Trojaner-Board (https://www.trojaner-board.de/)
Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
Trojaner DR/fake alert sj (https://www.trojaner-board.de/77786-trojaner-dr-fake-alert-sj.html)

burne 24.09.2009 13:50

Trojan DR/fake alert sj

Hello everyone..

Antivir found a Trojan named DR/Fake Alert.SJ, what should I do now?? Please give me your professional help..

Many thanks

burne 24.09.2009 14:57

Malwarebytes' Anti-Malware 1.41
Datenbank Version: 2854
Windows 5.1.2600 Service Pack 3

24.09.2009 15:55:48
mbam-log-2009-09-24 (15-55-45).txt

Scan-Methode: Vollständiger Scan (C:\|F:\|)
Durchsuchte Objekte: 321976
Laufzeit: 50 minute(s), 11 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\AntivirusDoktorNE (Rogue.AntivirusDoktor) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\System Volume Information\_restore{9BE1304A-CB87-4670-B381-3C2C5DA692A8}\RP170\A0066821.exe (Rogue.AntivirusDoktor) -> No action taken.

Donthackme 25.09.2009 13:16

Quote:

Quote from burne (post 468026)
Hello everyone..

Antivir found a Trojan named DR/Fake Alert.SJ, what should I do now?? Please give me your professional help..

Many thanks


Attention! You have a rootkit on your system:


S3 gAGP440p;gAGP440p; \??\C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\gAGP440p.sys


Please check this file at VirusTotal here:
http://www.virustotal.com/de/
C:\WINDOWS\system32\drivers\aeww5shi.sys


Please scan your system with anti-rootkit scanners.

A few scans for files, processes and registry entries that are hidden from most other scanners (by a rootkit). During these scans:

* all other scanners for viruses, spyware etc. should be disabled
* there should be no connection to a network/the Internet (don't forget WLAN)
* nothing should be done on the computer

Scan with Sophos

* Download the rootkit scanner here:
Sophos Anti-Rootkit - Download - CHIP Online
You will get an installer file, sarsfx.exe.
* Run it, accept the licence, let the program install, and start the scan with "Start scan". The scan takes some time; when it is finished a window pops up with a summary, click "Ok" there. Close the Sophos rootkit scanner and note any findings here in the thread.


Scan with Panda Anti-Rootkit

* Download the Panda Anti-Rootkit here
Panda Antirootkit - Freeware - Download.CHIP.eu
and install it.
* Close all applications, close the web browser, close all small windows.
* Stop all resident guard programs and on-demand scanners.
* Please do nothing on the computer.
* Start the program with a double-click on the file PAVARK.exe
* After agreeing to the licence agreement, start the scan.
* Please do not interrupt the program.

* Please do not delete any findings for now, but report them here in the thread.

If these two do not find it and neutralise it, we will have to bring out heavier guns.

burne 25.09.2009 14:53

thanks a lot already..

unfortunately the file does not exist in the drivers folder.. what now??

Donthackme 25.09.2009 16:50

Quote:

unfortunately the file does not exist in the drivers folder.. what now?
Then this is a "hidden driver", so possibly also a rootkit.
Please be sure to run the rootkit scans given above and post the findings here.

burne 25.09.2009 18:24

so I have now scanned with Sophos, it gave me the following:

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\drivers\sptd.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

burne 25.09.2009 18:34

Panda Anti-Rootkit:

Items scanned: 5273

NO ROOTKITS HAVE BEEN FOUND

Donthackme 25.09.2009 18:44

The results from Panda?

And I have more work for you :)

Please upload these files to VirusTotal and report the result:

C:\WINDOWS\system32\javaws.exe
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\system32\java.exe

VirusTotal - Free online virus and malware scanner

Run a scan with the anti-rootkit scanner "Rootrepeal"

Rootkit scan with RootRepeal

* Download the scanner here:
RootRepeal - RootRepeal - Rootkit Detector
, scroll down and download RootRepeal.zip.
* Disconnect your computer from the Internet
* Disable your firewall and antivirus program
* Extract the file to your desktop.
* Double-click RootRepeal.exe to start the scanner.
* Click the Report tab and then the Scan button.
* Tick the following elements and click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

* You will then be asked which drives should be scanned.
* Select C:\ and click Ok again.
* The scan starts automatically; it will take a while, please be patient.
* Please do not work on the computer during the scan!
* When the scan is finished, click Save Report.
* Save the log file as RootRepeal.txt on the desktop.
* Copy its contents here into the thread.

burne 25.09.2009 18:47

I already wrote that.. nothing found!!

why scan the Java files??

thanks a lot

Donthackme 25.09.2009 18:58

Quote:

NO ROOTKITS HAVE BEEN FOUND
Unfortunately that is not yet the all-clear. Not all scanners find what they should find. "Rootrepeal" is the best and most thorough of the three...

Donthackme 25.09.2009 19:04

Quote:

why scan the Java files??
Because Java files normally run in the "Programme" (Program Files) folder and not in the Windows 32 folder. If they are in C:\Programme they are harmless; if they are in the Windows 32 folder, it may be malware.

burne 25.09.2009 19:41

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 19:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC63A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA64C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP3460
Image Path: \Driver\PCI_PNP3460
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: phooks.sys
Image Path: phooks.sys
Address: 0xBA328000 Size: 23552 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA86BD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spec.sys
Image Path: spec.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: F:\System Volume Information\_restore{9BE1304A-CB87-4670-B381-3C2C5DA692A8}\RP189\A0070920.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information\_restore{9BE1304A-CB87-4670-B381-3C2C5DA692A8}\RP207\A0075638.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba720e5e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba720e54

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba720e63

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba720e6d

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spec.sys" at address 0xb9ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spec.sys" at address 0xb9ec6032

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba720e72

#: 119 Function Name: NtOpenKey
Status: Hooked by "spec.sys" at address 0xb9ea70c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba720e40

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba720e45

#: 160 Function Name: NtQueryKey
Status: Hooked by "spec.sys" at address 0xb9ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spec.sys" at address 0xb9ec5f8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba720e7c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba720e77

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba720e68

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba720e4f

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a6211f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a2f91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a6931f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a1ff1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a6231f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a21f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a21f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a21f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a21f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a21f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a21f500 Size: 121

Object: Hidden Code [Driver: akll30t2ࠅఊ祓譐LL蘨, IRP_MJ_CREATE]
Process: System Address: 0x8a2a0500 Size: 121

Object: Hidden Code [Driver: akll30t2ࠅఊ祓譐LL蘨, IRP_MJ_CLOSE]
Process: System Address: 0x8a2a0500 Size: 121

Object: Hidden Code [Driver: akll30t2ࠅఊ祓譐LL蘨, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2a0500 Size: 121

Object: Hidden Code [Driver: akll30t2ࠅఊ祓譐LL蘨, IRP_MJ_POWER]
Process: System Address: 0x8a2a0500 Size: 121

Object: Hidden Code [Driver: akll30t2ࠅఊ祓譐LL蘨, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2a0500 Size: 121

Object: Hidden Code [Driver: akll30t2ࠅఊ祓譐LL蘨, IRP_MJ_PNP]
Process: System Address: 0x8a2a0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a2f0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a20b500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_CREATE]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_CLOSE]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_READ]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_CLEANUP]
Process: System Address: 0x8a13f500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆찀ذ퇀ÿ, IRP_MJ_PNP]
Process: System Address: 0x8a13f500 Size: 121

==EOF==
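As an added example (not a tool from this thread, from RootRepeal or from GMER), the following Python script parses the Drivers and SSDT sections of a RootRepeal-style text report and groups the SSDT hooks by the module the scanner attributed them to, so that hooks reported as "<unknown>" and drivers the report cannot map to a file on disk are listed for manual review. The embedded report excerpt is constructed from a few records of the log above; the helper names (split_sections, parse_ssdt_hooks, unresolved_drivers, triage) are this example's own.

```python
"""Triage helper for RootRepeal-style text reports (added example, not
part of RootRepeal). Parses the Drivers and SSDT sections and summarises
which module each SSDT hook is attributed to."""
import re
from collections import defaultdict

# Constructed excerpt in the report layout seen in the thread; the records
# are copied from the posted log and trimmed to three drivers and three hooks.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA86BD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spec.sys
Image Path: spec.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba720e5e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spec.sys" at address 0xb9ec5ca4

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba720e40

==EOF==
"""

UNDERLINE = re.compile(r"-{5,}")                        # dashed rule under a section header
INLINE_KV = re.compile(r"(Address|Size|File Visible|Signed): (\S+)")  # several keys on one line
HOOK_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s*\n\s*Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)'
)


def split_sections(report: str) -> dict[str, str]:
    """Return {section header: body text}; a header is the line just above a dashed rule."""
    lines = report.splitlines()
    sections: dict[str, list[str]] = {}
    current = None
    i = 0
    while i < len(lines):
        if i + 1 < len(lines) and UNDERLINE.fullmatch(lines[i + 1].strip()):
            current = lines[i].strip()
            sections[current] = []
            i += 2
            continue
        if lines[i].strip() == "==EOF==":
            current = None
        elif current is not None:
            sections[current].append(lines[i])
        i += 1
    return {name: "\n".join(body) for name, body in sections.items()}


def records(body: str) -> list[str]:
    """Split a section body into its blank-line-separated records."""
    return [blk for blk in re.split(r"\n\s*\n", body) if blk.strip()]


def parse_record(block: str) -> dict[str, str]:
    """Turn one 'Key: value' record into a dict; the Address line carries four keys."""
    rec: dict[str, str] = {}
    for line in block.splitlines():
        key, _, value = line.partition(": ")
        if key in ("Name", "Image Path", "Path", "Status"):
            rec[key] = value.strip()          # whole remainder, since paths may contain spaces
        else:
            for m in INLINE_KV.finditer(line):
                rec[m.group(1)] = m.group(2)
    return rec


def parse_drivers(report: str) -> list[dict[str, str]]:
    return [parse_record(blk) for blk in records(split_sections(report).get("Drivers", ""))]


def unresolved_drivers(drivers: list[dict[str, str]]) -> list[str]:
    """Drivers whose image path has no directory and whose file the scanner did not see:
    the report alone gives no on-disk file to examine, so they need manual follow-up."""
    return [d["Name"] for d in drivers
            if "\\" not in d.get("Image Path", "") and d.get("File Visible") == "No"]


def parse_ssdt_hooks(report: str) -> list[dict]:
    body = split_sections(report).get("SSDT", "")
    return [{"index": int(idx), "function": fn, "module": mod, "address": int(addr, 16)}
            for idx, fn, mod, addr in HOOK_RE.findall(body)]


def hooks_by_module(hooks: list[dict]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return dict(grouped)


def triage(report: str) -> dict:
    hooks = parse_ssdt_hooks(report)
    return {
        "hooks_by_module": hooks_by_module(hooks),
        "unknown_hooks": [h["function"] for h in hooks if h["module"] == "<unknown>"],
        "unresolved_drivers": unresolved_drivers(parse_drivers(report)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

To run it on a real report, replace SAMPLE_REPORT with the contents of the RootRepeal.txt saved from the scanner. Grouping by module also makes two scanners' outputs easy to compare: the RootRepeal log above attributes the NtEnumerateKey and NtEnumerateValueKey hooks at 0xb9ec5ca4 and 0xb9ec6032 to "spec.sys", while the GMER log later in the thread lists the same two addresses under "spyh.sys"; the hook addresses are what both tools agree on, the module name differs between them.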

burne 25.09.2009 19:42

and nothing was found on the Java files!

Donthackme 26.09.2009 11:11

Quote:

Quote from burne (post 468347)
and nothing was found on the Java files!

Good :) To be on the safe side, I would like you to run one more scan with Gmer anti-rootkit:
Please follow the instructions exactly.


Rootkit Scan

A few scans for files, processes and registry entries that are hidden from most other scanners (by a rootkit). During these scans:

* all other scanners for viruses, spyware etc. should be disabled
* there should be no connection to a network/the Internet (don't forget WLAN)
* nothing should be done on the computer

* Save the log with "Save" to your desktop and copy it into the thread
* Please copy RED ENTRIES separately into the thread

burne 27.09.2009 12:32

I ran GMER!

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-27 13:30:23
Windows 5.1.2600 Service Pack 3
Running: nr6l3cqz.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\awnyqpog.sys


---- System - GMER 1.0.15 ----

SSDT spyh.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spyh.sys ZwEnumerateValueKey [0xB9EC6032]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6931F8

---- EOF - GMER 1.0.15 ----


Thank you very much for your help!!


Copyright ©2000-2025, Trojaner-Board