Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Spätfolgen von Thinkpoint (https://www.trojaner-board.de/92310-spaetfolgen-thinkpoint.html)

Poldyxxx 29.10.2010 10:40
Spätfolgen von Thinkpoint
 
Hallo,
zuerst einmal möchte ich mich bei Euch bedanken, das Board hat mir bisher bei der Virenbekämpfung sehr viel geholfen.
Leider scheint aber noch nicht alles entfernt zu sein.
Ich habe mir diese Woche den Thinkpoint UND den Antimalware Doctor zeitgleich eingefangen. Die Auswirkung lasse ich mal weg, denn die wurden ja in anderen Threads schon geschildert.
Über den DOS Modus konnte ich Malwarebytes und Rkill starten. Mit dieser Kombination habe ich ca 10 Scans durchgeführt und jedes mal wurden neue andere Viren gefunden. Unter anderem auch ein Rootkit, dieser hat 2 neue Admin Benutzer angelegt, die es vorher nicht gab.
TDSS habe ich zum Schluß auch nochmal verwendet, da kam auch noch ein Treffer zum vorschein
Es ist zwar alles entfernt aber ich habe noch nicht wieder alle Rechte, denn ich kann z.b. keine Programme installieren.
Da kommt eine Meldung von Presetup, das ich nicht ausreichende Rechte hätte.
Könnt Ihr mir bitte bei dieser Sache mal persönlich helfen, denn jetzt komme ich nicht mehr weiter.
Logs von OTL und Mbam sind mit dabei, aber nur die letzten.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4986

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29.10.2010 11:14:04
mbam-log-2010-10-29 (11-14-04).txt

Scan type: Quick scan
Objects scanned: 147788
Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL:

cosinus 31.10.2010 13:59
Zitat:
TDSS habe ich zum Schluß auch nochmal verwendet, da kam auch noch ein Treffer zum vorschein
Log bitte posten. Auch alle Malwarebytes Logfiles nachreichen, sofern es nochmehr davon gibt.

Poldyxxx 31.10.2010 19:28
Hier sind alle Logs von Malwarebytes die etwas gefunden haben und die beiden von TDSS kommen kurz danach.

Ich habe ein diesem Tag mehrere Updates von Malwarebytes gemacht und meistens wurde direkt danach noch was gefunden.
Ich habe inzwischen gemerkt, das mein Rechner stabil läuft. solange ich keine Verbindung zum Internet habe. Sobald es eine Verbindung gibt öffnen sich bei den Prozessen im Taskmanager mehrere Internet Explorer, die sind aber nicht sichtbar.

Poldyxxx 31.10.2010 19:30
Und die beiden TDSS Logs

cosinus 31.10.2010 19:36
Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
  • Doppelklick auf die OTL.exe
  • Vista User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
  • Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
  • Unter Extra Registry, wähle bitte Use SafeList
  • Klicke nun auf Run Scan links oben
  • Wenn der Scan beendet wurde werden 2 Logfiles erstellt
  • Poste die Logfiles hier in den Thread.

Poldyxxx 01.11.2010 14:31
So, hier noch der aktuelle Log von OTL

cosinus 01.11.2010 18:17
Beende alle Programme, starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Code:
:OTL
O4 - HKCU..\Run: [ajndufhiad.exe] C:\ajndufhiad.exe\ajndufhiad.exe File not found
O4 - HKCU..\Run: [HPUnQURrtc] C:\DOKUME~1\User\LOKALE~1\Temp\sysedit.exe File not found
O32 - AutoRun File - [2002.12.31 13:00:00 | 000,000,112 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{2fe25c03-3114-11df-a103-0015c5ba2c51}\Shell - "" = AutoRun
O33 - MountPoints2\{2fe25c03-3114-11df-a103-0015c5ba2c51}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2fe25c03-3114-11df-a103-0015c5ba2c51}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe -- File not found
O33 - MountPoints2\{4635e439-76f5-11df-a12e-0018de707224}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{6ffe385a-1bda-11df-a0e2-0018de707224}\Shell\AutoRun\command - "" = E:\PowerSeller\NeuKunden.exe -- File not found
O33 - MountPoints2\{f3dabbf2-337d-11df-a104-001e101f305f}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O33 - MountPoints2\{ff708ad9-2f70-11df-a100-0018de707224}\Shell - "" = AutoRun
O33 - MountPoints2\{ff708ad9-2f70-11df-a100-0018de707224}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ff708ad9-2f70-11df-a100-0018de707224}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe -- File not found
O33 - MountPoints2\{ff708ae0-2f70-11df-a100-0018de707224}\Shell - "" = AutoRun
O33 - MountPoints2\{ff708ae0-2f70-11df-a100-0018de707224}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ff708ae0-2f70-11df-a100-0018de707224}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe -- File not found
[2010.10.29 09:32:24 | 000,000,000 | ---D | C] -- C:\tssdd
[2010.10.26 08:37:15 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\All Users\Dokumente\Server
[2010.11.01 14:25:21 | 000,765,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\fwuwegd.sys
[2010.10.29 08:43:40 | 000,294,912 | ---- | M] () -- C:\Programme\71gybnqp.exe
[2010.10.29 07:55:10 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Prubuqug.dat
[2010.10.29 07:55:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ovofuyutomob.bin
[2010.10.28 19:15:51 | 000,000,376 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20101028201550.job
[2010.10.27 15:42:29 | 000,471,642 | ---- | M] () -- C:\Programme\Load.exe
[2010.10.26 10:52:26 | 000,364,032 | ---- | M] () -- C:\Programme\rk.com
[2010.10.26 10:52:26 | 000,364,032 | ---- | M] () -- C:\Dokumente und Einstellungen\User\Desktop\rk.com
[2010.10.07 20:51:45 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
:Commands
[purity]
[resethosts]
[emptytemp]
Klick dann oben links auf den Button Fix!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

Poldyxxx 02.11.2010 10:50
So, hier das Textfile nach dem Fix mit OTL. Komischerweise konnte ich es als File nicht anhängen.

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ajndufhiad.exe deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\HPUnQURrtc deleted successfully.
File move failed. D:\AUTORUN.INF scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2fe25c03-3114-11df-a103-0015c5ba2c51}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fe25c03-3114-11df-a103-0015c5ba2c51}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2fe25c03-3114-11df-a103-0015c5ba2c51}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fe25c03-3114-11df-a103-0015c5ba2c51}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2fe25c03-3114-11df-a103-0015c5ba2c51}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fe25c03-3114-11df-a103-0015c5ba2c51}\ not found.
File E:\setup_vmc_lite.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4635e439-76f5-11df-a12e-0018de707224}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4635e439-76f5-11df-a12e-0018de707224}\ not found.
File E:\InstallTomTomHOME.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ffe385a-1bda-11df-a0e2-0018de707224}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ffe385a-1bda-11df-a0e2-0018de707224}\ not found.
File E:\PowerSeller\NeuKunden.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f3dabbf2-337d-11df-a104-001e101f305f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f3dabbf2-337d-11df-a104-001e101f305f}\ not found.
File E:\setupSNK.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff708ad9-2f70-11df-a100-0018de707224}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff708ad9-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff708ad9-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff708ad9-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff708ad9-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff708ad9-2f70-11df-a100-0018de707224}\ not found.
File E:\setup_vmc_lite.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff708ae0-2f70-11df-a100-0018de707224}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff708ae0-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff708ae0-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff708ae0-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff708ae0-2f70-11df-a100-0018de707224}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff708ae0-2f70-11df-a100-0018de707224}\ not found.
File E:\setup_vmc_lite.exe not found.
C:\tssdd folder moved successfully.
Folder move failed. C:\Dokumente und Einstellungen\All Users\Dokumente\Server scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\fwuwegd.sys scheduled to be moved on reboot.
C:\Programme\71gybnqp.exe moved successfully.
C:\WINDOWS\Prubuqug.dat moved successfully.
C:\WINDOWS\Ovofuyutomob.bin moved successfully.
C:\WINDOWS\tasks\WebReg 20101028201550.job moved successfully.
C:\Programme\Load.exe moved successfully.
C:\Programme\rk.com moved successfully.
C:\Dokumente und Einstellungen\User\Desktop\rk.com moved successfully.
C:\WINDOWS\WMSysPr9.prx moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 15439689 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 3366 bytes

User: User
->Temp folder emptied: 274932134 bytes
->Temporary Internet Files folder emptied: 11314529 bytes
->Java cache emptied: 13 bytes
->FireFox cache emptied: 27787117 bytes
->Flash cache emptied: 893 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2244925 bytes
%systemroot%\System32 .tmp files removed: 2951 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 683056 bytes
RecycleBin emptied: 6410165 bytes

Total Files Cleaned = 323,00 mb


OTL by OldTimer - Version 3.2.17.1 log created on 11022010_103842

Files\Folders moved on Reboot...
File move failed. D:\AUTORUN.INF scheduled to be moved on reboot.
Folder move failed. C:\Dokumente und Einstellungen\All Users\Dokumente\Server scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\fwuwegd.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...

cosinus 02.11.2010 15:14
Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.
http://saved.im/mtm0nzyzmzd5/cofi.jpg
  • Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.
  • Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
    Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Poldyxxx 02.11.2010 15:46
DIe CCleaner Anweisung habe ich komplett ausgeführt. Allerdings kann ich Combofix nicht ausführen. Ich habe es umbenannt, auf dem Desktop gespeichert und Viren Scanner und Firewall abgeschaltet.

Es kommte eine Meldung " Auf das angegebene Gerät, bzw den Pfad oder die Datei......Berechtigungen um auf das Element zugreifen zu können"

Die selbe Meldung , die ich seit ver Virus Infektion immer beim Installieren von anderen Programmen bekommen habe. Nach "Ok" kommt diese Meldung noch von ca 20 anderen Programmen.

cosinus 02.11.2010 15:50
Starte den Rechner neu und probier es bitte nochmal.

Poldyxxx 02.11.2010 15:57
Leider passiert auch nach einem Neustart dasselbe (Viren Scanner wieder ausgeschaltet)

cosinus 02.11.2010 16:05
Fraglich ob wir Dein System noch retten können, denn Du sagtest 20 andere Programme haben auch diesen Fehler :balla:

Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus


Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
  • Doppelklick auf die MBRCheck.exe.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Das Tool braucht nur eine Sekunde.
  • Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.
Poste mir bitte den Inhalt des .txt Dokumentes

Poldyxxx 02.11.2010 16:13
EIne Kleinigkeit muß ich korrigieren. Es sind insgesamt nur 4 Programme, die versuchen sich aber immer wieder zu öffnen, daher kam die Meldung so oft.

Es sind der Iexplorer, n.pif, hider.exe und nircmd.cfxxe (findet kein Programm zum öffnen)

cosinus 02.11.2010 20:00
Zumindest die nircmd wird von CF benutzt. Mach mal bitte die anderen Logs, CF läuft ja (noch) nicht bei Dir.

Poldyxxx 03.11.2010 10:54
GMER hat bei mir funktioniert, hat aber lange gedauert, deswegen kann ich die Logs erst heute schicken. OSAM ist zu groß das kommt mit der nächsten Nachricht

Poldyxxx 03.11.2010 11:07
Das eigentliche Log kam als Web File und konnte hier nicht hochgeladen werden und als Textfile war es zu groß, dahe habe ich den Text hier rein kopiert. Ist das ok so, oder soll ich das Textfile komprimieren, oder vom Web File Bildschirmfotos machen?

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:29:03 on 02.11.2010
OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries
Risk Name Publisher Full Path Status
Common
%SystemRoot%\Tasks
|| "WGASetup.job" "Microsoft Corporation" C:\WINDOWS\system32\KB905474\wgasetup.exe File exists
Control Panel Objects
%SystemRoot%\system32
|||||| "BCMWLCPL.CPL" "Dell Inc." C:\WINDOWS\system32\BCMWLCPL.CPL File exists
|||||| "infocardcpl.cpl" "Microsoft Corporation" C:\WINDOWS\system32\infocardcpl.cpl File exists
|||||| "javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists
|||||| "NicConfigSvc.cpl" "Dell Inc." C:\WINDOWS\system32\NicConfigSvc.cpl File exists
|||||| "nvcpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvcpl.cpl File exists
|||||| "nvtuicpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvtuicpl.cpl File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "Nero BurnRights" "Nero AG" C:\Programme\Nero\Nero8\Nero Toolkit\NeroBurnRights.cpl File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "AFS2k" (AFS2K) "Oak Technology Inc." C:\WINDOWS\system32\drivers\AFS2K.sys File exists
"ageyykoc" (ageyykoc) C:\DOKUME~1\User\LOKALE~1\Temp\ageyykoc.sys Hidden registry entry, rootkit activity | File not found
|||||| "APPDRV" (APPDRV) "Dell Inc" C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS File exists
|||||| "Bytemobile Boot Time Load Driver" (BMLoad) "Bytemobile, Inc." C:\WINDOWS\System32\drivers\BMLoad.sys File exists
|||||| "Bytemobile Kernel Network Provider" (tcpipBM) "Bytemobile, Inc." C:\WINDOWS\system32\drivers\tcpipBM.sys File exists
"Changer" (Changer) C:\WINDOWS\system32\drivers\Changer.sys File not found
|||||| "Conexant Setup API" (UIUSys) "Conexant" C:\WINDOWS\System32\drivers\UIUSys.sys File exists
|||||| "DgiVecp" (DgiVecp) "Samsung Electronics Co., Ltd." C:\WINDOWS\system32\Drivers\DgiVecp.sys File exists
|||||| "drvmcdb" (drvmcdb) "Sonic Solutions" C:\WINDOWS\System32\drivers\drvmcdb.sys File exists
|||||| "drvnddm" (drvnddm) "Sonic Solutions" C:\WINDOWS\System32\drivers\drvnddm.sys File exists
"fwuwegd" (fwuwegd) "Windows (R) Codename Longhorn DDK provider" C:\WINDOWS\system32\drivers\fwuwegd.sys Hidden file | Hidden registry entry, rootkit activity
"i2omgmt" (i2omgmt) C:\WINDOWS\system32\drivers\i2omgmt.sys File not found
"lbrtfdc" (lbrtfdc) C:\WINDOWS\system32\drivers\lbrtfdc.sys File not found
"PCIDump" (PCIDump) C:\WINDOWS\system32\drivers\PCIDump.sys File not found
"PDCOMP" (PDCOMP) C:\WINDOWS\system32\drivers\PDCOMP.sys File not found
"PDFRAME" (PDFRAME) C:\WINDOWS\system32\drivers\PDFRAME.sys File not found
"PDRELI" (PDRELI) C:\WINDOWS\system32\drivers\PDRELI.sys File not found
"PDRFRAME" (PDRFRAME) C:\WINDOWS\system32\drivers\PDRFRAME.sys File not found
|||||| "PxHelp20" (PxHelp20) "Sonic Solutions" C:\WINDOWS\System32\Drivers\PxHelp20.sys File exists
|||||| "sscdbhk5" (sscdbhk5) "Sonic Solutions" C:\WINDOWS\System32\drivers\sscdbhk5.sys File exists
"SSPORT" (SSPORT) C:\WINDOWS\system32\Drivers\SSPORT.sys File not found
|||||| "ssrtln" (ssrtln) "Sonic Solutions" C:\WINDOWS\System32\drivers\ssrtln.sys File exists
|||||| "tfsnboio" (tfsnboio) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnboio.sys File exists
|||||| "tfsncofs" (tfsncofs) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsncofs.sys File exists
|||||| "tfsndrct" (tfsndrct) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsndrct.sys File exists
"tfsndres" (tfsndres) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsndres.sys File exists
|||||| "tfsnifs" (tfsnifs) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnifs.sys File exists
|||||| "tfsnopio" (tfsnopio) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnopio.sys File exists
|||||| "tfsnpool" (tfsnpool) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnpool.sys File exists
|||||| "tfsnudf" (tfsnudf) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnudf.sys File exists
|||||| "tfsnudfa" (tfsnudfa) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnudfa.sys File exists
"WDICA" (WDICA) C:\WINDOWS\system32\drivers\WDICA.sys File not found
Explorer
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
|||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install File exists
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
HKLM\Software\Classes\Protocols\Filter
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL File exists
HKLM\Software\Classes\Protocols\Handler
|||||| {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL File exists
|||||| {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|||||| {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" "Igor Pavlov" C:\Programme\7-Zip\7-zip.dll File exists
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" deskpan.dll File not found
|||||| {1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {5CA3D70E-1895-11CF-8E15-001234567890} "DriveLetterAccess" "Sonic Solutions" C:\WINDOWS\system32\dla\tfswshx.dll File exists
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" File not found | COM-object registry key not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" File not found | COM-object registry key not found
|||||| {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" "Microsoft Corporation" C:\Programme\Microsoft Office\OFFICE11\msohev.dll File exists
|||||| {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL File exists
|||||| {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" "Nero AG" C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll File exists
|||||| {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {A4DF5659-0801-4A60-9607-1C48695EFDA9} "Ordner HP Share-to-Web" "Hewlett-Packard" C:\Programme\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL File exists
|||||| {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL File exists
|||||| {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" "RealNetworks, Inc." C:\Programme\Real\RealPlayer\rpshell.dll File exists
|||||| {DEE12703-6333-4D4E-8F34-738C4DCC2E04} "RecordNow! SendToExt" C:\Programme\Sonic\Sonic Solutions Product CD\RecordNow! Plus\shlext.dll File exists
|||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" File not found | COM-object registry key not found
|||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
|||||| {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL File exists
|||||| {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" C:\Programme\WinRAR\rarext.dll File exists
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
ITBar7Height "ITBar7Height" File not found | COM-object registry key not found
"ITBar7Layout" File not found | COM-object registry key not found
"ITBarLayout" File not found | COM-object registry key not found
"{D4027C7F-154A-4066-A1AD-4243D8127440}" File not found | COM-object registry key not found
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||| {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||||| {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object"
hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab "Adobe Systems, Inc." C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
|||| {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} "ClsidExtension" "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||||| {53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" "Safer Networking Limited" C:\PROGRA~1\SPYBOT~1\SDHelper.dll File exists
|||| {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{F8495F2A-BB16-46C2-87EE-6439F2CC57E4} "{F8495F2A-BB16-46C2-87EE-6439F2CC57E4}" File not found | COM-object registry key not found
Logon
%AllUsersProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini File exists
%UserProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\User\Startmenü\Programme\Autostart\desktop.ini File exists
|||| "OpenOffice.org 2.4.lnk" C:\Programme\OpenOffice.org 2.4\program\quickstart.exe Shortcut exists | File found, but it contains no detailed information | File exists
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|||||| "SpybotSD TeaTimer" "Safer-Networking Ltd." C:\Programme\Spybot - Search & Destroy\TeaTimer.exe File exists
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" "Microsoft Corporation" C:\WINDOWS\Explorer.exe File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|||| "Adobe ARM" "Adobe Systems Incorporated" "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" File exists
|||| "Adobe Reader Speed Launcher" "Adobe Systems Incorporated" "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" File exists
|||| "Broadcom Wireless Manager UI" "Dell Inc." C:\WINDOWS\system32\WLTRAY.exe File exists
|||| "Dell QuickSet" "Dell Inc" C:\Programme\Dell\QuickSet\quickset.exe File exists
|||||| "dla" "Sonic Solutions" C:\WINDOWS\system32\dla\tfswctrl.exe File exists
|||| "DVDLauncher" "CyberLink Corp." "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe" File exists
|||||| "IntelWireless" "Intel(R) Corporation" "C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray File exists
|||| "IntelZeroConfig" "Intel(R) Corporation" "C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe" File exists
|||| "MobileConnect" "Vodafone" %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent File exists
|||| "nwiz" "NVIDIA Corporation" nwiz.exe /install File exists
|||| "Samsung PanelMgr" C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun File exists
|||| "Share-to-Web Namespace Daemon" "Hewlett-Packard" C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe File exists
|||| "SunJavaUpdateSched" "Sun Microsystems, Inc." "C:\Programme\Java\jre1.6.0_04\bin\jusched.exe" File exists
|||| "UpdateManager" "Sonic Solutions" "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r File exists
Network Providers
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
|||||| "Dell Wireless WLAN Card Logon Provider" "Dell Inc." C:\WINDOWS\System32\BCMLogon.dll File exists
|||||| "IntelNetProvCredMan" "Intel(R) Corporation" C:\WINDOWS\system32\netprovcredman.dll File exists
Print Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
|||||| "Microsoft Document Imaging Writer Monitor" "Microsoft Corporation" C:\WINDOWS\system32\mdimon.dll File exists
|||||| "PDFCreator" C:\WINDOWS\system32\pdfcmnnt.dll File found, but it contains no detailed information
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists
|||||| "ASP.NET State Service" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe File exists
|||||| "Dell Wireless WLAN Tray Service" (wltrysvc) C:\WINDOWS\System32\WLTRYSVC.EXE File found, but it contains no detailed information
|||||| "ForceWare IP service" (nSvcIp) "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe File exists
|||||| "ForceWare user log service" (nSvcLog) "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe File exists
"Forceware Web Interface" (ForcewareWebInterface) "C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice File not found
|||||| "Intel(R) PROSet/Wireless Event Log" (EvtEng) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\EvtEng.exe File exists
|||||| "Intel(R) PROSet/Wireless Registry Service" (RegSrvc) "Intel(R) Corporation" C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\RegSrvc.exe File exists
"Intel(R) PROSet/Wireless SSO Service" (WLANKEEPER) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\WLKeeper.exe File exists
|||||| "Intel(R) PROSet/Wireless WiFi Service" (S24EventMonitor) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\S24EvMon.exe File exists
|||||| "Nero BackItUp Scheduler 3" (Nero BackItUp Scheduler 3) "Nero AG" C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe File exists
|||||| "NICCONFIGSVC" (NICCONFIGSVC) "Dell Inc." C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe File exists
|||||| "NMIndexingService" (NMIndexingService) "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe File exists
|||||| "Office Source Engine" (ose) "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE File exists
|||||| "Vodafone Mobile Connect Service" (VMCService) "Vodafone" C:\Programme\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe File exists
|||||| "Windows CardSpace" (idsvc) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe File exists

cosinus 03.11.2010 13:52
Zitat:
"ageyykoc" (ageyykoc) C:\DOKUME~1\User\LOKALE~1\Temp\ageyykoc.sys Hidden registry entry, rootkit activity | File not found
"fwuwegd" (fwuwegd) "Windows (R) Codename Longhorn DDK provider" C:\WINDOWS\system32\drivers\fwuwegd.sys Hidden file | Hidden registry entry, rootkit activity
Bitte mit OSAM deaktivieren und löschen

Poldyxxx 03.11.2010 16:50
Hier die 2 logs, einmal vor dem Entfernen und einmal danach.

Das File "ageyykoc" wurde allerdings heute Morgen von Osam gar nicht mehr gefunden, , bei keinem der Durchläufe. Das andere wurde nach dem Löschen nicht mehr angezeigt.

OSAM Log vorher:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 15:17:12 on 03.11.2010
OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries
Risk Name Publisher Full Path Status
Common
%SystemRoot%\Tasks
|| "WGASetup.job" "Microsoft Corporation" C:\WINDOWS\system32\KB905474\wgasetup.exe File exists
Control Panel Objects
%SystemRoot%\system32
|||||| "BCMWLCPL.CPL" "Dell Inc." C:\WINDOWS\system32\BCMWLCPL.CPL File exists
|||||| "infocardcpl.cpl" "Microsoft Corporation" C:\WINDOWS\system32\infocardcpl.cpl File exists
|||||| "javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists
|||||| "NicConfigSvc.cpl" "Dell Inc." C:\WINDOWS\system32\NicConfigSvc.cpl File exists
|||||| "nvcpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvcpl.cpl File exists
|||||| "nvtuicpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvtuicpl.cpl File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "Nero BurnRights" "Nero AG" C:\Programme\Nero\Nero8\Nero Toolkit\NeroBurnRights.cpl File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "AFS2k" (AFS2K) "Oak Technology Inc." C:\WINDOWS\system32\drivers\AFS2K.sys File exists
|||||| "APPDRV" (APPDRV) "Dell Inc" C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS File exists
|||||| "Bytemobile Boot Time Load Driver" (BMLoad) "Bytemobile, Inc." C:\WINDOWS\System32\drivers\BMLoad.sys File exists
|||||| "Bytemobile Kernel Network Provider" (tcpipBM) "Bytemobile, Inc." C:\WINDOWS\system32\drivers\tcpipBM.sys File exists
"Changer" (Changer) C:\WINDOWS\system32\drivers\Changer.sys File not found
|||||| "Conexant Setup API" (UIUSys) "Conexant" C:\WINDOWS\System32\drivers\UIUSys.sys File exists
|||||| "DgiVecp" (DgiVecp) "Samsung Electronics Co., Ltd." C:\WINDOWS\system32\Drivers\DgiVecp.sys File exists
|||||| "drvmcdb" (drvmcdb) "Sonic Solutions" C:\WINDOWS\System32\drivers\drvmcdb.sys File exists
|||||| "drvnddm" (drvnddm) "Sonic Solutions" C:\WINDOWS\System32\drivers\drvnddm.sys File exists
"i2omgmt" (i2omgmt) C:\WINDOWS\system32\drivers\i2omgmt.sys File not found
"lbrtfdc" (lbrtfdc) C:\WINDOWS\system32\drivers\lbrtfdc.sys File not found
"PCIDump" (PCIDump) C:\WINDOWS\system32\drivers\PCIDump.sys File not found
"PDCOMP" (PDCOMP) C:\WINDOWS\system32\drivers\PDCOMP.sys File not found
"PDFRAME" (PDFRAME) C:\WINDOWS\system32\drivers\PDFRAME.sys File not found
"PDRELI" (PDRELI) C:\WINDOWS\system32\drivers\PDRELI.sys File not found
"PDRFRAME" (PDRFRAME) C:\WINDOWS\system32\drivers\PDRFRAME.sys File not found
|||||| "PxHelp20" (PxHelp20) "Sonic Solutions" C:\WINDOWS\System32\Drivers\PxHelp20.sys File exists
|||||| "sscdbhk5" (sscdbhk5) "Sonic Solutions" C:\WINDOWS\System32\drivers\sscdbhk5.sys File exists
"SSPORT" (SSPORT) C:\WINDOWS\system32\Drivers\SSPORT.sys File not found
|||||| "ssrtln" (ssrtln) "Sonic Solutions" C:\WINDOWS\System32\drivers\ssrtln.sys File exists
|||||| "tfsnboio" (tfsnboio) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnboio.sys File exists
|||||| "tfsncofs" (tfsncofs) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsncofs.sys File exists
|||||| "tfsndrct" (tfsndrct) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsndrct.sys File exists
"tfsndres" (tfsndres) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsndres.sys File exists
|||||| "tfsnifs" (tfsnifs) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnifs.sys File exists
|||||| "tfsnopio" (tfsnopio) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnopio.sys File exists
|||||| "tfsnpool" (tfsnpool) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnpool.sys File exists
|||||| "tfsnudf" (tfsnudf) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnudf.sys File exists
|||||| "tfsnudfa" (tfsnudfa) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnudfa.sys File exists
"WDICA" (WDICA) C:\WINDOWS\system32\drivers\WDICA.sys File not found
"fwuwegd" (fwuwegd) "Windows (R) Codename Longhorn DDK provider" C:\WINDOWS\system32\drivers\fwuwegd.sys Hidden file | Hidden registry entry, rootkit activity
Explorer
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
|||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install File exists
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
HKLM\Software\Classes\Protocols\Filter
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL File exists
HKLM\Software\Classes\Protocols\Handler
|||||| {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL File exists
|||||| {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|||||| {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" "Igor Pavlov" C:\Programme\7-Zip\7-zip.dll File exists
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" deskpan.dll File not found
|||||| {1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {5CA3D70E-1895-11CF-8E15-001234567890} "DriveLetterAccess" "Sonic Solutions" C:\WINDOWS\system32\dla\tfswshx.dll File exists
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" File not found | COM-object registry key not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" File not found | COM-object registry key not found
|||||| {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" "Microsoft Corporation" C:\Programme\Microsoft Office\OFFICE11\msohev.dll File exists
|||||| {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL File exists
|||||| {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" "Nero AG" C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll File exists
|||||| {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {A4DF5659-0801-4A60-9607-1C48695EFDA9} "Ordner HP Share-to-Web" "Hewlett-Packard" C:\Programme\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL File exists
|||||| {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL File exists
|||||| {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" "RealNetworks, Inc." C:\Programme\Real\RealPlayer\rpshell.dll File exists
|||||| {DEE12703-6333-4D4E-8F34-738C4DCC2E04} "RecordNow! SendToExt" C:\Programme\Sonic\Sonic Solutions Product CD\RecordNow! Plus\shlext.dll File exists
|||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" File not found | COM-object registry key not found
|||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
|||||| {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL File exists
|||||| {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" C:\Programme\WinRAR\rarext.dll File exists
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
ITBar7Height "ITBar7Height" File not found | COM-object registry key not found
"ITBar7Layout" File not found | COM-object registry key not found
"ITBarLayout" File not found | COM-object registry key not found
"{D4027C7F-154A-4066-A1AD-4243D8127440}" File not found | COM-object registry key not found
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||| {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||||| {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object"
hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab "Adobe Systems, Inc." C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
|||| {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} "ClsidExtension" "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||||| {53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" "Safer Networking Limited" C:\PROGRA~1\SPYBOT~1\SDHelper.dll File exists
|||| {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{F8495F2A-BB16-46C2-87EE-6439F2CC57E4} "{F8495F2A-BB16-46C2-87EE-6439F2CC57E4}" File not found | COM-object registry key not found
Logon
%AllUsersProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini File exists
%UserProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\User\Startmenü\Programme\Autostart\desktop.ini File exists
|||| "OpenOffice.org 2.4.lnk" C:\Programme\OpenOffice.org 2.4\program\quickstart.exe Shortcut exists | File found, but it contains no detailed information | File exists
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|||||| "SpybotSD TeaTimer" "Safer-Networking Ltd." C:\Programme\Spybot - Search & Destroy\TeaTimer.exe File exists
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" "Microsoft Corporation" C:\WINDOWS\Explorer.exe File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|||| "Adobe ARM" "Adobe Systems Incorporated" "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" File exists
|||| "Adobe Reader Speed Launcher" "Adobe Systems Incorporated" "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" File exists
|||| "Broadcom Wireless Manager UI" "Dell Inc." C:\WINDOWS\system32\WLTRAY.exe File exists
|||| "Dell QuickSet" "Dell Inc" C:\Programme\Dell\QuickSet\quickset.exe File exists
|||||| "dla" "Sonic Solutions" C:\WINDOWS\system32\dla\tfswctrl.exe File exists
|||| "DVDLauncher" "CyberLink Corp." "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe" File exists
|||||| "IntelWireless" "Intel(R) Corporation" "C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray File exists
|||| "IntelZeroConfig" "Intel(R) Corporation" "C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe" File exists
|||| "MobileConnect" "Vodafone" %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent File exists
|||| "nwiz" "NVIDIA Corporation" nwiz.exe /install File exists
|||| "Samsung PanelMgr" C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun File exists
|||| "Share-to-Web Namespace Daemon" "Hewlett-Packard" C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe File exists
|||| "SunJavaUpdateSched" "Sun Microsystems, Inc." "C:\Programme\Java\jre1.6.0_04\bin\jusched.exe" File exists
|||| "UpdateManager" "Sonic Solutions" "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r File exists
Network Providers
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
|||||| "Dell Wireless WLAN Card Logon Provider" "Dell Inc." C:\WINDOWS\System32\BCMLogon.dll File exists
|||||| "IntelNetProvCredMan" "Intel(R) Corporation" C:\WINDOWS\system32\netprovcredman.dll File exists
Print Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
|||||| "Microsoft Document Imaging Writer Monitor" "Microsoft Corporation" C:\WINDOWS\system32\mdimon.dll File exists
|||||| "PDFCreator" C:\WINDOWS\system32\pdfcmnnt.dll File found, but it contains no detailed information
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists
|||||| "ASP.NET State Service" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe File exists
|||||| "Dell Wireless WLAN Tray Service" (wltrysvc) C:\WINDOWS\System32\WLTRYSVC.EXE File found, but it contains no detailed information
|||||| "ForceWare IP service" (nSvcIp) "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe File exists
|||||| "ForceWare user log service" (nSvcLog) "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe File exists
"Forceware Web Interface" (ForcewareWebInterface) "C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice File not found
|||||| "Intel(R) PROSet/Wireless Event Log" (EvtEng) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\EvtEng.exe File exists
|||||| "Intel(R) PROSet/Wireless Registry Service" (RegSrvc) "Intel(R) Corporation" C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\RegSrvc.exe File exists
"Intel(R) PROSet/Wireless SSO Service" (WLANKEEPER) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\WLKeeper.exe File exists
|||||| "Intel(R) PROSet/Wireless WiFi Service" (S24EventMonitor) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\S24EvMon.exe File exists
|||||| "Nero BackItUp Scheduler 3" (Nero BackItUp Scheduler 3) "Nero AG" C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe File exists
|||||| "NICCONFIGSVC" (NICCONFIGSVC) "Dell Inc." C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe File exists
|||||| "NMIndexingService" (NMIndexingService) "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe File exists
|||||| "Office Source Engine" (ose) "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE File exists
|||||| "Vodafone Mobile Connect Service" (VMCService) "Vodafone" C:\Programme\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe File exists
|||||| "Windows CardSpace" (idsvc) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe File exists
|||||| "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe File exists
Winlogon
HKCU\Control Panel\IOProcs
"MVB" mvfs32.dll File not found
Winsock Providers
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
|||||| "BMI over [MSAFD Tcpip [RAW/IP]]" "Bytemobile, Inc." C:\WINDOWS\system32\bmnet.dll File exists
|||||| "BMI over [MSAFD Tcpip [TCP/IP]]" "Bytemobile, Inc." C:\WINDOWS\system32\bmnet.dll File exists
|||||| "BMI over [MSAFD Tcpip [UDP/IP]]" "Bytemobile, Inc." C:\WINDOWS\system32\bmnet.dll File exists
If You have questions or

cosinus 03.11.2010 19:14
Ich seh nur ein Log, wo der eine Eintrag noch vorhanden ist. Wird der noch von OSAM angezeigt?

Poldyxxx 03.11.2010 22:56
Komisch, dann wurde der 2. Log wohl nicht hochgeladen. Dann nach mal hier:

Dieser kam NACH der Löschung

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 15:51:06 on 03.11.2010
OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries
Risk Name Publisher Full Path Status
Common
%SystemRoot%\Tasks
|| "WGASetup.job" "Microsoft Corporation" C:\WINDOWS\system32\KB905474\wgasetup.exe File exists
Control Panel Objects
%SystemRoot%\system32
|||||| "BCMWLCPL.CPL" "Dell Inc." C:\WINDOWS\system32\BCMWLCPL.CPL File exists
|||||| "infocardcpl.cpl" "Microsoft Corporation" C:\WINDOWS\system32\infocardcpl.cpl File exists
|||||| "javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists
|||||| "NicConfigSvc.cpl" "Dell Inc." C:\WINDOWS\system32\NicConfigSvc.cpl File exists
|||||| "nvcpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvcpl.cpl File exists
|||||| "nvtuicpl.cpl" "NVIDIA Corporation" C:\WINDOWS\system32\nvtuicpl.cpl File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "Nero BurnRights" "Nero AG" C:\Programme\Nero\Nero8\Nero Toolkit\NeroBurnRights.cpl File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "AFS2k" (AFS2K) "Oak Technology Inc." C:\WINDOWS\system32\drivers\AFS2K.sys File exists
|||||| "APPDRV" (APPDRV) "Dell Inc" C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS File exists
|||||| "Bytemobile Boot Time Load Driver" (BMLoad) "Bytemobile, Inc." C:\WINDOWS\System32\drivers\BMLoad.sys File exists
|||||| "Bytemobile Kernel Network Provider" (tcpipBM) "Bytemobile, Inc." C:\WINDOWS\system32\drivers\tcpipBM.sys File exists
"Changer" (Changer) C:\WINDOWS\system32\drivers\Changer.sys File not found
|||||| "Conexant Setup API" (UIUSys) "Conexant" C:\WINDOWS\System32\drivers\UIUSys.sys File exists
|||||| "DgiVecp" (DgiVecp) "Samsung Electronics Co., Ltd." C:\WINDOWS\system32\Drivers\DgiVecp.sys File exists
|||||| "drvmcdb" (drvmcdb) "Sonic Solutions" C:\WINDOWS\System32\drivers\drvmcdb.sys File exists
|||||| "drvnddm" (drvnddm) "Sonic Solutions" C:\WINDOWS\System32\drivers\drvnddm.sys File exists
"i2omgmt" (i2omgmt) C:\WINDOWS\system32\drivers\i2omgmt.sys File not found
"lbrtfdc" (lbrtfdc) C:\WINDOWS\system32\drivers\lbrtfdc.sys File not found
"PCIDump" (PCIDump) C:\WINDOWS\system32\drivers\PCIDump.sys File not found
"PDCOMP" (PDCOMP) C:\WINDOWS\system32\drivers\PDCOMP.sys File not found
"PDFRAME" (PDFRAME) C:\WINDOWS\system32\drivers\PDFRAME.sys File not found
"PDRELI" (PDRELI) C:\WINDOWS\system32\drivers\PDRELI.sys File not found
"PDRFRAME" (PDRFRAME) C:\WINDOWS\system32\drivers\PDRFRAME.sys File not found
|||||| "PxHelp20" (PxHelp20) "Sonic Solutions" C:\WINDOWS\System32\Drivers\PxHelp20.sys File exists
|||||| "sscdbhk5" (sscdbhk5) "Sonic Solutions" C:\WINDOWS\System32\drivers\sscdbhk5.sys File exists
"SSPORT" (SSPORT) C:\WINDOWS\system32\Drivers\SSPORT.sys File not found
|||||| "ssrtln" (ssrtln) "Sonic Solutions" C:\WINDOWS\System32\drivers\ssrtln.sys File exists
|||||| "tfsnboio" (tfsnboio) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnboio.sys File exists
|||||| "tfsncofs" (tfsncofs) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsncofs.sys File exists
|||||| "tfsndrct" (tfsndrct) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsndrct.sys File exists
"tfsndres" (tfsndres) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsndres.sys File exists
|||||| "tfsnifs" (tfsnifs) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnifs.sys File exists
|||||| "tfsnopio" (tfsnopio) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnopio.sys File exists
|||||| "tfsnpool" (tfsnpool) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnpool.sys File exists
|||||| "tfsnudf" (tfsnudf) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnudf.sys File exists
|||||| "tfsnudfa" (tfsnudfa) "Sonic Solutions" C:\WINDOWS\System32\dla\tfsnudfa.sys File exists
"WDICA" (WDICA) C:\WINDOWS\system32\drivers\WDICA.sys File not found
Explorer
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
|||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install File exists
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
HKLM\Software\Classes\Protocols\Filter
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL File exists
HKLM\Software\Classes\Protocols\Handler
|||||| {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL File exists
|||||| {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|||||| {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" "Igor Pavlov" C:\Programme\7-Zip\7-zip.dll File exists
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" deskpan.dll File not found
|||||| {1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {5CA3D70E-1895-11CF-8E15-001234567890} "DriveLetterAccess" "Sonic Solutions" C:\WINDOWS\system32\dla\tfswshx.dll File exists
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" File not found | COM-object registry key not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" File not found | COM-object registry key not found
|||||| {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" "Microsoft Corporation" C:\Programme\Microsoft Office\OFFICE11\msohev.dll File exists
|||||| {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL File exists
|||||| {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" "Nero AG" C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll File exists
|||||| {B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll File exists
|||||| {1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" "NVIDIA Corporation" C:\WINDOWS\system32\nvshell.dll File exists
|||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll File exists
|||||| {A4DF5659-0801-4A60-9607-1C48695EFDA9} "Ordner HP Share-to-Web" "Hewlett-Packard" C:\Programme\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL File exists
|||||| {0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL File exists
|||||| {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" "RealNetworks, Inc." C:\Programme\Real\RealPlayer\rpshell.dll File exists
|||||| {DEE12703-6333-4D4E-8F34-738C4DCC2E04} "RecordNow! SendToExt" C:\Programme\Sonic\Sonic Solutions Product CD\RecordNow! Plus\shlext.dll File exists
|||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" File not found | COM-object registry key not found
|||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists
|||||| {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" "Microsoft Corporation" C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL File exists
|||||| {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" C:\Programme\WinRAR\rarext.dll File exists
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
ITBar7Height "ITBar7Height" File not found | COM-object registry key not found
"ITBar7Layout" File not found | COM-object registry key not found
"ITBarLayout" File not found | COM-object registry key not found
"{D4027C7F-154A-4066-A1AD-4243D8127440}" File not found | COM-object registry key not found
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||| {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_04"
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||||| {D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object"
hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab "Adobe Systems, Inc." C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
|||| {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} "ClsidExtension" "Sun Microsystems, Inc." C:\Programme\Java\jre1.6.0_04\bin\npjpi160_04.dll File exists
|||||| {53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" "Safer Networking Limited" C:\PROGRA~1\SPYBOT~1\SDHelper.dll File exists
|||| {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" "Microsoft Corporation" C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{F8495F2A-BB16-46C2-87EE-6439F2CC57E4} "{F8495F2A-BB16-46C2-87EE-6439F2CC57E4}" File not found | COM-object registry key not found
Logon
%AllUsersProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini File exists
%UserProfile%\Startmenü\Programme\Autostart
|||||| "desktop.ini" C:\Dokumente und Einstellungen\User\Startmenü\Programme\Autostart\desktop.ini File exists
|||| "OpenOffice.org 2.4.lnk" C:\Programme\OpenOffice.org 2.4\program\quickstart.exe Shortcut exists | File found, but it contains no detailed information | File exists
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|||||| "SpybotSD TeaTimer" "Safer-Networking Ltd." C:\Programme\Spybot - Search & Destroy\TeaTimer.exe File exists
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" "Microsoft Corporation" C:\WINDOWS\Explorer.exe File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|||| "Adobe ARM" "Adobe Systems Incorporated" "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" File exists
|||| "Adobe Reader Speed Launcher" "Adobe Systems Incorporated" "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" File exists
|||| "Broadcom Wireless Manager UI" "Dell Inc." C:\WINDOWS\system32\WLTRAY.exe File exists
|||| "Dell QuickSet" "Dell Inc" C:\Programme\Dell\QuickSet\quickset.exe File exists
|||||| "dla" "Sonic Solutions" C:\WINDOWS\system32\dla\tfswctrl.exe File exists
|||| "DVDLauncher" "CyberLink Corp." "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe" File exists
|||||| "IntelWireless" "Intel(R) Corporation" "C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray File exists
|||| "IntelZeroConfig" "Intel(R) Corporation" "C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe" File exists
|||| "MobileConnect" "Vodafone" %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent File exists
|||| "nwiz" "NVIDIA Corporation" nwiz.exe /install File exists
|||| "Samsung PanelMgr" C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun File exists
|||| "Share-to-Web Namespace Daemon" "Hewlett-Packard" C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe File exists
|||| "SunJavaUpdateSched" "Sun Microsystems, Inc." "C:\Programme\Java\jre1.6.0_04\bin\jusched.exe" File exists
|||| "UpdateManager" "Sonic Solutions" "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r File exists
Network Providers
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
|||||| "Dell Wireless WLAN Card Logon Provider" "Dell Inc." C:\WINDOWS\System32\BCMLogon.dll File exists
|||||| "IntelNetProvCredMan" "Intel(R) Corporation" C:\WINDOWS\system32\netprovcredman.dll File exists
Print Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
|||||| "Microsoft Document Imaging Writer Monitor" "Microsoft Corporation" C:\WINDOWS\system32\mdimon.dll File exists
|||||| "PDFCreator" C:\WINDOWS\system32\pdfcmnnt.dll File found, but it contains no detailed information
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists
|||||| "ASP.NET State Service" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe File exists
|||||| "Dell Wireless WLAN Tray Service" (wltrysvc) C:\WINDOWS\System32\WLTRYSVC.EXE File found, but it contains no detailed information
|||||| "ForceWare IP service" (nSvcIp) "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe File exists
|||||| "ForceWare user log service" (nSvcLog) "NVIDIA Corporation" C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe File exists
"Forceware Web Interface" (ForcewareWebInterface) "C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice File not found
|||||| "Intel(R) PROSet/Wireless Event Log" (EvtEng) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\EvtEng.exe File exists
|||||| "Intel(R) PROSet/Wireless Registry Service" (RegSrvc) "Intel(R) Corporation" C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\RegSrvc.exe File exists
"Intel(R) PROSet/Wireless SSO Service" (WLANKEEPER) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\WLKeeper.exe File exists
|||||| "Intel(R) PROSet/Wireless WiFi Service" (S24EventMonitor) "Intel(R) Corporation" C:\Programme\Intel\WiFi\bin\S24EvMon.exe File exists
|||||| "Nero BackItUp Scheduler 3" (Nero BackItUp Scheduler 3) "Nero AG" C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe File exists
|||||| "NICCONFIGSVC" (NICCONFIGSVC) "Dell Inc." C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe File exists
|||||| "NMIndexingService" (NMIndexingService) "Nero AG" C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe File exists
|||||| "Office Source Engine" (ose) "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE File exists
|||||| "Vodafone Mobile Connect Service" (VMCService) "Vodafone" C:\Programme\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe File exists
|||||| "Windows CardSpace" (idsvc) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe File exists
|||||| "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe File exists
Winlogon
HKCU\Control Panel\IOProcs
"MVB" mvfs32.dll File not found
Winsock Providers
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
|||||| "BMI over [MSAFD Tcpip [RAW/IP]]" "Bytemobile, Inc." C:\WINDOWS\system32\bmnet.dll File exists
|||||| "BMI over [MSAFD Tcpip [TCP/IP]]" "Bytemobile, Inc." C:\WINDOWS\system32\bmnet.dll File exists
|||||| "BMI over [MSAFD Tcpip [UDP/IP]]" "Bytemobile, Inc." C:\WINDOWS\system32\bmnet.dll File exists
If You have questions or want to get some help, You can visit hxxp://forum.online

cosinus 04.11.2010 18:15
Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SASW und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!

Poldyxxx 06.11.2010 12:31
Der Scan von Malwarebytes hat nichts mehr gefunden, aber der Scan von Superantispyware hatte gleich 9 Treffer. Allerdings weiss ich nicht ob die letzen 2 wirklich Trojaner sind. Das Mike Programm habe ich auch auf meinem anderen PC , das ist Software von meiner Arbeit. Allerdings wäre es nicht schlimm, wenn es entfernt wird. Das Update dafür kriege ich auch anders.


SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 11/04/2010 at 09:57 PM

Application Version : 4.45.1000

Core Rules Database Version : 5767
Trace Rules Database Version: 3579

Scan type : Complete Scan
Total Scan Time : 01:41:47

Memory items scanned : 573
Memory threats detected : 0
Registry items scanned : 7496
Registry threats detected : 9
File items scanned : 137170
File threats detected : 2

Trojan.Agent/Gen-SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

Trojan.Agent/Gen-Cryptor[Egun]
C:\PROGRAMME\MATTHIES\MIKE\UPDATER\MIKEUPDATE.EXE

Trojan.Agent/Gen-FakeAV
C:\PROGRAMME\WINRAR\DEFAULT.SFX

cosinus 06.11.2010 16:31
Ein paar Überreste waren da noch.
Probier den Lauf mit combofix nochmal, lad cf neu als cofi.exe wieder runter, die alte vorher löschen.

Poldyxxx 06.11.2010 17:23
Soll ich die Reste mit Superantispyware VORHER löschen?

cosinus 06.11.2010 17:39
Ja bitte vorher löschen

Poldyxxx 08.11.2010 09:14
Ok, die Problemfälle habe ich alle aus der Quarantäne entfernt. Ich habe danach nochmal mit allen bisher genutzten Tools Scans vorgenommen, auch im abgesicherten Modus. Aber keiner hat was gefunden.
Folgende Symptone gibt es aber noch:
ComboFix geht immer noch nicht, genauso wie die installation von anderen Programmen, z.b. Antivir. Laut Meldung habe ich nicht ausreichende Berechtigung.
Wenn ich einen I.Explorer starte , öffnet sich nur ein Fenster , aber im Taskmanager sind 2 offen, wenn ich eins schliesse, geht das 2 auch zu.
Beim Herunterfahren habe ich eine Fehlermeldung von Apoint.exe und eine von SSMMgr.exe.
Gibt es eine Möglichkeit zu testen , ob mein User auch tatsächlich Adminrechte hat?

cosinus 08.11.2010 09:38
Hm also entweder ist da noch ein Rootkit am werkeln oder Dein Windows wurde zerlegt :D

Mach mal ein neues Log mit dem Kaspersky TDSS removing Tool

Poldyxxx 08.11.2010 10:01
Den TDSS hatte ich am Wochenende schon mal drüberlaufen lassen, der hat nichts gefunden . Hab es gerade nochmal wiederholt mit dem selben Resultat.
Am meisten irritiert mich, das immer 2 Browser aufgehen, wenn ich einen öffne.

TDSS Log

2010/11/08 09:58:14.0953 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/11/08 09:58:14.0953 ================================================================================
2010/11/08 09:58:14.0953 SystemInfo:
2010/11/08 09:58:14.0953
2010/11/08 09:58:14.0953 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/08 09:58:14.0953 Product type: Workstation
2010/11/08 09:58:14.0953 ComputerName: KJFH-D07EA92F3B
2010/11/08 09:58:14.0953 UserName: User
2010/11/08 09:58:14.0953 Windows directory: C:\WINDOWS
2010/11/08 09:58:14.0953 System windows directory: C:\WINDOWS
2010/11/08 09:58:14.0953 Processor architecture: Intel x86
2010/11/08 09:58:14.0953 Number of processors: 2
2010/11/08 09:58:14.0953 Page size: 0x1000
2010/11/08 09:58:14.0953 Boot type: Normal boot
2010/11/08 09:58:14.0953 ================================================================================
2010/11/08 09:58:15.0171 Initialize success
2010/11/08 09:58:20.0062 ================================================================================
2010/11/08 09:58:20.0062 Scan started
2010/11/08 09:58:20.0062 Mode: Manual;
2010/11/08 09:58:20.0062 ================================================================================
2010/11/08 09:58:21.0046 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/08 09:58:21.0093 ACPIEC (9e1ca3160dafb159ca14f83b1e317f75) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/08 09:58:21.0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/08 09:58:21.0203 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/08 09:58:21.0250 AFS2K (b34b1ab0a7690a0e2301fec6d17b2fc1) C:\WINDOWS\system32\drivers\AFS2K.sys
2010/11/08 09:58:21.0375 AmdK8 (22ad3ec1f0486c863d70cdd50b97761b) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/11/08 09:58:21.0437 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2010/11/08 09:58:21.0500 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2010/11/08 09:58:21.0562 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/08 09:58:21.0671 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/08 09:58:21.0703 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/08 09:58:21.0750 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/08 09:58:21.0796 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/08 09:58:21.0859 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/11/08 09:58:21.0937 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/11/08 09:58:22.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/08 09:58:22.0046 BMLoad (d002033c1a37f6af51b5f0ba6d0211bc) C:\WINDOWS\system32\drivers\BMLoad.sys
2010/11/08 09:58:22.0109 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/08 09:58:22.0140 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/08 09:58:22.0218 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/08 09:58:22.0250 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/08 09:58:22.0312 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/08 09:58:22.0359 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/08 09:58:22.0562 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
2010/11/08 09:58:22.0578 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/08 09:58:22.0656 dmboot (0dcfc8395a99fecbb1ef771cec7fe4ea) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/08 09:58:22.0734 dmio (53720ab12b48719d00e327da470a619a) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/08 09:58:22.0750 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/08 09:58:22.0796 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/08 09:58:22.0843 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/08 09:58:22.0875 drvmcdb (b15f9e526ba511a48b1b1b8537815740) C:\WINDOWS\system32\drivers\drvmcdb.sys
2010/11/08 09:58:22.0906 drvnddm (fa4670cae95ae2bb857c68e535661145) C:\WINDOWS\system32\drivers\drvnddm.sys
2010/11/08 09:58:23.0000 ewusbnet (13d0f39d356e70f0a5e80d7771382245) C:\WINDOWS\system32\DRIVERS\ewusbnet.sys
2010/11/08 09:58:23.0062 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/08 09:58:23.0093 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/08 09:58:23.0125 Fips (b0678a548587c5f1967b0d70bacad6c1) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/08 09:58:23.0140 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/08 09:58:23.0187 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/08 09:58:23.0234 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/08 09:58:23.0250 Ftdisk (8f1955ce42e1484714b542f341647778) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/08 09:58:23.0296 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/11/08 09:58:23.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/08 09:58:23.0390 GTIPCI21 (ca835331825599b938e37525796d3549) C:\WINDOWS\system32\DRIVERS\gtipci21.sys
2010/11/08 09:58:23.0437 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/08 09:58:23.0484 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/08 09:58:23.0609 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2010/11/08 09:58:23.0656 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
2010/11/08 09:58:23.0781 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/08 09:58:23.0859 hwdatacard (8adf5ef39e896a65beded878494ee2b6) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
2010/11/08 09:58:23.0921 hwusbfake (83026e41d9960430491432dbd6af969a) C:\WINDOWS\system32\DRIVERS\ewusbfake.sys
2010/11/08 09:58:24.0031 i8042prt (e283b97cfbeb86c1d86baed5f7846a92) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/08 09:58:24.0281 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/11/08 09:58:24.0578 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/08 09:58:24.0890 IntcAzAudAddService (a7d3a1b2cabdab81ead07c204adb7ce1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/08 09:58:25.0062 IntelIde (69c4e3c9e67a1f103b94e14fdd5f3213) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/08 09:58:25.0109 intelppm (4c7d2750158ed6e7ad642d97bffae351) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/08 09:58:25.0140 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/08 09:58:25.0187 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/08 09:58:25.0234 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/08 09:58:25.0281 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/08 09:58:25.0296 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/08 09:58:25.0328 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2010/11/08 09:58:25.0359 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/08 09:58:25.0421 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2010/11/08 09:58:25.0468 isapnp (6dfb88f64135c525433e87648bda30de) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/08 09:58:25.0484 Kbdclass (1704d8c4c8807b889e43c649b478a452) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/08 09:58:25.0515 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/08 09:58:25.0562 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/08 09:58:25.0656 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/11/08 09:58:25.0703 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/08 09:58:25.0765 Modem (6fb74ebd4ec57a6f1781de3852cc3362) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/08 09:58:25.0796 Mouclass (b24ce8005deab254c0251e15cb71d802) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/08 09:58:25.0843 mouhid (66a6f73c74e1791464160a7065ce711a) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/08 09:58:25.0875 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/08 09:58:25.0921 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/08 09:58:25.0968 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/08 09:58:26.0031 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/08 09:58:26.0062 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/08 09:58:26.0093 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/08 09:58:26.0125 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/08 09:58:26.0156 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/08 09:58:26.0203 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2010/11/08 09:58:26.0250 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/08 09:58:26.0296 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/08 09:58:26.0328 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/08 09:58:26.0375 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/08 09:58:26.0390 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/08 09:58:26.0421 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/08 09:58:26.0453 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/08 09:58:26.0468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/08 09:58:26.0687 NETw5x32 (91f027c242d3ff6e5c09f92a0518297f) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2010/11/08 09:58:26.0890 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/08 09:58:26.0953 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/08 09:58:26.0984 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/08 09:58:27.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/08 09:58:27.0203 nv (eb2858f920b8135b807b5ccaa3ed73dc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/08 09:58:27.0406 nvata (9eccd189a9554c30a0d18a429778c7ba) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/11/08 09:58:27.0437 NVENETFD (4d6f0d3fb17c1ba64942f415c73adcdb) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/11/08 09:58:27.0468 nvnetbus (921e63aa1e1a20302223d016acafb52b) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/11/08 09:58:27.0500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/08 09:58:27.0515 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/08 09:58:27.0562 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/08 09:58:27.0625 Parport (f84785660305b9b903fb3bca8ba29837) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/08 09:58:27.0656 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/08 09:58:27.0703 ParVdm (c2bf987829099a3eaa2ca6a0a90ecb4f) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/08 09:58:27.0750 PCI (387e8dedc343aa2d1efbc30580273acd) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/08 09:58:27.0812 PCIIde (59ba86d9a61cbcf4df8e598c331f5b82) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/08 09:58:27.0828 Pcmcia (a2a966b77d61847d61a3051df87c8c97) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/11/08 09:58:28.0015 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/08 09:58:28.0046 Processor (2cb55427c58679f49ad600fccba76360) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/08 09:58:28.0078 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/08 09:58:28.0093 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/08 09:58:28.0156 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/08 09:58:28.0281 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/08 09:58:28.0328 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2010/11/08 09:58:28.0375 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/08 09:58:28.0390 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/08 09:58:28.0421 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/08 09:58:28.0453 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/08 09:58:28.0484 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/08 09:58:28.0531 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/08 09:58:28.0562 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/08 09:58:28.0625 redbook (ed761d453856f795a7fe056e42c36365) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/08 09:58:28.0703 s24trans (96b4494d4734970f47c566e098c4f527) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2010/11/08 09:58:28.0812 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS
2010/11/08 09:58:28.0828 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS
2010/11/08 09:58:28.0890 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/08 09:58:28.0921 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/08 09:58:28.0953 Serial (cf24eb4f0412c82bcd1f4f35a025e31d) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/08 09:58:28.0984 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/08 09:58:29.0062 SMCIRDA (d03a4cdb1b089e3f6c23501339506e5e) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2010/11/08 09:58:29.0125 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/08 09:58:29.0171 sr (50fa898f8c032796d3b1b9951bb5a90f) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/08 09:58:29.0218 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/08 09:58:29.0265 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2010/11/08 09:58:29.0312 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2010/11/08 09:58:29.0375 STAC97 (305cc42945a713347f978d78566113f3) C:\WINDOWS\system32\drivers\STAC97.sys
2010/11/08 09:58:29.0468 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2010/11/08 09:58:29.0531 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/08 09:58:29.0562 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/08 09:58:29.0703 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/08 09:58:29.0765 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/08 09:58:29.0812 tcpipBM (dcfeb82ca988598ceb8f83148616038e) C:\WINDOWS\system32\drivers\tcpipBM.sys
2010/11/08 09:58:29.0843 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/08 09:58:29.0875 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/08 09:58:29.0890 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/08 09:58:29.0953 tfsnboio (1d265cd2fb1673a0873bf8cec19ddc7f) C:\WINDOWS\system32\dla\tfsnboio.sys
2010/11/08 09:58:29.0968 tfsncofs (62e4901295e0467cac78e5b4b131ae5c) C:\WINDOWS\system32\dla\tfsncofs.sys
2010/11/08 09:58:29.0984 tfsndrct (a2f380f9252ab3464c859adf91eead9c) C:\WINDOWS\system32\dla\tfsndrct.sys
2010/11/08 09:58:30.0000 tfsndres (d4d66daff883ffecba6fba98627ccc70) C:\WINDOWS\system32\dla\tfsndres.sys
2010/11/08 09:58:30.0031 tfsnifs (9d644eb11fec9487450c4cfcd63a5df4) C:\WINDOWS\system32\dla\tfsnifs.sys
2010/11/08 09:58:30.0046 tfsnopio (e656af05c67edb7c0e9230a5df71ed1b) C:\WINDOWS\system32\dla\tfsnopio.sys
2010/11/08 09:58:30.0062 tfsnpool (64fccb9cce703ca507dffc3cebf6b2cb) C:\WINDOWS\system32\dla\tfsnpool.sys
2010/11/08 09:58:30.0093 tfsnudf (48bc9d8ab4e4b9bff70fb18e55cec3d6) C:\WINDOWS\system32\dla\tfsnudf.sys
2010/11/08 09:58:30.0109 tfsnudfa (79f60822224256b49bfc855da8d651d5) C:\WINDOWS\system32\dla\tfsnudfa.sys
2010/11/08 09:58:30.0187 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/08 09:58:30.0234 UIUSys (73edf3af56591834f070c3764a17f566) C:\WINDOWS\system32\drivers\UIUSys.sys
2010/11/08 09:58:30.0312 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/08 09:58:30.0359 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/08 09:58:30.0390 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/08 09:58:30.0421 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/08 09:58:30.0453 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/08 09:58:30.0468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/08 09:58:30.0515 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/08 09:58:30.0546 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/08 09:58:30.0578 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/08 09:58:30.0593 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/08 09:58:30.0656 VolSnap (a5a712f4e880874a477af790b5186e1d) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/08 09:58:30.0703 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/08 09:58:30.0750 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/08 09:58:30.0812 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/11/08 09:58:30.0921 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/08 09:58:31.0109 ================================================================================
2010/11/08 09:58:31.0109 Scan finished
2010/11/08 09:58:31.0109 ================================================================================

cosinus 08.11.2010 10:04
Mach mal einen Gegencheck mit dem TDSS-Tool von Norman => http://www.trojaner-board.de/82358-a...tml#post499990

Poldyxxx 08.11.2010 10:12
Das Tool hat auch nichts gefunden.

Ich habe damals, bevor ich mit eurem Board in Kontakt getreten bin, die beiden neuen Admin Profile einfach gelöscht, nachdem ich die Viren entfernt hatte. War das evtl. ein Fehler?

cosinus 08.11.2010 10:18
Nö das sollte eigentlich kein problem sein...
Mach nochmal bitte ein frisches Log mit GMER im abgesicherten Modus, das hatte letztens bei dem netbook meines Nachbarn den entscheidenden Hinweis gegeben.

Poldyxxx 08.11.2010 18:13
So, der Scan ist endlich fertig. Und im abgesicherten Modus hat GMER tatsächlich nochmal was gefunden.
Aber da gibt es was, das ich noch seltsam finde. NAch der Benutzung im abgesicherten Modus ist plötzlich wieder ein zusätzliches Admin Profil vorhanden. Bei mir ist der "USER" auch gleichzeitig der Admin, d.h. ich habe keine 2 Profile. Im abgesicherten Modus habe ich aber die Möglichkeit mich zwischen "USER" und "ADMIN" zu entscheiden und habe dann immer den Admin gewählt. Offensichtlich wurde nach jeder Benutzung des abgesicherten Modus ein neues Admin Profil erstellt.
Der von GMER gefundene Virus wurde letzte Woche schonmal gefunden, war aber plötzlich verschwunden bevor ich ihn löschen konnte. Siehe Beiträge Nummer 18 und 19.

GMER Logfile:
Code:
GMER 1.0.15.15477 - hxxp://www.gmer.net
Rootkit scan 2010-11-08 17:52:01
Windows 5.1.2600 Service Pack 3
Running: o6g6f142.exe; Driver: C:\DOKUME~1\ADMINI~1.KJF\LOKALE~1\Temp\ageyykoc.sys


---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\Explorer.EXE[832] kernel32.dll!CreateProcessInternalW  7C8197B0 5 Bytes  JMP 00B4866A

---- EOF - GMER 1.0.15 ----
--- --- ---

cosinus 09.11.2010 01:28
Ok....dann probier bitte nochmal combofix mit einer neuen cofi.exe aus.
Den Rest sehen wir dann...

Poldyxxx 09.11.2010 09:28
Kann ich mit GMER den Virus auch löschen? Bisher hat ihn kein anderes Programm gefunden.

Combofix läuft immer noch nicht.

Poldyxxx 09.11.2010 09:49
Nach einem Scan mit Malwarebytes ist auch der zweite Rootkit File wieder aufgetaucht, den ich schon mal gelöscht hatte. Könnte evtl. daran liegen, das ich mit dem verseuchten Laptop seit 2 Tagen wieder online bin, oder an der Admin Benutzung des abgesicherten Modus( neues Admin Profil)

cosinus 09.11.2010 14:33
Lösch mal mit GMER versuch es es mal. Wenn das aber auch nicht geht, seh ich nicht mehr viel Sinn weiterzumachen mit der Bereinigung...


Alle Zeitangaben in WEZ +1. Es ist jetzt 22:52 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19