Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Virus:Win32/Alureon.H lässt sich nicht löschen, bzw. ist immer wieder da (https://www.trojaner-board.de/89011-virus-win32-alureon-h-laesst-loeschen-bzw-immer.html)

Torge_P 02.08.2010 12:26
Virus:Win32/Alureon.H lässt sich nicht löschen, bzw. ist immer wieder da
 
Hallo, leider hat es mich mit dem Virus: Win32/Alureon.H erwischt.

Ich habe bereits öfters versucht ihn mit Microsoft Security Essentials zu löschen. Aber leider ohne Erfolg.Auch das Tool zum.... Software von MS brachte nichts. Ich habe bereits auch einige Themen hier im Forum gelesen und auch einige Programme installiert, bzw. ausgeführt, leider noch ohne Erfolg.
http://www.trojaner-board.de/69886-a...-beachten.html

Ich nutze Win 7 als 32 Bit version. Aufgefallen ist es mir erst gestern, aber im nachhinein muss ich sagen, dass ich auch schon seit gut 4 Wochen keine Updates ziehen kann (dachte es wäre ein Fehler bei Microsoft:headbang: ).

Mir ist bewusst, dass es am sichersten wäre das System neu aufzusetzen, doch leider hab ich schon seit längerer Zeit (seit Februar) keine Sicherung mehr gemacht, daher würde ich gerne mit eurer Hilfe versuchen, dem Schädling den Gar auszumachen :snyper: .

Es wäre nett, wenn ihr mir noch mal kurz beschreiben könntet, wie ich meine Logfiles in so einem "Code-Kasten" posten kann. Hatte es irgendwo im Forum gelesen, aber die Seite finde ich leider nicht mehr.

Ich möchte mich schon mal für eure Hilfe im vorraus bedanken.

Gruß
Torge

Torge_P 02.08.2010 13:36
So, habs rausgefunden, wie es mit dem CodeFenster funktioniert. :D
Hier das erste Log, ich habe 60 Tage genommen, da ich nicht genau weiß, wie lange der Rechner infiziert ist.
HijackThis:
Code:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Torge at 2010-08-02 13:27:16
Microsoft Windows 7 Professional 
System drive C: has 11 GB (21%) free of 51 GB
Total RAM: 3327 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:27:25, on 02.08.2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Users\Torge\AppData\Local\Apps\2.0\1EJQM2Y1.ZL8\7MPGDLYE.8LD\frit..tion_8488884cfbcefd60_0002.0001_383382c5c60b72bd\fritzbox-usb-fernanschluss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Users\Torge\Desktop\RSIT.exe
C:\Program Files\trend micro\Torge.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AVMUSBFernanschluss] C:\Users\Torge\AppData\Local\Apps\2.0\1EJQM2Y1.ZL8\7MPGDLYE.8LD\frit..tion_8488884cfbcefd60_0002.0001_383382c5c60b72bd\AVMAutoStart.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: An vorhandenes PDF anfügen - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 11630 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID-Anmelde-Hilfsprogramm - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-23 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-19 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-23 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"=C:\Windows\KHALMNPR.EXE [2009-06-17 55824]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-10-14 2793304]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2006-10-23 620152]
""= []
"VMware hqtray"=C:\Program Files\VMware\VMware Player\hqtray.exe [2010-01-22 64048]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"BrMfcWnd"=C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2009-05-26 1159168]
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe [2008-12-24 114688]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-06-03 1144104]
"MSSE"=C:\Program Files\Microsoft Security Essentials\msseces.exe [2010-06-01 1093208]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-07-14 1173504]
"Skype"=C:\Program Files\Skype\\Phone\Skype.exe [2010-05-13 26192168]
"AVMUSBFernanschluss"=C:\Users\Torge\AppData\Local\Apps\2.0\1EJQM2Y1.ZL8\7MPGDLYE.8LD\frit..tion_8488884cfbcefd60_0002.0001_383382c5c60b72bd\AVMAutoStart.exe [2010-02-21 139264]
"SandboxieControl"=C:\Program Files\Sandboxie\SbieCtrl.exe [2009-12-01 389120]
"OpAgent"=OpAgent.exe /agent []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Acrobat - Schnellstart.lnk - C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Users\Torge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2009-07-20 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 2 months======

2010-08-02 12:54:07 ----A---- C:\Windows\system32\drivers\wfvoligm.sys
2010-08-02 02:48:24 ----A---- C:\Windows\system32\drivers\mbmqgubi.sys
2010-08-02 01:33:52 ----A---- C:\Windows\system32\drivers\relcjtxj.sys
2010-08-01 21:50:33 ----D---- C:\rsit
2010-08-01 21:50:33 ----D---- C:\Program Files\trend micro
2010-08-01 20:45:53 ----D---- C:\Users\Torge\AppData\Roaming\Malwarebytes
2010-08-01 20:45:37 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-08-01 20:45:35 ----D---- C:\ProgramData\Malwarebytes
2010-08-01 20:45:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-08-01 20:45:35 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-08-01 20:38:30 ----D---- C:\Program Files\CCleaner
2010-08-01 20:31:59 ----A---- C:\Windows\system32\drivers\kzyioezg.sys
2010-08-01 19:57:01 ----A---- C:\Windows\system32\drivers\rucchpsf.sys
2010-08-01 19:29:22 ----A---- C:\Windows\system32\drivers\bhniaffv.sys
2010-08-01 19:04:24 ----A---- C:\Windows\system32\drivers\dgxexcsq.sys
2010-08-01 18:22:41 ----A---- C:\Windows\system32\drivers\xvhyecko.sys
2010-08-01 17:55:17 ----D---- C:\Windows\system32\MpEngineStore
2010-08-01 17:50:01 ----A---- C:\Windows\system32\drivers\riuhtcvy.sys
2010-08-01 17:22:54 ----D---- C:\ProgramData\Windows Genuine Advantage
2010-07-26 22:41:18 ----A---- C:\Windows\system32\drivers\kjmzewyd.sys
2010-07-25 02:12:08 ----A---- C:\Windows\system32\drivers\ATAPI.SYS
2010-07-17 09:56:48 ----D---- C:\ProgramData\SSScanAppDataDir
2010-07-17 09:55:59 ----D---- C:\ProgramData\MSScanAppDataDir
2010-07-15 07:07:55 ----D---- C:\Users\Torge\AppData\Roaming\FLEXnet
2010-07-15 07:06:23 ----D---- C:\ProgramData\TEMP
2010-07-15 07:05:54 ----D---- C:\Users\Torge\AppData\Roaming\Nuance
2010-07-15 07:04:51 ----D---- C:\ProgramData\ScanSoft
2010-07-15 07:03:12 ----D---- C:\Program Files\Nuance
2010-07-08 09:04:50 ----D---- C:\Program Files\Motherboard Monitor 5
2010-07-07 14:15:36 ----D---- C:\ProgramData\DivX
2010-06-23 20:21:19 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2010-06-23 20:21:19 ----A---- C:\Windows\system32\PresentationHost.exe
2010-06-23 20:21:19 ----A---- C:\Windows\system32\netfxperf.dll
2010-06-23 20:21:19 ----A---- C:\Windows\system32\mscoree.dll
2010-06-23 20:21:19 ----A---- C:\Windows\system32\dfshim.dll
2010-06-23 05:09:37 ----A---- C:\Windows\system32\ntdll.dll
2010-06-23 05:09:36 ----A---- C:\Windows\system32\CPFilters.dll
2010-06-23 05:09:33 ----A---- C:\Windows\system32\msdri.dll
2010-06-19 17:02:23 ----D---- C:\Program Files\Common Files\Skype
2010-06-19 16:36:49 ----D---- C:\Program Files\Common Files\Java
2010-06-19 16:36:28 ----A---- C:\Windows\system32\javaws.exe
2010-06-19 16:36:28 ----A---- C:\Windows\system32\javaw.exe
2010-06-19 16:36:28 ----A---- C:\Windows\system32\java.exe
2010-06-19 16:36:28 ----A---- C:\Windows\system32\deployJava1.dll
2010-06-19 16:36:17 ----D---- C:\Program Files\Java
2010-06-11 12:31:17 ----A---- C:\Windows\system32\win32k.sys
2010-06-11 12:31:17 ----A---- C:\Windows\system32\asycfilt.dll
2010-06-11 12:31:16 ----A---- C:\Windows\system32\mshtml.dll
2010-06-11 12:31:14 ----A---- C:\Windows\system32\urlmon.dll
2010-06-11 12:31:14 ----A---- C:\Windows\system32\mstime.dll
2010-06-11 12:31:14 ----A---- C:\Windows\system32\ieframe.dll
2010-06-11 12:31:13 ----A---- C:\Windows\system32\wininet.dll
2010-06-11 12:31:13 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-06-11 12:31:13 ----A---- C:\Windows\system32\jsproxy.dll
2010-06-11 12:31:13 ----A---- C:\Windows\system32\iedkcs32.dll
2010-06-11 12:31:08 ----A---- C:\Windows\system32\atmlib.dll
2010-06-11 12:31:08 ----A---- C:\Windows\system32\atmfd.dll
2010-06-08 16:15:31 ----D---- C:\Users\Torge\AppData\Roaming\TeamViewer
2010-06-08 16:14:32 ----D---- C:\Program Files\TeamViewer

======List of files/folders modified in the last 2 months======

2010-08-02 13:14:58 ----D---- C:\Windows\Temp
2010-08-02 12:54:07 ----D---- C:\Windows\system32\drivers
2010-08-02 12:43:53 ----D---- C:\Windows\Prefetch
2010-08-02 09:24:21 ----D---- C:\Windows\system32\config
2010-08-02 09:10:10 ----D---- C:\ProgramData\VMware
2010-08-02 09:10:07 ----D---- C:\ProgramData\NVIDIA
2010-08-02 02:44:59 ----SHD---- C:\System Volume Information
2010-08-02 02:07:16 ----D---- C:\Windows
2010-08-01 23:54:13 ----D---- C:\Windows\tracing
2010-08-01 21:50:33 ----RD---- C:\Program Files
2010-08-01 20:50:38 ----D---- C:\Windows\Minidump
2010-08-01 20:50:38 ----D---- C:\Windows\debug
2010-08-01 20:45:35 ----HD---- C:\ProgramData
2010-08-01 18:25:50 ----D---- C:\Users\Torge\AppData\Roaming\Skype
2010-08-01 17:55:17 ----D---- C:\Windows\System32
2010-08-01 16:00:40 ----D---- C:\Users\Torge\AppData\Roaming\skypePM
2010-07-28 08:45:31 ----D---- C:\Program Files\Mozilla Firefox
2010-07-26 16:59:59 ----D---- C:\Windows\system32\NDF
2010-07-22 12:48:43 ----D---- C:\Users\Torge\AppData\Roaming\VMware
2010-07-21 13:53:25 ----D---- C:\Program Files\Mozilla Thunderbird
2010-07-17 18:07:58 ----D---- C:\Windows\inf
2010-07-17 18:07:58 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-07-15 07:07:33 ----D---- C:\Users\Torge\AppData\Roaming\ScanSoft
2010-07-15 07:06:26 ----SHD---- C:\Windows\Installer
2010-07-15 07:05:23 ----D---- C:\Windows\winsxs
2010-07-15 07:03:12 ----D---- C:\ProgramData\FLEXnet
2010-07-15 06:07:56 ----D---- C:\ProgramData\ABBYY
2010-07-15 06:07:54 ----D---- C:\Program Files\Common Files
2010-07-15 06:06:52 ----D---- C:\Windows\system32\catroot2
2010-07-14 03:02:07 ----D---- C:\ProgramData\Microsoft Help
2010-07-13 14:09:19 ----A---- C:\Windows\BRWMARK.INI
2010-07-13 14:09:19 ----A---- C:\Windows\BRPP2KA.INI
2010-07-10 22:23:56 ----A---- C:\Windows\Sandboxie.ini
2010-07-10 08:18:16 ----D---- C:\Program Files\DivX
2010-07-10 08:17:42 ----D---- C:\Program Files\Common Files\PX Storage Engine
2010-07-08 12:05:59 ----D---- C:\Users\Torge\AppData\Roaming\DivX
2010-07-07 14:21:14 ----D---- C:\Program Files\Common Files\DivX Shared
2010-07-05 16:33:23 ----D---- C:\Program Files\NVIDIA Corporation
2010-07-02 12:39:06 ----A---- C:\Windows\system32\MRT.exe
2010-06-29 03:17:31 ----D---- C:\Windows\system32\catroot
2010-06-29 03:01:42 ----D---- C:\Program Files\Microsoft Security Essentials
2010-06-26 07:42:29 ----D---- C:\Windows\Microsoft.NET
2010-06-26 07:42:27 ----RSD---- C:\Windows\assembly
2010-06-26 03:09:19 ----D---- C:\Windows\system32\de-DE
2010-06-26 03:03:37 ----D---- C:\Windows\system32\en-US
2010-06-26 03:03:31 ----D---- C:\Program Files\Microsoft.NET
2010-06-24 19:24:31 ----D---- C:\Program Files\Paint.NET
2010-06-24 03:00:43 ----D---- C:\Windows\AppPatch
2010-06-23 19:41:22 ----D---- C:\Windows\ehome
2010-06-19 17:02:26 ----D---- C:\Windows\system32\Tasks
2010-06-12 03:22:33 ----D---- C:\Windows\system32\migration
2010-06-12 03:22:33 ----D---- C:\Program Files\Internet Explorer
2010-06-12 03:06:11 ----A---- C:\Windows\vbaddin.ini
2010-06-07 07:46:54 ----D---- C:\Program Files\Microsoft Silverlight
2010-06-05 03:01:15 ----SD---- C:\ProgramData\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 giveio;giveio; C:\Windows\system32\giveio.sys [2009-11-09 5248]
R0 hotcore3;hc3ServiceName; C:\Windows\system32\DRIVERS\hotcore3.sys [2009-08-31 40560]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-14 12368]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-14 173648]
R0 snapman;Acronis Snapshots Manager; C:\Windows\system32\DRIVERS\snapman.sys [2010-05-08 114048]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2009-07-14 387584]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2010-03-25 151216]
R1 MpKsl1b9445b5;MpKsl1b9445b5; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BFC4EC65-461F-467E-BAEB-CE74EE07A915}\MpKsl1b9445b5.sys [2010-08-02 28752]
R1 vpcnfltr;Virtual PC Network Filter Driver; C:\Windows\system32\DRIVERS\vpcnfltr.sys [2009-09-23 55040]
R1 vpcvmm;@%SystemRoot%\system32\drivers\vpcvmm.sys,-100; C:\Windows\system32\drivers\vpcvmm.sys [2009-09-23 294912]
R2 hcmon;VMware hcmon; \??\C:\Windows\system32\drivers\hcmon.sys [2010-01-22 32304]
R2 MarxDev1;MarxDev1; C:\Windows\system32\drivers\MarxDev1.sys [1999-08-11 11296]
R2 MarxDev2;MarxDev2; C:\Windows\system32\drivers\MarxDev2.sys [1999-08-11 11296]
R2 MarxDev3;MarxDev3; C:\Windows\system32\drivers\MarxDev3.sys [1999-08-11 11296]
R2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-14 8704]
R2 vmci;VMware vmci; \??\C:\Windows\system32\Drivers\vmci.sys [2010-01-22 70704]
R2 VMnetBridge;VMware Bridge Protocol; C:\Windows\system32\DRIVERS\vmnetbridge.sys [2010-01-22 36400]
R2 VMnetuserif;VMware Network Application Interface; \??\C:\Windows\system32\drivers\vmnetuserif.sys [2010-01-22 26288]
R2 VMparport;VMware VMparport; \??\C:\Windows\system32\Drivers\VMparport.sys [2010-01-22 14896]
R2 vmx86;VMware vmx86; \??\C:\Windows\system32\Drivers\vmx86.sys [2010-01-22 854192]
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver; \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys [2009-10-12 22448]
R3 avmaura;AVM USB-Fernanschluss; C:\Windows\system32\DRIVERS\avmaura.sys [2009-11-05 101248]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\Windows\system32\DRIVERS\L8042Kbd.sys [2009-06-17 20240]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\Windows\system32\DRIVERS\LVPr2Mon.sys [2009-10-07 25752]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\Windows\system32\drivers\lvusbsta.sys [2005-01-31 22016]
R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
R3 NVENETFD;NVIDIA nForce-Netzwerkcontrollertreiber; C:\Windows\system32\DRIVERS\nvm62x32.sys [2009-07-14 347264]
R3 Pei10Wdm;PEI10 Protokoll Treiber; C:\Windows\System32\Drivers\Pei10Wdm.sys [2002-08-15 35547]
R3 Pei16Wdm;PEI16 Protokoll Treiber; C:\Windows\System32\Drivers\Pei16Wdm.sys [2002-09-19 34683]
R3 PID_0928;Logitech QuickCam Express(PID_0928); C:\Windows\system32\DRIVERS\LV561AV.SYS [2005-01-31 211712]
R3 SbieDrv;SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys [2009-12-01 119296]
R3 solo;TerraTec 128iPCI (WDM); C:\Windows\system32\drivers\solo.sys [2000-07-10 73873]
R3 vmkbd;VMware kbd; \??\C:\Windows\system32\drivers\VMkbd.sys [2010-01-22 23216]
R3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\Windows\system32\DRIVERS\vmnetadapter.sys [2010-01-22 16560]
R3 vpcbus;Virtual PC-Hostbusdienst; C:\Windows\system32\DRIVERS\vpchbus.sys [2009-09-23 165376]
R3 vpcusb;USB-Virtualisierungsconnectordienst; C:\Windows\system32\DRIVERS\vpcusb.sys [2009-09-23 78336]
R3 WinDriver6;WinDriver6; C:\Windows\system32\drivers\windrvr6.sys [2009-05-14 195168]
S0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2010-07-03 639224]
S1 MpKsl23387da2;MpKsl23387da2; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BFC4EC65-461F-467E-BAEB-CE74EE07A915}\MpKsl23387da2.sys []
S1 Uim_IM;UIM Drive Backup Image Plugin; C:\Windows\System32\Drivers\Uim_IM.sys [2008-06-28 130688]
S1 UimBus;Universal Image Mounter Controller; C:\Windows\system32\DRIVERS\UimBus.sys [2008-06-28 33072]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-14 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\DRIVERS\amdagp.sys [2009-07-14 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-14 229888]
S3 fxtcqpog;fxtcqpog; \??\C:\Users\Torge\AppData\Local\Temp\fxtcqpog.sys []
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2009-07-14 133120]
S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [2009-07-14 5632]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver; C:\Windows\system32\DRIVERS\silabenm.sys [2008-07-15 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver; C:\Windows\system32\DRIVERS\silabser.sys [2008-07-15 60544]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\DRIVERS\sisagp.sys [2009-07-14 52304]
S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [2009-07-14 28224]
S3 usbscan;USB-Scannertreiber; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-14 35840]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\DRIVERS\viaagp.sys [2009-07-14 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-14 52736]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [2009-07-14 175824]
S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [2009-07-14 17920]
S3 vmusb;VMware USB Client Driver; C:\Windows\System32\Drivers\vmusb.sys [2010-01-22 31280]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 20992]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 154136]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 MsMpSvc;Microsoft Antimalware Service; C:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17904]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2010-04-03 129640]
R2 SbieSvc;Sandboxie Service; C:\Program Files\Sandboxie\SbieSvc.exe [2009-12-01 66560]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
R2 TeamViewer5;TeamViewer 5; C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe [2010-04-16 173352]
R2 VMAuthdService;VMware Authorization Service; C:\Program Files\VMware\VMware Player\vmware-authd.exe [2010-01-22 113200]
R2 VMnetDHCP;VMware DHCP Service; C:\Windows\system32\vmnetdhcp.exe [2010-01-22 334384]
R2 VMUSBArbService;VMware USB Arbitration Service; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]
R2 VMware NAT Service;VMware NAT Service; C:\Windows\system32\vmnat.exe [2010-01-22 395824]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 1529728]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-02-09 654848]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service; C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe [2007-03-12 2232296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 20992]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-07-20 121360]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S3 ufad-ws60;VMware Agent Service; C:\Program Files\VMware\VMware Player\vmware-ufad.exe [2009-10-12 191024]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2010-04-14 1343400]

-----------------EOF-----------------

undoreal 02.08.2010 14:48
Poste mal bitte ein gmer log.

Torge_P 02.08.2010 15:10
Hallo, vielen Dank für deine schnelle Antwort.
Hier ist das Log:
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-02 16:01:45
Windows 6.1.7600
Running: 6sis8mq9.exe; Driver: C:\Users\Torge\AppData\Local\Temp\fxtcqpog.sys


---- System - GMER 1.0.15 ----

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2AAF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2A104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2A3F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C12634
INT 0xD2        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C12898
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2A1DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2A958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2A6F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2AF2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C2B1A8

Code            88010B0C                                                                                  ZwTraceEvent
Code            88010B0B                                                                                  NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text          ntkrnlpa.exe!NtTraceEvent                                                                82C79E34 5 Bytes  JMP 88010B10
.text          ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                          82C8A599 1 Byte  [06]
.text          ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                    82CAEF52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE            ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2                                                82EBC0E5 5 Bytes  JMP 88010CF0
PAGE            ntkrnlpa.exe!NtRequestWaitReplyPort + 2                                                  82EBDB0D 5 Bytes  JMP 88010C50
PAGE            ntkrnlpa.exe!NtRequestPort + 2                                                            82ED1D73 5 Bytes  JMP 88010BB0
.text          peauth.sys                                                                                9F2FCC9D 28 Bytes  [4F, 40, F2, ED, 9A, 21, AC, ...]
.text          peauth.sys                                                                                9F2FCCC1 28 Bytes  [4F, 40, F2, ED, 9A, 21, AC, ...]
PAGE            peauth.sys                                                                                9F302E20 35 Bytes  [A4, 9A, B3, 90, 2D, BD, 53, ...]
PAGE            peauth.sys                                                                                9F302E44 65 Bytes  [51, BB, 80, B4, C6, 15, 2D, ...]
PAGE            peauth.sys                                                                                9F30302C 102 Bytes  [07, B3, D1, FC, F9, A8, AC, ...]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy1                                        hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy1                                        snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                  VMkbd.sys
AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy2                                        hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy2                                        snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                  VMkbd.sys
AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy3                                        hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy3                                        snapman.sys (Acronis Snapshot API/Acronis)

Device          \Driver\usbohci \Device\USBPDO-0                                                          hcmon.sys
Device          \Driver\usbehci \Device\USBPDO-1                                                          hcmon.sys
Device          \Driver\usbohci \Device\USBPDO-2                                                          hcmon.sys
Device          \Driver\usbehci \Device\USBPDO-3                                                          hcmon.sys
Device          \Driver\usbhub \Device\USBPDO-4                                                          hcmon.sys
Device          \Driver\usbhub \Device\USBPDO-5                                                          hcmon.sys

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6                                                    snapman.sys (Acronis Snapshot API/Acronis)

Device          \Driver\usbhub \Device\00000082                                                          hcmon.sys

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7                                                    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7                                                    snapman.sys (Acronis Snapshot API/Acronis)

Device          \Driver\usbhub \Device\00000083                                                          hcmon.sys
Device          \Driver\usbhub \Device\00000084                                                          hcmon.sys
Device          \Driver\usbhub \Device\00000085                                                          hcmon.sys
Device          \Driver\ACPI_HAL \Device\0000006a                                                        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device          \Driver\usbohci \Device\USBFDO-0                                                          hcmon.sys
Device          \Driver\usbehci \Device\USBFDO-1                                                          hcmon.sys
Device          \Driver\usbohci \Device\USBFDO-2                                                          hcmon.sys
Device          \Driver\usbehci \Device\USBFDO-3                                                          hcmon.sys

---- EOF - GMER 1.0.15 ----
Zwischenzeitlich habe ich in einem anderen Thema dieses Forums einen Link zu Combofix gesehen und habe das mal durchlaufen lassen, zuerst musste der Rechner neu gestartet werden, da Rootkit aktivitäten entdeckt wurden, dann ist es durchgelaufen und hat auch irgendetwas gelöscht.
Ich habe dann den Rechner neu gestartet und konnte auch MSE wieder aktualisieren (ohne, dass es mit einem Verbindungsfehler abbricht). Allerdings weiss ich natürlich nicht, ob jetzt alle Gefahren beseitigt sind. Ein schneller Suchdurchlauf mit dem MSE brachte keine Gefahren.
Hier das Log-file von Combofix:
Code:
ComboFix 10-08-01.02 - Torge 02.08.2010  15:12:51.1.2 - x86
Microsoft Windows 7 Professional  6.1.7600.0.1252.49.1031.18.3327.2345 [GMT 2:00]
ausgeführt von:: c:\users\Torge\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk

Infizierte Kopie von c:\windows\system32\drivers\nsiproxy.sys wurde gefunden und desinfiziert
Kopie von - Kitty had a snack :p wurde wiederhergestellt
.
(((((((((((((((((((((((  Dateien erstellt von 2010-07-02 bis 2010-08-02  ))))))))))))))))))))))))))))))
.

2010-08-02 13:21 . 2010-08-02 13:21        --------        d-----w-        c:\users\Torge\AppData\Local\temp
2010-08-02 13:21 . 2010-08-02 13:21        --------        d-----w-        c:\users\Default\AppData\Local\temp
2010-08-02 10:54 . 2010-08-02 10:54        16896        ----a-w-        c:\windows\system32\drivers\wfvoligm.sys
2010-08-02 00:48 . 2010-08-02 00:48        16896        ----a-w-        c:\windows\system32\drivers\mbmqgubi.sys
2010-08-01 23:33 . 2010-08-01 23:33        16896        ----a-w-        c:\windows\system32\drivers\relcjtxj.sys
2010-08-01 19:50 . 2010-08-02 11:27        --------        d-----w-        c:\program files\trend micro
2010-08-01 19:50 . 2010-08-01 19:50        --------        d-----w-        C:\rsit
2010-08-01 18:45 . 2010-08-01 18:45        --------        d-----w-        c:\users\Torge\AppData\Roaming\Malwarebytes
2010-08-01 18:45 . 2010-04-29 10:19        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 18:45 . 2010-08-01 18:45        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware
2010-08-01 18:45 . 2010-08-01 18:45        --------        d-----w-        c:\programdata\Malwarebytes
2010-08-01 18:45 . 2010-04-29 10:19        20952        ----a-w-        c:\windows\system32\drivers\mbam.sys
2010-08-01 18:38 . 2010-08-01 18:38        --------        d-----w-        c:\program files\CCleaner
2010-08-01 18:31 . 2010-08-01 18:31        16896        ----a-w-        c:\windows\system32\drivers\kzyioezg.sys
2010-08-01 17:57 . 2010-08-01 17:57        16896        ----a-w-        c:\windows\system32\drivers\rucchpsf.sys
2010-08-01 17:29 . 2010-08-01 17:29        16896        ----a-w-        c:\windows\system32\drivers\bhniaffv.sys
2010-08-01 17:04 . 2010-08-01 17:04        16896        ----a-w-        c:\windows\system32\drivers\dgxexcsq.sys
2010-08-01 16:22 . 2010-08-01 16:22        16896        ----a-w-        c:\windows\system32\drivers\xvhyecko.sys
2010-08-01 15:55 . 2010-08-01 17:04        --------        d-----w-        c:\windows\system32\MpEngineStore
2010-08-01 15:50 . 2010-08-01 15:50        16896        ----a-w-        c:\windows\system32\drivers\riuhtcvy.sys
2010-07-26 20:41 . 2010-07-26 20:41        16896        ----a-w-        c:\windows\system32\drivers\kjmzewyd.sys
2010-07-25 00:12 . 2010-07-25 00:12        21584        ----a-w-        c:\windows\system32\drivers\ATAPI.SYS
2010-07-18 13:45 . 2010-06-29 22:13        52224        ----a-w-        c:\users\Torge\AppData\Roaming\Mozilla\Firefox\Profiles\pf4y4fmw.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-07-18 13:45 . 2010-06-29 22:13        101376        ----a-w-        c:\users\Torge\AppData\Roaming\Mozilla\Firefox\Profiles\pf4y4fmw.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-07-17 07:56 . 2010-07-17 07:56        --------        d-----w-        c:\programdata\SSScanAppDataDir
2010-07-17 07:55 . 2010-07-17 07:55        --------        d-----w-        c:\programdata\MSScanAppDataDir
2010-07-15 05:07 . 2010-07-15 05:07        --------        d-----w-        c:\users\Torge\AppData\Roaming\FLEXnet
2010-07-15 05:05 . 2010-07-15 05:05        --------        d-----w-        c:\users\Torge\AppData\Roaming\Nuance
2010-07-15 05:04 . 2010-07-15 05:05        --------        d-----w-        c:\programdata\ScanSoft
2010-07-15 05:03 . 2010-07-15 05:03        --------        d-----w-        c:\program files\Nuance
2010-07-10 06:18 . 2010-07-10 06:18        56765        ----a-w-        c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-10 06:18 . 2010-07-10 06:18        57715        ----a-w-        c:\programdata\DivX\Player\Uninstaller.exe
2010-07-10 06:17 . 2010-07-10 06:17        84054        ----a-w-        c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-07-10 06:17 . 2010-07-10 06:17        54153        ----a-w-        c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-07-08 07:04 . 2010-07-15 04:14        --------        d-----w-        c:\program files\Motherboard Monitor 5
2010-07-07 12:21 . 2010-07-10 06:18        57344        ----a-w-        c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-07 12:21 . 2010-07-10 06:17        895256        ----a-w-        c:\programdata\DivX\Setup\DivXSetup.exe
2010-07-07 12:21 . 2010-07-10 06:17        1062184        ----a-w-        c:\programdata\DivX\Setup\Resource.dll
2010-07-07 12:21 . 2009-11-07 09:30        530704        ----a-w-        c:\programdata\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe
2010-07-07 12:21 . 2009-11-07 09:30        530704        ----a-w-        c:\programdata\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe
2010-07-07 12:21 . 2010-07-07 12:21        56997        ----a-w-        c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-07-07 12:21 . 2010-07-07 12:21        53600        ----a-w-        c:\programdata\DivX\Update\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        57609        ----a-w-        c:\programdata\DivX\MFComponents\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        57054        ----a-w-        c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        54166        ----a-w-        c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        57532        ----a-w-        c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        56458        ----a-w-        c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        54174        ----a-w-        c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        54128        ----a-w-        c:\programdata\DivX\Converter\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        54644        ----a-w-        c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        54101        ----a-w-        c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        57409        ----a-w-        c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-07-07 12:20 . 2010-07-07 12:20        52963        ----a-w-        c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-07-07 12:19 . 2010-07-07 12:19        54073        ----a-w-        c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-07-07 12:19 . 2010-07-07 12:19        56969        ----a-w-        c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-07-07 12:15 . 2010-07-10 06:18        --------        d-----w-        c:\programdata\DivX

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 13:18 . 2009-07-14 08:47        661996        ----a-w-        c:\windows\system32\perfh007.dat
2010-08-02 13:18 . 2009-07-14 08:47        132654        ----a-w-        c:\windows\system32\perfc007.dat
2010-08-02 13:11 . 2010-02-22 20:06        --------        d-----w-        c:\programdata\VMware
2010-08-02 13:11 . 2009-09-20 14:56        --------        d-----w-        c:\programdata\NVIDIA
2010-08-01 16:25 . 2009-10-27 19:47        --------        d-----w-        c:\users\Torge\AppData\Roaming\Skype
2010-08-01 14:00 . 2009-10-27 19:54        --------        d-----w-        c:\users\Torge\AppData\Roaming\skypePM
2010-07-22 10:48 . 2010-02-22 20:11        --------        d-----w-        c:\users\Torge\AppData\Roaming\VMware
2010-07-21 11:53 . 2010-04-05 09:00        --------        d-----w-        c:\program files\Mozilla Thunderbird
2010-07-15 05:07 . 2010-04-19 18:50        --------        d-----w-        c:\users\Torge\AppData\Roaming\ScanSoft
2010-07-15 05:03 . 2009-09-20 13:25        --------        d-----w-        c:\programdata\FLEXnet
2010-07-15 04:07 . 2010-01-16 14:32        --------        d-----w-        c:\programdata\ABBYY
2010-07-14 01:02 . 2009-09-20 12:50        --------        d-----w-        c:\programdata\Microsoft Help
2010-07-10 06:18 . 2009-11-07 09:30        --------        d-----w-        c:\program files\DivX
2010-07-10 06:17 . 2009-11-07 09:30        --------        d-----w-        c:\program files\Common Files\PX Storage Engine
2010-07-08 10:05 . 2009-11-28 19:30        --------        d-----w-        c:\users\Torge\AppData\Roaming\DivX
2010-07-07 12:21 . 2009-11-07 09:30        --------        d-----w-        c:\program files\Common Files\DivX Shared
2010-07-05 14:33 . 2009-09-20 14:56        --------        d-----w-        c:\program files\NVIDIA Corporation
2010-07-03 05:27 . 2009-09-20 12:08        639224 begin_of_the_skype_highlighting**************08 639224******end_of_the_skype_highlighting        ----a-w-        c:\windows\system32\drivers\sptd.sys
2010-06-29 01:01 . 2009-11-01 10:07        --------        d-----w-        c:\program files\Microsoft Security Essentials
2010-06-26 01:03 . 2009-09-20 12:52        --------        d-----w-        c:\program files\Microsoft.NET
2010-06-24 17:24 . 2010-04-05 14:53        --------        d-----w-        c:\program files\Paint.NET
2010-06-19 15:02 . 2010-06-19 15:02        --------        d-----w-        c:\program files\Common Files\Skype
2010-06-19 14:36 . 2010-06-19 14:36        --------        d-----w-        c:\program files\Common Files\Java
2010-06-19 14:36 . 2010-06-19 14:36        411368        ----a-w-        c:\windows\system32\deployJava1.dll
2010-06-19 14:36 . 2010-06-19 14:36        --------        d-----w-        c:\program files\Java
2010-06-08 14:15 . 2010-06-08 14:15        --------        d-----w-        c:\users\Torge\AppData\Roaming\TeamViewer
2010-06-08 14:14 . 2010-06-08 14:14        --------        d-----w-        c:\program files\TeamViewer
2010-06-07 05:46 . 2009-11-01 10:02        --------        d-----w-        c:\program files\Microsoft Silverlight
2010-06-01 17:37 . 2009-10-03 08:08        221568        ------w-        c:\windows\system32\MpSigStub.exe
2010-05-27 07:24 . 2010-06-11 10:31        34304        ----a-w-        c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-11 10:31        293888        ----a-w-        c:\windows\system32\atmfd.dll
2010-05-21 05:18 . 2010-06-11 10:31        977920        ----a-w-        c:\windows\system32\wininet.dll
2010-05-13 13:45 . 2010-05-13 13:45        62138        ----a-w-        c:\users\Torge\ia_remove.sh9173.tmp
2010-05-09 09:14 . 2010-06-23 03:09        641536        ----a-w-        c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-23 03:09        417792        ----a-w-        c:\windows\system32\msdri.dll
2010-05-08 14:26 . 2010-05-08 14:26        114048        ----a-w-        c:\windows\system32\drivers\snapman.sys
2009-06-10 21:26 . 2009-07-14 02:04        9633792        --sha-r-        c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42        396800        --sha-w-        c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"AVMUSBFernanschluss"="c:\users\Torge\AppData\Local\Apps\2.0\1EJQM2Y1.ZL8\7MPGDLYE.8LD\frit..tion_8488884cfbcefd60_0002.0001_383382c5c60b72bd\AVMAutoStart.exe" [2010-02-21 139264]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-12-01 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-22 64048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Torge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat - Schnellstart.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2010-2-9 295606]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-20 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 10:28        72208        ----a-w-        c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages        REG_MULTI_SZ          kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-03 639224]
R1 MpKsl23387da2;MpKsl23387da2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BFC4EC65-461F-467E-BAEB-CE74EE07A915}\MpKsl23387da2.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [2008-07-15 17920]
R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [2008-07-15 60544]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-14 1343400]
S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2009-08-31 40560]
S2 MarxDev1;MarxDev1; [x]
S2 MarxDev2;MarxDev2; [x]
S2 MarxDev3;MarxDev3; [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-04-16 173352]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]
S3 avmaura;AVM USB-Fernanschluss;c:\windows\system32\DRIVERS\avmaura.sys [2009-11-05 101248]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
S3 Pei10Wdm;PEI10 Protokoll Treiber;c:\windows\system32\Drivers\Pei10Wdm.sys [2002-08-15 35547]
S3 Pei16Wdm;PEI16 Protokoll Treiber;c:\windows\system32\Drivers\Pei16Wdm.sys [2002-09-19 34683]
S3 solo;TerraTec 128iPCI (WDM);c:\windows\system32\drivers\solo.sys [2000-07-10 73873]

.
.
------- Zusätzlicher Suchlauf -------
.
IE: An vorhandene PDF-Datei anfügen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: An vorhandenes PDF anfügen - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Auswahl in Adobe PDF konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Auswahl in vorhandene PDF-Datei konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Verknüpfungsziel in Adobe PDF konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
FF - ProfilePath - c:\users\Torge\AppData\Roaming\Mozilla\Firefox\Profiles\pf4y4fmw.default\
FF - prefs.js: browser.startup.homepage - hxxp://de.forums.aeriagames.com/index.php?f=1
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Torge\AppData\Roaming\Mozilla\Firefox\Profiles\pf4y4fmw.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Torge\AppData\Roaming\Mozilla\Firefox\Profiles\pf4y4fmw.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Torge\AppData\Roaming\Mozilla\Firefox\Profiles\pf4y4fmw.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKCU-Run-OpAgent - OpAgent.exe
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60


.
Zeit der Fertigstellung: 2010-08-02  15:24:46
ComboFix-quarantined-files.txt  2010-08-02 13:24

Vor Suchlauf: 12 Verzeichnis(se), 10.537.422.848 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 10.543.558.656 Bytes frei

- - End Of File - - 193C0AB3C1DF4A00EF938992AD692B2A
Vielen Dank schon mal für deine weitere Hilfe.
Erkennst du noch irgendwelche bedrohungen aus den Log-files?

undoreal 02.08.2010 15:47
Das nöchste mal machst du bitte nichts ohne ausdrückliche Emfpehlung, in Ordnung?
Stand bei der Combofix Anleitung nicht sogar bei: Nur auf ausdrückliche Empfehlung eines Helfers anwenden???

Überprüfe den Rechner bitte mit Malwarebytes und poste das log.

Auch ein Scan mit Hitman Pro kann nicht schaden. http://filepony.de/?q=hitman/

Poste jeweils die logs.

Torge_P 02.08.2010 16:18
Tschuldige bitte, warte in Zuckunft auf Empfehlungen von Euch.
Hier das Log von Malewarebytes, ich hatte gestern schon mal 2 Sachen damit gefunden. Die Logs sind dann weiter unten.
Aktuelle Log:
Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4379

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

02.08.2010 17:11:15
mbam-log-2010-08-02 (17-11-15).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 140191
Laufzeit: 8 Minute(n), 2 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
1.Log vom 1.8.:
Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4378

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

01.08.2010 20:59:43
mbam-log-2010-08-01 (20-59-43).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 138694
Laufzeit: 10 Minute(n), 32 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 2
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
2. Log vom 1.8. Alle danach waren ohne Fund:
Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4378

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

01.08.2010 23:27:22
mbam-log-2010-08-01 (23-27-22).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Durchsuchte Objekte: 276389
Laufzeit: 1 Stunde(n), 7 Minute(n), 13 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
E:\Download_Firefox\flashplayer.10.811.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
Ein Hitman Log kommt gleich ;)

Torge_P 02.08.2010 16:26
So, Hitman hat nur 2 Cookies gefunden und gelöscht:
Code:
- <Log computer="BUNNYEYE" scan="Normal" version="3.5.6.108" date="2010-08-02T17:20:13" timeSpentInSecs="186" filesProcessed="22869">
- <Item type="Repair" score="0.0" status="Deleted">
  <File path="C:\Users\Torge\AppData\Roaming\Microsoft\Windows\Cookies\torge@atdmt[1].txt" />
  </Item>
- <Item type="Repair" score="0.0" status="Deleted">
  <File path="C:\Users\Torge\AppData\Roaming\Microsoft\Windows\Cookies\torge@msnportal.112.2o7[1].txt" />
  </Item>
  </Log>
Wie sieht das weitere Vorgehen aus?
Gruß Torge

undoreal 02.08.2010 16:36
Joar, da sind noch ein paar Treiber die mir irgendwie nicht gefallen...

Die könntest du mal bei Virustotal hochladen:


Dateien Online überprüfen lassen:


* Lasse dir auch die versteckten Dateien anzeigen!

* Rufe die Seite Virustotal auf.

* Dort suche über den "Durchsuchen"-Button folgende Datei raus und lade sie durch Druck auf den "Senden der Datei"-Button hoch.

Zitat:
c:\windows\system32\drivers\kjmzewyd.sys
c:\windows\system32\drivers\riuhtcvy.sys
c:\windows\system32\drivers\xvhyecko.sys
c:\windows\system32\drivers\wfvoligm.sys
c:\windows\system32\drivers\mbmqgubi.sys
c:\windows\system32\drivers\relcjtxj.sys
c:\windows\system32\drivers\kzyioezg.sys
c:\windows\system32\drivers\rucchpsf.sys
c:\windows\system32\drivers\bhniaffv.sys
c:\windows\system32\drivers\dgxexcsq.sys
Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
* Sollte die Datei bereits analysiert worden sein so lasse sie unbedingt trotzdem nocheinmal analysieren!
* Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Torge_P 02.08.2010 17:17
So endlich fertig. ;) Hier alle Ergebnisse untereinander:
Code:
c:\windows\system32\drivers\kjmzewyd.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

c:\windows\system32\drivers\riuhtcvy.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\xvhyecko.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\wfvoligm.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\mbmqgubi.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\relcjtxj.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\kzyioezg.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -


c:\windows\system32\drivers\rucchpsf.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\bhniaffv.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


c:\windows\system32\drivers\dgxexcsq.sys:
AhnLab-V3        2010.08.01.00        2010.07.31        -
AntiVir        8.2.4.32        2010.08.02        -
Antiy-AVL        2.0.3.7        2010.08.02        -
Authentium        5.2.0.5        2010.08.02        -
Avast        4.8.1351.0        2010.08.02        -
Avast5        5.0.332.0        2010.08.02        -
AVG        9.0.0.851        2010.08.02        -
BitDefender        7.2        2010.08.02        -
CAT-QuickHeal        11.00        2010.08.02        -
ClamAV        0.96.0.3-git        2010.08.02        -
Comodo        5620        2010.08.02        -
DrWeb        5.0.2.03300        2010.08.02        -
Emsisoft        5.0.0.34        2010.07.30        -
eSafe        7.0.17.0        2010.08.02        -
eTrust-Vet        36.1.7756        2010.08.02        -
F-Prot        4.6.1.107        2010.08.02        -
F-Secure        9.0.15370.0        2010.08.02        -
Fortinet        4.1.143.0        2010.08.02        -
GData        21        2010.08.02        -
Ikarus        T3.1.1.84.0        2010.08.02        -
Jiangmin        13.0.900        2010.08.01        -
Kaspersky        7.0.0.125        2010.08.02        -
McAfee        5.400.0.1158        2010.08.02        -
McAfee-GW-Edition        2010.1        2010.08.02        -
Microsoft        1.6004        2010.08.02        -
NOD32        5334        2010.08.02        -
Norman        6.05.11        2010.08.02        -
nProtect        2010-08-02.02        2010.08.02        -
Panda        10.0.2.7        2010.08.02        -
PCTools        7.0.3.5        2010.08.02        -
Prevx        3.0        2010.08.02        -
Rising        22.59.00.04        2010.08.02        -
Sophos        4.56.0        2010.08.02        -
Sunbelt        6674        2010.08.02        -
SUPERAntiSpyware        4.40.0.1006        2010.08.02        -
Symantec        20101.1.1.7        2010.08.02        -
TheHacker        6.5.2.1.328        2010.07.30        -
TrendMicro        9.120.0.1004        2010.08.02        -
TrendMicro-HouseCall        9.120.0.1004        2010.08.02        -
VBA32        3.12.12.7        2010.08.02        -
ViRobot        2010.7.31.3965        2010.08.02        -
VirusBuster        5.0.27.0        2010.08.02        -
weitere Informationen
File size: 16896 bytes
MD5...: e9a0a4d07e53d8fea2bb8387a3293c58
SHA1..: 5e1d618a19f93e1b5c71f6248189034fad879928
SHA256: 690cad6c4e35ecc1172a2e1fd3933df73158b3bf42cb21244269612a53de4d7a
ssdeep: 192:g1rJACF05FDWmonOqdZhXm6J1afZOOQCc7H6FgoXp+Cr9Tuw+nmWPsUWT:yV
GnWzOyZ5afZw7addrVjWPsUWT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7071
timedatestamp.....: 0x4a5bbf48 (Mon Jul 13 23:12:08 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x254e 0x2600 6.27 f41e2cca9095702df2de9110ab2f9038
.rdata 0x4000 0x274 0x400 2.57 b6b73719f6a3eb4eda976143d7c74beb
.data 0x5000 0x48 0x200 0.24 312651a6f76490d97aff95c683a68247
PAGE 0x6000 0x22 0x200 0.45 32f7522e0b18964af7d21fdc59c8a5ab
INIT 0x7000 0x570 0x600 5.07 d6c50bc8a6fdbe6e991c15c66ccfc19b
.rsrc 0x8000 0x5b0 0x600 3.20 1463c13d11bb7248c95921d1d6fdfcb6
.reloc 0x9000 0x22e 0x400 3.57 5eca58d1f88318ec34fa262431d7c5dc

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, IoQueueWorkItem, IofCompleteRequest, IoAllocateWorkItem, IoReleaseCancelSpinLock, KefReleaseSpinLockFromDpcLevel, IoDeleteSymbolicLink, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KeTickCount, RtlUnwind, IoDeleteDevice, _allmul, memset, ExAllocatePoolWithQuotaTag, memcpy, MmUserProbeAddress, ExRaiseAccessViolation, ProbeForWrite, ExRaiseDatatypeMisalignment, IoFreeWorkItem, ExFreePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, KefAcquireSpinLockAtDpcLevel, KeSetEvent, KeBugCheckEx
> HAL.dll: KfReleaseSpinLock, KfAcquireSpinLock
> NETIO.SYS: NsiSetAllParametersEx, NsiEnumerateObjectsAllPersistentParametersWithMask, NsiEnumerateObjectsAllParametersEx, NsiRegisterChangeNotificationEx, NsiSetParameterEx, NsiGetParameterEx, NsiDeregisterChangeNotificationEx, NsiGetModuleHandle, NsiGetAllPersistentParametersWithMask, NsiGetAllParametersEx, NsiSetAllPersistentParametersWithMask

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NSI Proxy
original name: nsiproxy.sys
internal name: nsiproxy.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Was mich wundert ist, dass der original Name nsiproxy.sys ist. :confused:

Wie gehts jetzt weiter?

Gruß Torge

undoreal 02.08.2010 17:19
Zitat:
Was mich wundert ist, dass der original Name nsiproxy.sys ist.
Was meinst du damit?

Da die Treiber alle blitzblank sind denke ich es haldelt sich um die MBMA Treiber oder so...

Dein Rechner scheint sauber zu sein.


Master Boot Record überprüfen:

Lade dir die mbr.exe von gmer auf den Desktop und führe die Datei mit Administrator-Rechten aus.

Poste das log!

Sollte ein MBR Rootkit gefunden worde sein, das wird im log durch den Ausdruck
Zitat:
MBR rootkit code detected !
indiziert und du musst du eine Bereinigung vornehmen.

Downloade dir dafür die mbr.bat.txt von BataAlexander und speichere sie neben der mbr.exe auf dem Desktop.
Ändere die Endung der mbr.txt.bat in mbr.bat Eine vernünftige Ordneransicht ist dafür nötig.
Dann führe die mbr.bat. durch einen Doppelklick aus.
Dabei muss sich die mbr.exe von gmer ebenfalls auf dem Desktop befinden!

Der MBR wird bereinigt und es erscheint ein log. Poste auch diese log!

Torge_P 02.08.2010 17:35
Anscheinend kein Fund:
Code:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Dann scheint mein Rechner jetzt wieder sauber, oder?

undoreal 02.08.2010 18:07
Jop, sieht so aus als wäre er wieder sauber.

Torge_P 02.08.2010 18:09
OK:huepp:

Vielen vielen Dank für deine Hilfe. Echt klasse Forum hier. Vielen Dank
Torge


Alle Zeitangaben in WEZ +1. Es ist jetzt 23:43 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131