Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   online banking TAN s wurden abgefragt Trojaner (https://www.trojaner-board.de/94092-online-banking-tan-s-wurden-abgefragt-trojaner.html)

chaos2009 25.12.2010 01:12
online banking TAN s wurden abgefragt Trojaner
 
Hallo Leute,

ich habe folgendes Problem.
Beim online banking wurden von mir 20 Tans abgefragt.
Darauf habe ich mit anitvir einen suchlauf durchgeführt, welcher nix gefunden hat.
Jetzt habe ich hier im Forum gelesen und folgende Scans durchlaufen lassen.
Ich habe mir das Programm Malwarebytes herunter geladen und einen komplet Scanlaufen lassen mit folgendem Ergebnis.
Ich habe auch auf Entferne Auswahl geklickt und Windows Vista neu gestartet.
Siehe Anhnag Malwarebyte

Danach habe ich einen Scan mit dem OTL gemacht und folgende zwei Files als Ergebnis bekommen.
Siehe Anhang extras.txt und otl.txt

Was muss ich jetzt damit anfangen, welche Daten muss ich euch noch liefern damit ihr mir helfen könnt?
Vielen Dank schon im voraus für eure Hilfe
Super Forum und Super Anleitungen habt ihr hier.

Gruß chaos2009

cosinus 25.12.2010 02:09
mach bitte ein Log mit CF:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.
http://saved.im/mtm0nzyzmzd5/cofi.jpg
  • Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.
  • Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
    Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

chaos2009 31.12.2010 13:42
hi cosinus

vielen dank für deine Hilfestellung ich habe es leider erst jetzt geschaft es durchzuführen.
Beim CCleaner wurden alle Fehler bereinigt.
Danach habe ich das Combofix laufen lassen und folgende Log-Datei bekommen.

Combofix Logfile:
Code:
ComboFix 10-12-30.03 - *** 31.12.2010  12:38:30.1.2 - x86
Microsoft® Windows Vista™ Home Premium  6.0.6000.0.1252.49.1031.18.2038.969 [GMT 1:00]
ausgeführt von:: c:\users\***\Desktop\cofi.exe
.

(((((((((((((((((((((((  Dateien erstellt von 2010-11-28 bis 2010-12-31  ))))))))))))))))))))))))))))))
.

2010-12-31 11:45 . 2010-12-31 11:46        --------        d-----w-        c:\users\***\AppData\Local\temp
2010-12-31 11:45 . 2010-12-31 11:45        --------        d-----w-        c:\users\Default\AppData\Local\temp
2010-12-31 11:08 . 2010-12-31 11:13        --------        d-----w-        c:\program files\CCleaner
2010-12-31 10:54 . 2010-11-10 04:33        6273872        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E8D08C4-F51F-49EF-816A-CD9EC11A5052}\mpengine.dll
2010-12-24 19:41 . 2010-12-24 19:41        --------        d-----w-        c:\program files\7-Zip
2010-12-24 14:30 . 2010-12-24 14:30        --------        d-----w-        c:\users\***\AppData\Roaming\Malwarebytes
2010-12-24 14:29 . 2010-12-20 17:09        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-24 14:29 . 2010-12-24 14:29        --------        d-----w-        c:\programdata\Malwarebytes
2010-12-24 14:29 . 2010-12-24 14:29        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware
2010-12-24 14:29 . 2010-12-20 17:08        20952        ----a-w-        c:\windows\system32\drivers\mbam.sys
2010-12-09 19:22 . 2010-12-09 19:23        --------        d-----w-        c:\program files\iTunes
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-09 19:19 . 2010-12-09 19:19        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-09 19:19 . 2010-12-09 19:19        --------        d-----w-        c:\program files\QuickTime
2010-12-09 19:12 . 2010-12-09 19:12        --------        d-----w-        c:\program files\Bonjour

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 09:41 . 2009-10-03 14:57        222080        ------w-        c:\windows\system32\MpSigStub.exe
2010-10-07 11:23 . 2010-10-07 11:23        91424        ----a-w-        c:\windows\system32\dnssd.dll
2010-10-07 11:23 . 2010-10-07 11:23        75040        ----a-w-        c:\windows\system32\jdns_sd.dll
2010-10-07 11:23 . 2010-10-07 11:23        197920        ----a-w-        c:\windows\system32\dnssdX.dll
2010-10-07 11:23 . 2010-10-07 11:23        107808        ----a-w-        c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-15 857648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TVBroadcast"="c:\program files\Sceneo\Bonavista\Services\ODSBC\ODSBCApp.exe" [2007-05-08 790016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-12-14 192512]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2006-12-26 180224]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-11-09 86016]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-10 36864]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 220160]
"toolbar_eula_launcher"="c:\program files\GoogleEULA\EULALauncher.exe" [2007-02-09 16896]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-25 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-12-04 665424]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-17 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

c:\users\Annina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\program files\GbPlugin\gbiehcef.dll" [2008-03-05 341576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R1 mailKmd;mailKmd; [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 PDNMp50;PDNMp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNMp50.sys [2006-11-28 28224]
R3 PDNSp50;PDNSp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNSp50.sys [2006-11-28 27072]
S2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [2008-03-05 50760]
S2 GnabService;GnabService;c:\program files\common files\gnab\service\servicecontroller.exe [2007-04-13 36864]
S2 srvcPVR;Sceneo PVR Service;c:\program files\Sceneo\Bonavista\Services\PVR\PVRService.exe [2007-05-04 1600512]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-07-05 277504]
S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2006-11-17 118784]

.
Inhalt des "geplante Tasks" Ordners

2010-12-31 c:\windows\Tasks\User_Feed_Synchronization-{D124B4E8-514D-4EBB-9597-5F704DA25B31}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
mStart Page = hxxp://alice.aol.de
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-1170-17534-22/4
TCP: {422A2817-56AA-485B-9921-58EE0232FE4A} = 213.191.74.18 62.109.123.197
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-12-31 12:46
Windows 6.0.6000  NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv]
"ImagePath"="c:\progra~1\GbPlugin\GbpSv.exe"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(1628)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
.
Zeit der Fertigstellung: 2010-12-31  12:49:34
ComboFix-quarantined-files.txt  2010-12-31 11:49

Vor Suchlauf: 6.950.277.120 Bytes frei
Nach Suchlauf: 6.568.288.256 Bytes frei

- - End Of File - - 860C356A57BE896E9866CB08990E408A
--- --- ---


Danach ging ohne Neustart nichts mehr. Jetzt läuft der PC aber wieder zumindest was ich auf die schnelle getestet habe.

Was mache ich mit den Datein die der CCleaner bei der Registry Säuberung erstellt hat??

Vielen Dank nochmal für die Hilfe.
Gibt es noch was, was ich für meinen PC tun kann oder ist er jetzt wieder fit und trojaner frei?

lieben Gruß und herzlichen Dank
chaos2009

cosinus 01.01.2011 21:32
Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.


Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
  • Doppelklick auf die MBRCheck.exe.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Das Tool braucht nur einige Sekunden.
  • Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.
Poste mir bitte den Inhalt des .txt Dokumentes

chaos2009 01.01.2011 22:20
Hallo Arne,

danke für die promte Antwort.

Ich habe den GMER ausgeführt dabei ist mein PC abgestürzt und hat sich ausgeschalten. Ich habe ihn normal wieder starten lassen.
Das Programm hab ich nicht nochmals gestartet.
Ist das normal???

OSMA habe ich scannen lassen und folgende log file bekommen.

OSAM Logfile:
Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 22:10:29 on 01.01.2011

OS: Windows Vista Home Premium Edition (Build 6000), 32-bit
Default Browser: Apple Inc. Safari 4.0.4 (531.21.10)

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[AppInit DLLs]
-----( HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows )-----
"AppInit_DLLs" - "Google" - C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"ddbaccpl.cpl" - "DataDesign AG" - C:\Windows\system32\ddbaccpl.cpl
"ddbacctm.cpl" - "DataDesign AG" - C:\Windows\system32\ddbacctm.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Nero BurnRights" - "Nero AG" - C:\Program Files\Nero\Nero 7\Nero Toolkit\NeroBurnRights.cpl
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\Users\Annina\AppData\Local\Temp\catchme.sys  (File not found)
"FssFltr" (fssfltr) - "Microsoft Corporation" - C:\Windows\System32\DRIVERS\fssfltr.sys
"Hotkey" (Hotkey) - ? - C:\Windows\system32\drivers\Hotkey.sys  (File found, but it contains no detailed information)
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"IVI ASPI Shell" (Iviaspi) - "InterVideo, Inc." - C:\Windows\System32\drivers\iviaspi.sys
"mailKmd" (mailKmd) - ? - C:\Windows\system32\drivers\mailKmd.sys  (File not found)
"PDNMp50 NDIS Protocol Driver" (PDNMp50) - "Printing Communications Assoc., Inc. (PCAUSA)" - C:\Windows\system32\drivers\PDNMp50.sys
"PDNSp50 NDIS Protocol Driver" (PDNSp50) - "Printing Communications Assoc., Inc. (PCAUSA)" - C:\Windows\system32\drivers\PDNSp50.sys
"ssmdrv" (ssmdrv) - "AVIRA GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"StarOpen" (StarOpen) - ? - C:\Windows\system32\drivers\StarOpen.sys  (File found, but it contains no detailed information)

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
{03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{E37CB5F0-51F5-4395-A808-5FA49E399003} "GbPluginObj Class" - "Caixa Economica Federal" - C:\Program Files\GbPlugin\gbiehcef.dll
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -  (File not found | COM-object registry key not found)
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -  (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -  (File not found | COM-object registry key not found)
{0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -  (File not found | COM-object registry key not found)
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -  (File not found | COM-object registry key not found)
{E37CB5F0-51F5-4395-A808-5FA49E399003} "GbPluginObj Class" - "Caixa Economica Federal" - C:\Program Files\GbPlugin\gbiehcef.dll
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{00020d75-0000-0000-c000-000000000046} "lnkfile" - ? -  (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -  (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -  (File not found | COM-object registry key not found)
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
{DBD8E168-244D-448C-9922-25508950D1DC} "USIShellExt Class" - "Ulead Systems, Inc." - C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -  (File not found | COM-object registry key not found)
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Program Files\WinRAR\rarext.dll

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"eBay - Der weltweite Online-Marktplatz" - ? - hxxp://rover.ebay.com/rover/1/707-1170-17534-22/4  (HTTP value)
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "&Google" - "Google Germany GmbH" - c:\program files\google\googletoolbar1.dll
<binary data> "&Windows Live Toolbar" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\Windows\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} "MUWebControl Class" - "Microsoft Corporation" - C:\Windows\system32\muweb.dll / hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183949065925
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\Windows\system32\Macromed\Flash\Flash9e.ocx / hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? -  (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
"eBay - Der weltweite Online-Marktplatz" - ? - hxxp://rover.ebay.com/rover/1/707-1170-17534-22/4  (HTTP value)
{5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "&Google" - "Google Germany GmbH" - c:\program files\google\googletoolbar1.dll
<binary data> "&Windows Live Toolbar" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{C41A1C0E-EA6C-11D4-B1B8-444553540003} "GbIehObj Class" - "Caixa Economica Federal" - C:\Program Files\GbPlugin\gbiehcef.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Germany GmbH" - c:\program files\google\googletoolbar1.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} "Search Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Program Files\Windows Live\Toolbar\wltcore.dll
{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? -  (File not found | COM-object registry key not found)

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Users\Annina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"OpenOffice.org 2.4.lnk" - ? - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe  (Shortcut exists | File found, but it contains no detailed information | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" - "Nero AG" - "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"msnmsgr" - "Microsoft Corporation" - "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AppleSyncNotifier" - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"EEventManager" - "SEIKO EPSON CORPORATION" - C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
"Google Desktop Search" - "Google" - "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HotkeyApp" - "Wistron" - "C:\Program Files\Launch Manager\HotkeyApp.exe"
"IAAnotif" - "Intel Corporation" - "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"
"LaunchAp" - ? - "C:\Program Files\Launch Manager\LaunchAp.exe"
"LMgrOSD" - "Wistron Corp." - "C:\Program Files\Launch Manager\OSD.exe"
"Malwarebytes' Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"NeroFilterCheck" - "Nero AG" - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Java\jre6\bin\jusched.exe"
"toolbar_eula_launcher" - " " - C:\Program Files\GoogleEULA\EULALauncher.exe
"TVBroadcast" - "ODSoft multimedia" - C:\Program Files\Sceneo\Bonavista\Services\ODSBC\ODSBCApp.exe
"UVS10 Preload" - "Ulead Systems, Inc." - C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
"Wbutton" - ? - "C:\Program Files\Launch Manager\Wbutton.exe"

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\Windows\system32\mdimon.dll
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"AntiVir PersonalEdition Classic Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"Firebird Server - MAGIX Instance" (FirebirdServerMAGIXInstance) - "MAGIX®" - C:\Program Files\ALDI Sued Foto Service\Common\Database\bin\fbserver.exe
"Gbp Service" (GbpSv) - ? - C:\PROGRA~1\GbPlugin\GbpSv.exe  (Hidden registry entry, rootkit activity)
"GnabService" (GnabService) - "Empolis GmbH" - c:\program files\common files\gnab\service\servicecontroller.exe
"Google Updater Service" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"GoogleDesktopManager" (GoogleDesktopManager) - "Google" - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
"Intel(R) Matrix Storage Event Monitor" (IAANTMON) - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"IviRegMgr" (IviRegMgr) - "InterVideo" - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
"LightScribeService Direct Disc Labeling Service" (LightScribeService) - "Hewlett-Packard Company" - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"NBService" (NBService) - "Nero AG" - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"NMIndexingService" (NMIndexingService) - "Nero AG" - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Sceneo PVR Service" (srvcPVR) - "Buhl Data Service GmbH" - C:\Program Files\Sceneo\Bonavista\Services\PVR\PVRService.exe
"SeaPort" (SeaPort) - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
"Ulead Burning Helper" (UleadBurningHelper) - "Ulead Systems, Inc." - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
"Windows Live Family Safety-Dienst" (fsssvc) - "Microsoft Corporation" - C:\Program Files\Windows Live\Family Safety\fsssvc.exe
"WisLMSvc" (WisLMSvc) - "Wistron Corp." - C:\Program Files\Launch Manager\WisLMSvc.exe

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===
--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

chaos2009 01.01.2011 22:23
Hallo Arne

sorry dass es zwei Einträge werden konnte aber irgendwie nicht beide files posten.

Das ist jetzt das Dokument welches von MBRCheck erstellt wurde.

Vielen Dank für deine Hilfe ich hoffe ich bekomme mein System wieder gesund.
Die Anleitungen sind echt spitze.

Lieben Gruß
chaos2009

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: MEDION
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: MEDION
System Product Name: WIM2160
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 148):
0x82000000 \SystemRoot\system32\ntoskrnl.exe
0x82395000 \SystemRoot\system32\hal.dll
0x806C6000 \SystemRoot\system32\kdcom.dll
0x80666000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8065D000 \SystemRoot\system32\PSHED.dll
0x80655000 \SystemRoot\system32\BOOTVID.dll
0x8061A000 \SystemRoot\system32\CLFS.SYS
0x80539000 \SystemRoot\system32\CI.dll
0x804BE000 \SystemRoot\system32\drivers\Wdf01000.sys
0x804B1000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8046E000 \SystemRoot\system32\drivers\acpi.sys
0x80465000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8045D000 \SystemRoot\system32\drivers\msisadrv.sys
0x80438000 \SystemRoot\system32\drivers\pci.sys
0x80429000 \SystemRoot\system32\drivers\volmgr.sys
0x80426000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8041C000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8040C000 \SystemRoot\System32\drivers\mountmgr.sys
0x80405000 \SystemRoot\system32\drivers\intelide.sys
0x82BF2000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x82BA8000 \SystemRoot\System32\drivers\volmgrx.sys
0x82AF0000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x82AE8000 \SystemRoot\system32\drivers\atapi.sys
0x82ACA000 \SystemRoot\system32\drivers\ataport.SYS
0x82A99000 \SystemRoot\system32\drivers\fltmgr.sys
0x82A89000 \SystemRoot\system32\drivers\fileinfo.sys
0x82985000 \SystemRoot\system32\drivers\ndis.sys
0x8295A000 \SystemRoot\system32\drivers\msrpc.sys
0x82921000 \SystemRoot\system32\drivers\NETIO.SYS
0x82819000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87F96000 \SystemRoot\System32\Drivers\ksecdd.sys
0x87F60000 \SystemRoot\system32\drivers\volsnap.sys
0x82808000 \SystemRoot\system32\DRIVERS\uagp35.sys
0x82800000 \SystemRoot\System32\Drivers\spldr.sys
0x87F51000 \SystemRoot\System32\drivers\partmgr.sys
0x87F42000 \SystemRoot\System32\Drivers\mup.sys
0x87F1D000 \SystemRoot\System32\drivers\ecache.sys
0x87F0C000 \SystemRoot\system32\drivers\disk.sys
0x87EEB000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87EE2000 \SystemRoot\system32\drivers\crcdisk.sys
0x88C26000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x87D22000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x88C18000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8B770000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8BDFC000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8B57B000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x88C0B000 \SystemRoot\System32\drivers\watchdog.sys
0x88CE6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x88CCE000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x88C00000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8B53E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x88CC0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x88F50000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x88CB2000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8B526000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8B518000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8B504000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8B4B3000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x88C7C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8B4A0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8B495000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8B46A000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x88EE0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8B45F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x88EAF000 \SystemRoot\system32\drivers\iviaspi.sys
0x8B447000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x88DED000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0x8B41C000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8BDBC000 \SystemRoot\system32\DRIVERS\storport.sys
0x8B411000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8BDA5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8B406000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8BD82000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x87D13000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8BD6F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8BD53000 \SystemRoot\system32\DRIVERS\termdd.sys
0x88ED0000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8BD29000 \SystemRoot\system32\DRIVERS\ks.sys
0x8B622000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8BD62000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8BC15000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x88FD0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8C618000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8C5EB000 \SystemRoot\system32\drivers\portcls.sys
0x8C5C6000 \SystemRoot\system32\drivers\drmk.sys
0x8C4D6000 \SystemRoot\system32\DRIVERS\smserial.sys
0x8BC59000 \SystemRoot\system32\drivers\modem.sys
0x8B7DC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x88CF8000 \SystemRoot\System32\Drivers\Null.SYS
0x88C88000 \SystemRoot\System32\Drivers\Beep.SYS
0x8C47A000 \SystemRoot\System32\drivers\vga.sys
0x8CFDF000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x88D4F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x88D57000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8CFB4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8CFA6000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B7E5000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8CED1000 \SystemRoot\System32\drivers\tcpip.sys
0x8CEB8000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8CEA3000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8CE8F000 \SystemRoot\system32\DRIVERS\smb.sys
0x8CE48000 \SystemRoot\system32\drivers\afd.sys
0x8CE16000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8CE00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8CDF2000 \SystemRoot\system32\DRIVERS\netbios.sys
0x88E3B000 \SystemRoot\System32\Drivers\StarOpen.SYS
0x8CDDF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x88E41000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8CDA4000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8B62C000 \SystemRoot\system32\drivers\nsiproxy.sys
0x88EA6000 \SystemRoot\System32\Drivers\Hotkey.SYS
0x8CD8D000 \SystemRoot\System32\Drivers\dfsc.sys
0x8CD7C000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x88EC6000 \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
0x8CD14000 \SystemRoot\System32\Drivers\fastfat.SYS
0x8D259000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0x8BC66000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0x8C465000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0x8B723000 \SystemRoot\system32\DRIVERS\RTL8187B.sys
0x8BC73000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8CC4C000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x96A00000 \SystemRoot\System32\win32k.sys
0x8B654000 \SystemRoot\System32\drivers\Dxapi.sys
0x8157E000 \SystemRoot\system32\DRIVERS\monitor.sys
0x96800000 \SystemRoot\System32\TSDDD.dll
0x96810000 \SystemRoot\System32\cdd.dll
0x8117C000 \SystemRoot\system32\drivers\luafv.sys
0x81362000 \SystemRoot\system32\drivers\spsys.sys
0x88F40000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x812F7000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8B668000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8121A000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x81839000 \SystemRoot\system32\drivers\HTTP.sys
0x819C5000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81820000 \SystemRoot\system32\DRIVERS\bowser.sys
0x81991000 \SystemRoot\System32\drivers\mpsdrv.sys
0x81971000 \SystemRoot\system32\drivers\mrxdav.sys
0x81953000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8191A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8100D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x818F6000 \SystemRoot\System32\DRIVERS\srv2.sys
0x81BAF000 \SystemRoot\System32\DRIVERS\srv.sys
0x81B50000 \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
0x90202000 \SystemRoot\system32\drivers\peauth.sys
0x8B618000 \SystemRoot\System32\Drivers\secdrv.SYS
0x81555000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9014C000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77280000 \Windows\System32\ntdll.dll

Processes (total 91):
0 System Idle Process
4 System
516 C:\Windows\System32\smss.exe
588 csrss.exe
632 C:\Windows\System32\wininit.exe
644 csrss.exe
680 C:\Windows\System32\services.exe
716 C:\Windows\System32\lsass.exe
728 C:\Windows\System32\lsm.exe
812 C:\Windows\System32\winlogon.exe
912 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1092 C:\Windows\System32\svchost.exe
1132 C:\Windows\System32\svchost.exe
1152 C:\Windows\System32\svchost.exe
1228 C:\Windows\System32\audiodg.exe
1268 C:\Windows\System32\SLsvc.exe
1364 C:\Windows\System32\svchost.exe
1568 C:\Windows\System32\svchost.exe
1776 C:\Windows\System32\dwm.exe
1812 GbpSv.exe
1848 C:\Windows\explorer.exe
1928 C:\Windows\System32\spoolsv.exe
1952 C:\Windows\System32\taskeng.exe
1968 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
1992 C:\Windows\System32\svchost.exe
864 C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
1428 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1576 C:\Program Files\Bonjour\mDNSResponder.exe
1692 C:\Program Files\Common Files\Gnab\Service\ServiceController.exe
1844 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
952 C:\Program Files\Medion\MEDIONbox\Program\GCS.exe
1320 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
2056 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2116 C:\Windows\System32\svchost.exe
2196 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2232 C:\Program Files\Sceneo\Bonavista\Services\PVR\pvrservice.exe
2276 C:\Windows\System32\svchost.exe
2312 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2328 C:\Windows\System32\svchost.exe
2348 C:\Windows\System32\SearchIndexer.exe
3116 C:\Windows\System32\WerFault.exe
3388 C:\Windows\RtHDVCpl.exe
3420 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
3560 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3632 C:\Program Files\Sceneo\Bonavista\Services\ODSBC\ODSBCApp.exe
3656 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3668 C:\Windows\System32\igfxtray.exe
3676 C:\Windows\System32\hkcmd.exe
3688 C:\Windows\System32\igfxpers.exe
3708 C:\Windows\System32\igfxsrvc.exe
3720 C:\Program Files\Launch Manager\LaunchAp.exe
3780 C:\Program Files\Launch Manager\HotkeyApp.exe
3796 C:\Program Files\Launch Manager\OSD.exe
3820 C:\Program Files\Launch Manager\WButton.exe
3904 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
3952 C:\Program Files\Epson Software\Event Manager\EEventManager.exe
3968 C:\Program Files\Launch Manager\WisLMSvc.exe
4028 C:\Program Files\Java\jre6\bin\jusched.exe
4040 C:\Program Files\QuickTime\QTTask.exe
4048 C:\Program Files\iTunes\iTunesHelper.exe
4072 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
4080 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
4092 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
1332 C:\Windows\ehome\ehtray.exe
2108 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
2608 WmiPrvSE.exe
2692 C:\Windows\ehome\ehmsas.exe
1452 C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
3036 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
3324 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
2820 C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
1416 C:\Program Files\Alice\Signup\AliceCnn.exe
3456 C:\Program Files\iPod\bin\iPodService.exe
4176 C:\Windows\System32\taskeng.exe
4640 C:\Program Files\Internet Explorer\ieuser.exe
5576 C:\Program Files\Internet Explorer\iexplore.exe
5644 C:\Program Files\Windows Live\Toolbar\wltuser.exe
5696 C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
4856 C:\Windows\System32\wuauclt.exe
5960 C:\Windows\System32\SearchProtocolHost.exe
2852 C:\Program Files\WinRAR\WinRAR.exe
4424 C:\Users\Annina\Desktop\osam_autorun_manager_5_0_portable\osam.exe
1432 C:\Windows\servicing\TrustedInstaller.exe
4324 C:\Windows\System32\notepad.exe
5652 C:\Windows\System32\SearchFilterHost.exe
4724 dllhost.exe
5600 dllhost.exe
5728 C:\Users\Annina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J40USN2I\MBRCheck[1].exe
6016 C:\Windows\System32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001d`bfc6da00 (FAT32)

PhysicalDrive0 Model Number: WDCWD1600BEVS-22RST0, Rev: 04.01G04

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

cosinus 02.01.2011 11:25
Zitat:
Das Programm hab ich nicht nochmals gestartet.
Ist das normal???
Ich hab doch in meinem Beitrag geschrieben, dass GMER abstürzen kann und du es 2x ausprobieren sollst!!

chaos2009 03.01.2011 16:04
hi arne,

sorry dass ich es nur einmal probiert habe aber für mich war ein blue screen bei vista nicht gleich ein Programm aufhänger von GMER.

Jetzt habe ich es mit folgendem Ergebnis nochmals erfolgreich laufen lassen.

GMER Logfile:
Code:
GMER 1.0.15.15530 - hxxp://www.gmer.net
Rootkit scan 2011-01-03 15:58:56
Windows 6.0.6000  Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.04.0
Running: gmer.exe; Driver: C:\Users\***\AppData\Local\Temp\pwliqpod.sys


---- System - GMER 1.0.15 ----

SSDT            80D01DCC                                                                                                        ZwCreateThread
SSDT            80D01DB8                                                                                                        ZwOpenProcess
SSDT            80D01DBD                                                                                                        ZwOpenThread
SSDT            80D01DC7                                                                                                        ZwTerminateProcess
SSDT            80D01DC2                                                                                                        ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text          ntoskrnl.exe!_alloca_probe + 164                                                                                82055ED4 4 Bytes  [CC, 1D, D0, 80]
.text          ntoskrnl.exe!_alloca_probe + 334                                                                                820560A4 4 Bytes  [B8, 1D, D0, 80]
.text          ntoskrnl.exe!_alloca_probe + 350                                                                                820560C0 4 Bytes  [BD, 1D, D0, 80]
.text          ntoskrnl.exe!_alloca_probe + 574                                                                                820562E4 4 Bytes  [C7, 1D, D0, 80]
.text          ntoskrnl.exe!_alloca_probe + 5D4                                                                                82056344 4 Bytes  [C2, 1D, D0, 80]

---- User code sections - GMER 1.0.15 ----

.text          C:\Windows\system32\services.exe[680] kernel32.dll!FreeLibraryAndExitThread                                      77043A64 5 Bytes  JMP 1005AF90 C:\Program Files\GbPlugin\gbiehcef.dll (Gbieh Module/Caixa Economica Federal)
.text          C:\Windows\system32\services.exe[680] kernel32.dll!FreeLibrary                                                  77044597 5 Bytes  JMP 1005B260 C:\Program Files\GbPlugin\gbiehcef.dll (Gbieh Module/Caixa Economica Federal)

---- User IAT/EAT - GMER 1.0.15 ----

IAT            C:\Windows\system32\SearchProtocolHost.exe[3068] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW]    [6C11D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT            C:\Windows\system32\SearchProtocolHost.exe[3068] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW]  [6C11D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT            C:\Windows\system32\SearchProtocolHost.exe[3068] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DialogBoxParamW]  [6C11D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                          Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                          Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                        fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service        C:\PROGRA~1\GbPlugin\GbpSv.exe (*** hidden *** )                                                                [AUTO] GbpSv                                                                                                  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@Type                                                                16
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@Start                                                              2
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@ErrorControl                                                        1
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@ImagePath                                                          C:\PROGRA~1\GbPlugin\GbpSv.exe
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@DisplayName                                                        Gbp Service
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@Group                                                              GbPlugin Group
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@ObjectName                                                          LocalSystem
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv@Description                                                        Service for G-Buster Browser Defense
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv\Security                                                           
Reg            HKLM\SYSTEM\CurrentControlSet\Services\GbpSv\Security@Security                                                  0x01 0x00 0x14 0x88 ...
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@Type                                                                    16
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@Start                                                                  2
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@ErrorControl                                                            1
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@ImagePath                                                              C:\PROGRA~1\GbPlugin\GbpSv.exe
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@DisplayName                                                            Gbp Service
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@Group                                                                  GbPlugin Group
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@ObjectName                                                              LocalSystem
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv@Description                                                            Service for G-Buster Browser Defense
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv\Security (not active ControlSet)                                       
Reg            HKLM\SYSTEM\ControlSet002\Services\GbpSv\Security@Security                                                      0x01 0x00 0x14 0x88 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@c!s!f!`!j!`!m!`!\22!t!t!r!j!r!s!f!            19583823

---- Files - GMER 1.0.15 ----

File            C:\Users\***\AppData\Local\temp\lucene-a824f2462797a4786df05a335af8c8ed-write.lock                            0 bytes

---- EOF - GMER 1.0.15 ----
--- --- ---


Wie geht es jetzt weiter?
Vielen Dank für deine Hilfe
Lieben Gruß chaos2009

cosinus 03.01.2011 20:16
Bitte mal den Avenger anwenden:

1.) Lade Dir von hier Avenger:
Swandog46's Public Anti-Malware Tools (Download, linksseitig)

2.) Entpack das zip-Archiv, führe die Datei "avenger.exe" aus (unter Vista per Rechtsklick => als Administrator ausführen). Die Haken unten wie abgebildet setzen:

http://mitglied.lycos.de/efunction/tb123/avenger.png

3.) Kopiere Dir exakt die Zeilen aus dem folgenden Code-Feld:
Code:
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\GbpSv
HKLM\SYSTEM\ControlSet002\Services\GbpSv
HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}

Folders to delete:
C:\PROGRA~1\GbPlugin
4.) Geh in "The Avenger" nun oben auf "Load Script", dort auf "Paste from Clipboard".

5.) Der Code-Text hier aus meinem Beitrag müsste nun unter "Input Script here" in "The Avenger" zu sehen sein.

6.) Falls dem so ist, klick unten rechts auf "Execute". Bestätige die nächste Abfrage mit "Ja", die Frage zu "Reboot now" (Neustart des Systems) ebenso.

7.) Nach dem Neustart erhältst Du ein LogFile von Avenger eingeblendet. Kopiere dessen Inhalt und poste ihn hier.

8.) Die Datei c:\avenger\backup.zip bei File-Upload.net hochladen und hier verlinken


Alle Zeitangaben in WEZ +1. Es ist jetzt 20:27 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19