OK. Now please create and post logs with GMER and OSAM. GMER crashes fairly often; if the tool won't run on the second attempt either, just skip it and run only OSAM. Afterwards, download the bootkit_remover. Unpack the tool into its own folder on the desktop and run the file remove.exe from that folder. If you are using Windows Vista or Windows 7, you must run remover.exe via right-click => Run as administrator. A black window will open and automatically search the MBR for malicious changes. Then please post whether there are any changes and, if so, on which device. Best to post everything that remover.exe outputs.
I really don't want to nag, but how do I get my standard user working again? And what is the log supposed to look like?^^ Oh, and I can't unpack OSAM :/
Use WinRAR or 7-Zip to unpack OSAM. We'll take care of the other user later.
OK, OSAM log. GMER still doesn't really want to.... I hope the log is fine like this. If you want it differently, just say so, please!! I can attach it as a PDF, for example, then it looks clearer? Thanks for your efforts - I can't say it often enough...
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Report of OSAM: Autorun Manager v5.0.11926.0</title> <style type="text/css"> body { margin : 10px 10px 10px 20px; color : #000000; background-color : #fffbf0; font : 10pt Tahoma, Verdana, Arial, Helvetica, sans-serif; scrollbar-3dlight-color : #fffbf0; scrollbar-arrow-color : #000000; scrollbar-darkshadow-color: #000000; scrollbar-face-color : #fffbf0; scrollbar-highlight-color : #000000; scrollbar-shadow-color : #fffbf0; scrollbar-track-color : #fffbf0; } a:link { color: #e15616; } a:visited { color: #e15616; } a:hover { color: #e4743f; } a:active { color: #e4743f; } .header1 { font-size : 115%; font-weight: bold; margin-left: 0px; } table { border-collapse: collapse; border : 1px solid #000000; cellpadding : 0; cellspacing : 0; width : 90%; } td,th { font-size : 12px; color : #000000; background : #fffbf0; border : 1px solid #000000; text-align : left; vertical-align: top; padding : 2px 4px 2px 4px; } .cap { font-weight: bold; font-size : 10pt; padding : 2px 4px 2px 4px; border : 1px solid #000000; } .group { font-weight: bold; font-size : 10pt; padding : 2px 4px 2px 4px; text-align : center; } .reg { font-weight: bold; font-size : 10pt; border : 0px none; padding : 2px 4px 2px 4px; } .notfound { background-color: #B3DDFF; } .blocked { background-color: #FF96EB; } .nodetails { background-color: #FFFF75; } .trusted { background-color: #C8FFC8; } .rootkit { background-color: #FF8696; } td.rs { text-align: center; vertical-align: center; font-family: courier; } td.rs.rm { background: #F90424; title: "Malware"; } td.rs.ri { background: #F90424; title: 
"Infected"; color: #21F411; } td.rs.rw { background: #F90424; title: "Unwanted"; } td.rs.rs { background: #F90424; title: "Suspicious"; } td.rs.rt { background: #21F411; title: "Trusted"; } td.rs.rc { background: #21F411; title: "Checked"; } td.rs.ry { background: #21F411; title: "Up-to-You"; } td.rs.rr { background: #F6EB13; title: "Riskware"; } td.rs.ru { background: #D4D0C8; title: "Unknown"; } td.rs.rn { background: #FFFFFF; title: "Not checked"; } </style> </head> <body> <p><span class="header1">Report of OSAM: Autorun Manager v5.0.11926.0</span><br> <a href="hxxp://www.online-solutions.ru/en/" target="_blank">hxxp://www.online-solutions.ru/en/</a><br> Saved at 23:03:07 on 27.08.2010</p> <b>OS</b>: Windows Vista Home Premium Edition (Build 6000), 32-bit<br> <b>Default Browser</b>: Mozilla Corporation Firefox 3.6.8<br> <br><b>Scanner Settings</b><br> <input type="checkbox" disabled checked>Rootkits detection (hidden registry)<br> <input type="checkbox" disabled checked>Rootkits detection (hidden files)<br> <input type="checkbox" disabled checked>Retrieve files information<br> <input type="checkbox" disabled checked>Check Microsoft signatures<br> <br><b>Filters</b><br> <input type="checkbox" disabled>Trusted entries<br> <input type="checkbox" disabled>Empty entries<br> <input type="checkbox" disabled checked>Hidden registry entries (rootkit activity)<br> <input type="checkbox" disabled checked>Exclusively opened files<br> <input type="checkbox" disabled checked>Not found files<br> <input type="checkbox" disabled checked>Files without detailed information<br> <input type="checkbox" disabled checked>Existing files<br> <input type="checkbox" disabled>Non-startable services<br> <input type="checkbox" disabled>Non-startable drivers<br> <input type="checkbox" disabled checked>Active entries<br> <input type="checkbox" disabled checked>Disabled entries<br> <br> <table border="1" cellpadding="0" cellspacing="0"> <tr> <th class="cap" width="20"> </th> <th 
class="cap">Risk</th> <th class="cap">Name</th> <th class="cap">Publisher</th> <th class="cap">Full Path</th> <th class="cap">Status</th> </tr> <tr> <td class="group" colspan="6">Control Panel Objects</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Nero BurnRights"</td> <td>"Nero AG"</td> <td>C:\Program Files\Nero\Nero 7\Nero Toolkit\NeroBurnRights.cpl</td> <td>File exists</td> </tr> <tr> <td class="group" colspan="6">Drivers</td> </tr> <tr> <td class="reg" colspan="6">HKLM\SYSTEM\CurrentControlSet\Services</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"avgntflt" (avgntflt)</td> <td>"Avira GmbH"</td> <td>C:\Windows\System32\DRIVERS\avgntflt.sys</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"avipbb" (avipbb)</td> <td>"Avira GmbH"</td> <td>C:\Windows\System32\DRIVERS\avipbb.sys</td> <td>File exists</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">"catchme" (catchme)</td> <td class="notfound"></td> <td class="notfound">C:\Users\admin\AppData\Local\Temp\catchme.sys</td> <td class="notfound">File not found</td> </tr> <tr> <td class="nodetails"><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td class="nodetails">"Hotkey" (Hotkey)</td> <td class="nodetails"></td> <td class="nodetails">C:\Windows\system32\drivers\Hotkey.sys</td> <td class="nodetails">File found, but it contains no detailed information</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">"IP in IP Tunnel Driver" (IpInIp)</td> <td class="notfound"></td> <td class="notfound">C:\Windows\System32\DRIVERS\ipinip.sys</td> <td 
class="notfound">File not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">"IPX Traffic Filter Driver" (NwlnkFlt)</td> <td class="notfound"></td> <td class="notfound">C:\Windows\System32\DRIVERS\nwlnkflt.sys</td> <td class="notfound">File not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">"IPX Traffic Forwarder Driver" (NwlnkFwd)</td> <td class="notfound"></td> <td class="notfound">C:\Windows\System32\DRIVERS\nwlnkfwd.sys</td> <td class="notfound">File not found</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"IVI ASPI Shell" (Iviaspi)</td> <td>"InterVideo, Inc."</td> <td>C:\Windows\System32\drivers\iviaspi.sys</td> <td>File exists</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">"mailKmd" (mailKmd)</td> <td class="notfound"></td> <td class="notfound">C:\Windows\system32\drivers\mailKmd.sys</td> <td class="notfound">File not found</td> </tr> <tr> <td class="rootkit"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="rootkit">"mbr" (mbr)</td> <td class="rootkit"></td> <td class="rootkit">C:\Users\admin\AppData\Local\Temp\mbr.sys</td> <td class="rootkit">Hidden registry entry, rootkit activity | File not found</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"ssmdrv" (ssmdrv)</td> <td>"Avira GmbH"</td> <td>C:\Windows\System32\DRIVERS\ssmdrv.sys</td> <td>File exists</td> </tr> <tr> <td class="group" colspan="6">Explorer</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Classes\Folder\shellex\ColumnHandlers</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class"</td> 
<td>"Nero AG"</td> <td>C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension"</td> <td>"Adobe Systems, Inc."</td> <td>C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll</td> <td>File exists</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Classes\Protocols\Filter</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL</td> <td>File exists</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Classes\Protocols\Handler</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class"</td> <td>"Microsoft Corporation"</td> <td>C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class"</td> <td>"Skype Technologies"</td> <td>C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>{828030A1-22C1-4009-854F-8E305202313F} "livecall"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0"</td> <td>"Microsoft Corporation"</td> <td>C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll</td> <td>File exists</td> </tr> <tr> 
<td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>{828030A1-22C1-4009-854F-8E305202313F} "msnim"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL</td> <td>File exists</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder"</td> <td class="notfound"></td> <td 
class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{00020d75-0000-0000-c000-000000000046} "lnkfile"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} "Meine freigegebenen Ordner"</td> <td>"Microsoft Corporation"</td> <td>C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler"</td> <td>"Microsoft Corporation"</td> <td>C:\Program Files\Microsoft Office\Office12\msohevi.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs 
rt">||||||</td> <td>{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class"</td> <td>"Nero AG"</td> <td>C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class"</td> <td>"Nero AG"</td> <td>C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll</td> <td>File exists</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning"</td> <td>"Avira GmbH"</td> <td>C:\Program Files\Avira\AntiVir Desktop\shlext.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{DBD8E168-244D-448C-9922-25508950D1DC} "USIShellExt Class"</td> <td>"Ulead Systems, Inc."</td> <td>C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll</td> <td>File exists</td> </tr> <tr> <td 
class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR"</td> <td>"Alexander Roshal"</td> <td>C:\Program Files\WinRAR\rarext.dll</td> <td>File exists</td> </tr> <tr> <td class="group" colspan="6">Internet Explorer</td> </tr> <tr> <td class="reg" colspan="6">HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}"<br>hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="reg" colspan="6">HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research"</td> <td>"Microsoft Corporation"</td> <td>C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL</td> <td>File exists</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> 
<td>{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader"</td> <td>"Adobe Systems Incorporated"</td> <td>C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll</td> <td>File exists</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">{7E853D72-626A-48EC-A868-BA8D5E23E045} "{7E853D72-626A-48EC-A868-BA8D5E23E045}"</td> <td class="notfound"></td> <td class="notfound"></td> <td class="notfound">File not found | COM-object registry key not found</td> </tr> <tr> <td class="group" colspan="6">Logon</td> </tr> <tr> <td class="reg" colspan="6">%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"desktop.ini"</td> <td></td> <td>C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</td> <td>File exists</td> </tr> <tr> <td class="reg" colspan="6">%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"desktop.ini"</td> <td></td> <td>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</td> <td>File exists</td> </tr> <tr> <td class="reg" colspan="6">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd</td> </tr> <tr> <td class="notfound"><input type="checkbox" disabled checked></td> <td class="rs rn"> </td> <td class="notfound">"StartupPrograms"</td> <td class="notfound"></td> <td class="notfound">rdpclip</td> <td class="notfound">File not found</td> </tr> <tr> <td class="reg" colspan="6">HKLM\Software\Microsoft\Windows\CurrentVersion\Run</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"avgnt"</td> <td>"Avira GmbH"</td> <td>"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled 
checked></td> <td class="rs ry">|||| </td> <td>"HotkeyApp"</td> <td>"Wistron"</td> <td>"C:\Program Files\Launch Manager\HotkeyApp.exe"</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>"IAAnotif"</td> <td>"Intel Corporation"</td> <td>"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>"LaunchAp"</td> <td></td> <td>"C:\Program Files\Launch Manager\LaunchAp.exe"</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>"LMgrOSD"</td> <td>"Wistron Corp."</td> <td>"C:\Program Files\Launch Manager\OSD.exe"</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>"NeroFilterCheck"</td> <td>"Nero AG"</td> <td>C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>"Wbutton"</td> <td></td> <td>"C:\Program Files\Launch Manager\Wbutton.exe"</td> <td>File exists</td> </tr> <tr> <td class="group" colspan="6">Print Monitors</td> </tr> <tr> <td class="reg" colspan="6">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Microsoft Document Imaging Writer Monitor"</td> <td>"Microsoft Corporation"</td> <td>C:\Windows\system32\mdimon.dll</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Send To Microsoft OneNote Monitor"</td> <td>"Microsoft Corporation"</td> <td>C:\Windows\system32\msonpmon.dll</td> <td>File exists</td> </tr> <tr> <td class="group" colspan="6">Services</td> </tr> <tr> <td class="reg" colspan="6">HKLM\SYSTEM\CurrentControlSet\Services</td> </tr> <tr> 
<td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Avira AntiVir Guard" (AntiVirService)</td> <td>"Avira GmbH"</td> <td>C:\Program Files\Avira\AntiVir Desktop\avguard.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Avira AntiVir Planer" (AntiVirSchedulerService)</td> <td>"Avira GmbH"</td> <td>C:\Program Files\Avira\AntiVir Desktop\sched.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Firebird Server - MAGIX Instance" (FirebirdServerMAGIXInstance)</td> <td>"MAGIX®"</td> <td>C:\Program Files\Hofer Foto Service\Common\Database\bin\fbserver.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Intel(R) Matrix Storage Event Monitor" (IAANTMON)</td> <td>"Intel Corporation"</td> <td>C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"IviRegMgr" (IviRegMgr)</td> <td>"InterVideo"</td> <td>C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"LightScribeService Direct Disc Labeling Service" (LightScribeService)</td> <td>"Hewlett-Packard Company"</td> <td>C:\Program Files\Common Files\LightScribe\LSSrvc.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs ry">|||| </td> <td>"Messenger USN Journal Reader-Service für freigegebene Ordner" (usnjsvc)</td> <td>"Microsoft Corporation"</td> <td>C:\Program Files\MSN Messenger\usnsvc.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Microsoft Office Diagnostics Service" (odserv)</td> 
<td>"Microsoft Corporation"</td> <td>C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"NBService" (NBService)</td> <td>"Nero AG"</td> <td>C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"NMIndexingService" (NMIndexingService)</td> <td>"Nero AG"</td> <td>C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Office Source Engine" (ose)</td> <td>"Microsoft Corporation"</td> <td>C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"Ulead Burning Helper" (UleadBurningHelper)</td> <td>"Ulead Systems, Inc."</td> <td>C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe</td> <td>File exists</td> </tr> <tr> <td><input type="checkbox" disabled checked></td> <td class="rs rt">||||||</td> <td>"WisLMSvc" (WisLMSvc)</td> <td>"Wistron Corp."</td> <td>C:\Program Files\Launch Manager\WisLMSvc.exe</td> <td>File exists</td> </tr> </table> <p>If You have questions or want to get some help, You can visit <a href="hxxp://forum.online-solutions.ru" target="_blank">hxxp://forum.online-solutions.ru</a></p> </body></html> |
And here is the bootkit log as an attachment.
No, you ran OSAM incorrectly or posted the wrong log. Please follow the instructions for OSAM.
Oh, sorry. I had saved it as HTML... So here is the OSAM logfile again: Code: Report of OSAM: Autorun Manager v5.0.11926.0
Quote:
Said and done.... It apparently also deleted something from Avira - now the Guard doesn't work anymore :( And I can't delete "mailkmd" "from storage"? What actually is this here:
"catchme" (catchme) - ? - C:\Users\admin\AppData\Local\Temp\catchme.sys (File not found)
"mbr" (mbr) - ? - C:\Users\admin\AppData\Local\Temp\mbr.sys (Hidden registry entry, rootkit activity | File not found)
So here is the OSAM report:
(Success) HKLM\SYSTEM\CurrentControlSet\Services\AntiVirService Avira AntiVir Guard Avira GmbH C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved Shell Extension for Malware scanning Avira GmbH C:\Program Files\Avira\AntiVir Desktop\shlext.dll (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved Sam Account Folder (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved Explorer Query Band (Success) HKLM\SYSTEM\CurrentControlSet\Services\Iviaspi IVI ASPI Shell InterVideo, Inc.
C:\Windows\System32\drivers\iviaspi.sys (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Run avgnt Avira GmbH C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ActiveDirectory Folder (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved NeroDigitalPropSheetHandler Class Nero AG C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Success) HKLM\SYSTEM\CurrentControlSet\Services\IAANTMON Intel(R) Matrix Storage Event Monitor Intel Corporation C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe (Success) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} An OneNote senden Microsoft Corporation C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls Nero BurnRights Nero AG C:\Program Files\Nero\Nero 7\Nero Toolkit\NeroBurnRights.cpl (Success) HKLM\Software\Classes\Protocols\Handler\skype4com IEProtocolHandler Class Skype Technologies C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved USIShellExt Class Ulead Systems, Inc. C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll (Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Run LMgrOSD Wistron Corp. 
|
What all did you delete there?? All the entries you quoted??? :eek: :stirn: |
It deleted them when I ticked what you wrote me instead of "remove" - oh crap, I'm even too stupid to read ... great. Should I do a system restore? - there's a restore point from today, because of the updates.... |
You were only supposed to remove the entry with mailkmd! :stirn: Try the system restore. |
I know... I could shoot myself to the moon... the system restore seems to have worked.... here is the newest OSAM log (am I right in assuming that I should remove mailkmd?) OSAM Logfile: Code: Report of OSAM: Autorun Manager v5.0.11926.0 |
Lucky :D This time please really only fix the mailkmd entry with OSAM |
Oh yes... biiiig luck :crazy: so here is the report (Failed) Cannot find object strange, isn't it? I just made another log, and it's no longer in there either - good or bad? OSAM Logfile: Code: Report of OSAM: Autorun Manager v5.0.11926.0 |
Copyright ©2000-2025, Trojaner-Board