2009-03-16 14:30 . 2009-03-30 03:04        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\temp
2009-03-16 14:30 . 2009-03-16 14:30        <DIR>        dr-h-----        c:\documents and settings\Snitch Snitchovic\Application Data\SecuROM
2009-03-16 14:30 . 2009-03-16 14:30        107,888        --a------        c:\windows\system32\CmdLineExt.dll
2009-03-16 14:02 . 2009-03-16 14:02        27        --a------        c:\windows\system32\mcheck.mhf
2009-03-16 14:01 . 2009-03-16 14:01        <DIR>        d--------        c:\program files\SlySoft
2009-03-16 14:01 . 2008-12-16 14:12        40,072        --a------        c:\windows\system32\drivers\maploml.sys
2009-03-16 14:01 . 2008-12-16 14:13        38,536        --a------        c:\windows\system32\drivers\maplom.sys
2009-03-16 01:10 . 2009-03-16 01:10        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\TuneUp Software
2009-03-16 01:09 . 2009-03-16 01:09        <DIR>        d--------        c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-15 22:14 . 2009-03-15 22:14        0        --a------        c:\windows\editor.INI
2009-03-15 14:59 . 2009-04-06 02:45        <DIR>        d--------        c:\program files\DAEMON Tools Lite
2009-03-15 14:58 . 2009-03-15 14:58        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\DAEMON Tools
2009-03-15 13:54 . 2009-03-15 13:54        717,296        --a------        c:\windows\system32\drivers\sptd.sys
2009-03-15 01:39 . 2009-03-15 01:39        <DIR>        d--------        c:\program files\Bonjour
2009-03-15 01:23 . 2009-03-15 01:23        <DIR>        d--------        c:\program files\Common Files\Macrovision Shared
2009-03-15 01:21 . 2009-03-24 16:38        <DIR>        d--------        c:\program files\Common Files\Adobe
2009-03-14 18:56 . 2009-03-14 18:56        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\DivX
2009-03-14 05:00 . 2009-03-14 05:01        <DIR>        d--------        c:\program files\DivX
2009-03-14 05:00 . 2009-03-14 05:00        <DIR>        d--------        c:\program files\Common Files\DivX Shared
2009-03-14 01:47 . 2009-03-14 03:50        <DIR>        d--------        c:\program files\Soulseek
2009-03-13 05:18 . 2009-03-13 05:22        <DIR>        d--------        c:\program files\AdVantage
2009-03-13 05:06 . 2009-03-13 05:06        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\Kazaa Lite
2009-03-13 04:53 . 2009-03-13 05:07        <DIR>        d--------        c:\program files\K-Lite
2009-03-13 04:53 . 2009-03-13 04:53        <DIR>        d--------        C:\My Shared Folder
2009-03-13 04:53 . 1998-06-26 03:00        1,062,704        --a------        c:\windows\system32\MSCOMCTL.OCX
2009-03-13 04:53 . 1998-06-24 03:00        108,336        --a------        c:\windows\system32\MSWINSCK.OCX
2009-03-13 00:38 . 2009-03-16 01:00        <DIR>        d--------        c:\program files\uTorrent
2009-03-13 00:38 . 2009-04-06 11:16        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\uTorrent
2009-03-13 00:14 . 2009-03-16 00:57        <DIR>        d--------        c:\program files\QIP Infium
2009-03-13 00:14 . 2009-03-13 00:14        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\QIP
2009-03-13 00:11 . 2009-03-13 00:11        <DIR>        d--------        c:\program files\QIP
2009-03-12 23:42 . 2009-03-12 23:42        <DIR>        d--------        c:\documents and settings\Snitch Snitchovic\Application Data\vlc
2009-03-12 23:15 . 2008-04-14 04:09        142,592        --a------        c:\windows\system32\drivers\aec.sys
2009-03-12 23:15 . 2008-04-14 06:47        83,072        --a------        c:\windows\system32\drivers\wdmaud.sys
2009-03-12 23:15 . 2008-04-14 06:15        56,576        --a------        c:\windows\system32\drivers\swmidi.sys
2009-03-12 23:15 . 2008-04-14 06:15        52,864        --a------        c:\windows\system32\drivers\DMusic.sys
2009-03-12 23:15 . 2006-08-01 15:02        49,152        --a------        c:\windows\system32\ChCfg.exe
2009-03-12 23:15 . 2008-04-14 06:15        6,272        --a------        c:\windows\system32\drivers\splitter.sys
2009-03-12 23:14 . 2009-04-06 11:30        <DIR>        d--h-----        c:\program files\InstallShield Installation Information
2009-03-12 23:14 . 2009-04-06 02:46        <DIR>        d--------        c:\program files\Common Files\InstallShield
2009-03-12 22:40 . 2009-03-28 01:53        <DIR>        d--------        c:\documents and settings\All Users\Application Data\Norton
2009-03-12 22:39 . 2009-03-12 22:39        <DIR>        d--------        c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-12 22:35 . 2009-03-12 22:35        <DIR>        d--------        c:\program files\VideoLAN
2009-03-12 22:09 . 2009-03-12 22:09        410,984        --a------        c:\windows\system32\deploytk.dll

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 20:16        ---------        d-----w        c:\program files\CCleaner
2009-04-07 13:59        116,145        ----a-w        c:\windows\Internet Logs\vsmon_2nd_2009_04_07_15_53_50_small.dmp.zip
2009-04-07 13:34        112,099        ----a-w        c:\windows\Internet Logs\vsmon_2nd_2009_04_07_15_29_11_small.dmp.zip
2009-04-07 13:15        113,528        ----a-w        c:\windows\Internet Logs\vsmon_2nd_2009_04_07_15_08_14_small.dmp.zip
2009-04-06 02:12        ---------        d-----w        c:\program files\VistaExperience.org
2009-03-13 03:09        ---------        d-----w        c:\program files\Unlocker
2009-03-12 20:34        ---------        d-----w        c:\program files\Resource Hacker 3.4.0
2009-03-12 20:09        ---------        d-----w        c:\program files\Java
2009-03-12 19:47        ---------        d-----w        c:\program files\Styler
2009-03-12 19:46        ---------        d-----w        c:\documents and settings\Snitch Snitchovic\Application Data\Styler
2009-03-12 19:28        ---------        d-----w        c:\program files\Windows Media Connect 2
2009-03-12 19:27        ---------        d-----w        c:\program files\Alky for Applications
2009-03-12 19:25        ---------        d-----w        c:\program files\Common Files\Java
2009-03-12 19:22        ---------        d-----w        c:\program files\MSBuild
2009-03-12 19:21        ---------        d-----w        c:\program files\Reference Assemblies
2009-03-12 19:09        ---------        d-----w        c:\program files\LClock
2009-03-12 19:09        ---------        d-----w        c:\program files\Desktop
2009-03-12 19:08        ---------        d-----w        c:\program files\Microsoft PowerToys
2009-03-12 19:08        ---------        d-----w        c:\program files\HashTab Shell Extension
2009-02-09 11:13        1,846,784        ----a-w        c:\windows\system32\win32k.sys
2009-02-09 11:13        1,846,784        ------w        c:\windows\system32\dllcache\win32k.sys
2009-01-27 01:35        120,056        ------w        c:\windows\system32\pxcpyi64.exe
2009-01-27 01:35        118,520        ------w        c:\windows\system32\pxinsi64.exe
2009-01-27 01:34        90,112        ----a-w        c:\windows\system32\dpl100.dll
2009-01-27 01:34        823,296        ----a-w        c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34        823,296        ----a-w        c:\windows\system32\divx_xx07.dll
2009-01-27 01:34        815,104        ----a-w        c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34        802,816        ----a-w        c:\windows\system32\divx_xx11.dll
2009-01-27 01:34        684,032        ----a-w        c:\windows\system32\DivX.dll
2009-01-16 16:24        3,596,288        ------w        c:\windows\system32\dllcache\mshtml.dll
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

c:\documents and settings\Snitch Snitchovic\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\Snitch Snitchovic\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-03-12 15086]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 17:02 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-12 22:09 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-03-23 14:07 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2009-03-09 17:49 37888 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"CiSvc"=3 (0x3)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-28 108289]
R3 MaplomL;MaplomL;c:\windows\system32\drivers\maploml.sys [2009-03-16 40072]
S2 gupdate1c9b32171f6d04;Google Update Service (gupdate1c9b32171f6d04);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 133104]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2009-03-30 1527900]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-07 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\1-Klick-Wartung.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe []

2009-04-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 01:24]

2009-04-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Snitch Snitchovic\Application Data\Mozilla\Firefox\Profiles\vm6lje7l.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 00:24:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-08  0:25:29
ComboFix-quarantined-files.txt  2009-04-07 22:25:27
ComboFix2.txt  2009-04-07 22:16:01

Pre-Run: 1.195.810.816 bytes free
Post-Run: 1,188,507,648 bytes free

235        --- E O F ---        2009-04-03 20:37:11



Copyright ©2000-2025, Trojaner-Board