Log analysis and evaluation: GEMA and BKA trojan removed, but ..... (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

#1

GEMA and BKA trojan removed, but .....

Laptop, Windows XP Service Pack 3

Hello, over the weekend I caught the BKA and the GEMA trojan. The GEMA trojan could more or less be removed by hand, but then all of a sudden Task Manager was locked and I could no longer install any software. So I ran Malwarebytes and it removed a few things. Task Manager works again, but I am not sure whether the machine is clean (see attachment). To be safe, I then wanted to carry out your famous 3 steps. Defogger found nothing. When may I press Re-enable again? DDS does not work. Neither the one source nor the other. Only a DOS window opens with a few explanations, e.g. that the process takes at most three minutes. Then the cursor jumps one line down and two hash symbols appear. That was it. No pop-up, no scan, nothing. So I carried out step 3 and ran GMER. Log:

GMER Logfile:
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net Rootkit scan 2012-03-14 00:42:14 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-11 Hitachi_HTS722020K9SA00 rev.DC4OC54P Running: 1jgl2gto.exe; Driver: C:\DOKUME~1\RMHCON~1\LOKALE~1\Temp\kwlcafod.sys ---- System - GMER 1.0.15 ---- SSDT F7AA6156 ZwCreateKey SSDT F7AA614C ZwCreateThread SSDT F7AA615B ZwDeleteKey SSDT F7AA6165 ZwDeleteValueKey SSDT F7AA616A ZwLoadKey SSDT F7AA6138 ZwOpenProcess SSDT F7AA613D ZwOpenThread SSDT F7AA6174 ZwReplaceKey SSDT F7AA616F ZwRestoreKey SSDT F7AA6160 ZwSetValueKey ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB97DE360, 0x3074E7, 0xE8000020] .vmp2 C:\WINDOWS\system32\drivers\acedrv11.sys entry point in ".vmp2" section [0xB4B4169D] ---- User code sections - GMER 1.0.15 ---- .text C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe[164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01051642 .text C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe[164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0105152C .text C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe[164] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01051871 .text C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe[164] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01051758 .text C:\Programme\Synaptics\SynTP\SynTPEnh.exe[180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01501642 .text C:\Programme\Synaptics\SynTP\SynTPEnh.exe[180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0150152C .text C:\Programme\Synaptics\SynTP\SynTPEnh.exe[180] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01501871 .text C:\Programme\Synaptics\SynTP\SynTPEnh.exe[180] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01501758 .text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01411642 .text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[464] 
kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0141152C .text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[464] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01411871 .text C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe[464] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01411758 .text C:\Programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC1642 .text C:\Programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC152C .text C:\Programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[572] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00FC1871 .text C:\Programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[572] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00FC1758 .text C:\WINDOWS\BisonCam\InitDriverx86.exe[600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01001642 .text C:\WINDOWS\BisonCam\InitDriverx86.exe[600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0100152C .text C:\WINDOWS\BisonCam\InitDriverx86.exe[600] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01001871 .text C:\WINDOWS\BisonCam\InitDriverx86.exe[600] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01001758 .text C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 07271642 .text C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe[608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0727152C .text C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe[608] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 07271871 .text C:\Programme\Gemeinsame Dateien\Intel\WirelessCommon\iFrmewrk.exe[608] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 07271758 .text C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe[660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 07011642 .text 
C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe[660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0701152C .text C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe[660] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 07011871 .text C:\Programme\Intel\WiFi\bin\ZCfgSvc.exe[660] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 07011758 .text C:\Programme\Internet Explorer\iexplore.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011E1642 .text C:\Programme\Internet Explorer\iexplore.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011E152C .text C:\Programme\Internet Explorer\iexplore.exe[1524] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 011E1871 .text C:\Programme\Internet Explorer\iexplore.exe[1524] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 011E1758 .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 411954D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 41269AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4125D10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 4126DB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 411D464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 41365397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] 
USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 413652C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 41365334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 4136519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 413651FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 413653FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 4136525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] ole32.dll!CoCreateInstance 774CF1AC 5 Bytes JMP 4126DBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] ole32.dll!OleLoadFromStream 774F981B 5 Bytes JMP 413656FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[1524] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 02518F70 .text C:\Programme\Internet Explorer\iexplore.exe[1524] WS2_32.dll!connect 71A14A07 5 Bytes JMP 02518CE0 .text C:\Programme\Internet Explorer\iexplore.exe[1524] WS2_32.dll!getpeername 71A20B68 5 Bytes JMP 02518F00 .text C:\WINDOWS\RTHDCPL.EXE[1660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 053A1642 .text C:\WINDOWS\RTHDCPL.EXE[1660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 053A152C .text C:\WINDOWS\RTHDCPL.EXE[1660] 
ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 053A1871 .text C:\WINDOWS\RTHDCPL.EXE[1660] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 053A1758 .text C:\WINDOWS\MHotkey.exe[2576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01301642 .text C:\WINDOWS\MHotkey.exe[2576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0130152C .text C:\WINDOWS\MHotkey.exe[2576] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01301871 .text C:\WINDOWS\MHotkey.exe[2576] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01301758 .text C:\programme\real\realplayer\update\realsched.exe[2756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01781642 .text C:\programme\real\realplayer\update\realsched.exe[2756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0178152C .text C:\programme\real\realplayer\update\realsched.exe[2756] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\programme\real\realplayer\update\realsched.exe[2756] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01781871 .text C:\programme\real\realplayer\update\realsched.exe[2756] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01781758 .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[2768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03A61642 .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[2768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03A6152C .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[2768] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 03A61871 .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[2768] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 03A61758 .text C:\WINDOWS\BisonCam\BisonHK.exe[2844] kernel32.dll!CreateProcessW 
7C802336 5 Bytes JMP 00F41642 .text C:\WINDOWS\BisonCam\BisonHK.exe[2844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F4152C .text C:\WINDOWS\BisonCam\BisonHK.exe[2844] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00F41871 .text C:\WINDOWS\BisonCam\BisonHK.exe[2844] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00F41758 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017A1642 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017A152C .text C:\WINDOWS\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 017A1871 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 017A1758 .text C:\WINDOWS\BisonCam\BsMnt.exe[3288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01321642 .text C:\WINDOWS\BisonCam\BsMnt.exe[3288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0132152C .text C:\WINDOWS\BisonCam\BsMnt.exe[3288] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01321871 .text C:\WINDOWS\BisonCam\BsMnt.exe[3288] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01321758 .text C:\Programme\Internet Explorer\iexplore.exe[3476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC1642 .text C:\Programme\Internet Explorer\iexplore.exe[3476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC152C .text C:\Programme\Internet Explorer\iexplore.exe[3476] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00FC1871 .text C:\Programme\Internet Explorer\iexplore.exe[3476] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00FC1758 .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 411954D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 4126DB44 
C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 41365397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 413652C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 41365334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 4136519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 413651FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 413653FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 4136525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Programme\Internet Explorer\iexplore.exe[3476] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 016E8F70 .text C:\Programme\Internet Explorer\iexplore.exe[3476] WS2_32.dll!connect 71A14A07 5 Bytes JMP 016E8CE0 .text C:\Programme\Internet Explorer\iexplore.exe[3476] WS2_32.dll!getpeername 71A20B68 5 Bytes JMP 016E8F00 .text C:\WINDOWS\Explorer.EXE[3512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E81642 .text C:\WINDOWS\Explorer.EXE[3512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E8152C .text C:\WINDOWS\Explorer.EXE[3512] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 
Bytes JMP 00E81871 .text C:\WINDOWS\Explorer.EXE[3512] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00E81758 .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[3576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01991642 .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[3576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0199152C .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[3576] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01991871 .text C:\Dokumente und Einstellungen\rmhconcepts\Lokale Einstellungen\Anwendungsdaten\Akamai\netsession_win.exe[3576] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01991758 .text C:\WINDOWS\system32\ctfmon.exe[3664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE1642 .text C:\WINDOWS\system32\ctfmon.exe[3664] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE152C .text C:\WINDOWS\system32\ctfmon.exe[3664] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00FE1871 .text C:\WINDOWS\system32\ctfmon.exe[3664] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00FE1758 .text C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe[3808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017D1642 .text C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe[3808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017D152C .text C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe[3808] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 017D1871 .text C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe[3808] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 017D1758 .text C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe[4024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01081642 .text 
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe[4024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0108152C .text C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe[4024] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01081871 .text C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe[4024] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01081758 .text C:\Programme\DivX\DivX Update\DivXUpdate.exe[4028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013A1642 .text C:\Programme\DivX\DivX Update\DivXUpdate.exe[4028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013A152C .text C:\Programme\DivX\DivX Update\DivXUpdate.exe[4028] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 013A1871 .text C:\Programme\DivX\DivX Update\DivXUpdate.exe[4028] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 013A1758 .text C:\WINDOWS\system32\RUNDLL32.EXE[4036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE1642 .text C:\WINDOWS\system32\RUNDLL32.EXE[4036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE152C .text C:\WINDOWS\system32\RUNDLL32.EXE[4036] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00EE1871 .text C:\WINDOWS\system32\RUNDLL32.EXE[4036] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00EE1758 .text C:\WINDOWS\CleGameKey\driver\ZClevoGKY.exe[4068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF1642 .text C:\WINDOWS\CleGameKey\driver\ZClevoGKY.exe[4068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF152C .text C:\WINDOWS\CleGameKey\driver\ZClevoGKY.exe[4068] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00EF1871 .text C:\WINDOWS\CleGameKey\driver\ZClevoGKY.exe[4068] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00EF1758 .text C:\Programme\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026F1642 .text C:\Programme\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026F152C .text 
C:\Programme\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4072] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 026F1871 .text C:\Programme\Nero\Nero 10\Nero BackItUp\NBAgent.exe[4072] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 026F1758 .text C:\Programme\iTunes\iTunesHelper.exe[4080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D51642 .text C:\Programme\iTunes\iTunesHelper.exe[4080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D5152C .text C:\Programme\iTunes\iTunesHelper.exe[4080] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 02D51871 .text C:\Programme\iTunes\iTunesHelper.exe[4080] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 02D51758 .text C:\Programme\Messenger\msmsgs.exe[4092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018E1642 .text C:\Programme\Messenger\msmsgs.exe[4092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 018E152C .text C:\Programme\Messenger\msmsgs.exe[4092] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 018E1871 .text C:\Programme\Messenger\msmsgs.exe[4092] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 018E1758 .text C:\Programme\Mozilla Firefox\firefox.exe[4944] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 01E65B60 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Programme\Mozilla Firefox\firefox.exe[4944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA1642 .text C:\Programme\Mozilla Firefox\firefox.exe[4944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA152C .text C:\Programme\Mozilla Firefox\firefox.exe[4944] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00EA1871 .text C:\Programme\Mozilla Firefox\firefox.exe[4944] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00EA1758 .text C:\Programme\Mozilla Firefox\firefox.exe[4944] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 015E8F70 .text C:\Programme\Mozilla Firefox\firefox.exe[4944] WS2_32.dll!connect 71A14A07 5 Bytes JMP 015E8CE0 .text C:\Programme\Mozilla Firefox\firefox.exe[4944] 
WS2_32.dll!getpeername 71A20B68 5 Bytes JMP 015E8F00 .text C:\WINDOWS\system32\wuauclt.exe[5224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01351642 .text C:\WINDOWS\system32\wuauclt.exe[5224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0135152C .text C:\WINDOWS\system32\wuauclt.exe[5224] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01351871 .text C:\WINDOWS\system32\wuauclt.exe[5224] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01351758 .text C:\Programme\Mozilla Firefox\plugin-container.exe[6216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01031642 .text C:\Programme\Mozilla Firefox\plugin-container.exe[6216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0103152C .text C:\Programme\Mozilla Firefox\plugin-container.exe[6216] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 01031871 .text C:\Programme\Mozilla Firefox\plugin-container.exe[6216] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 01031758 .text C:\Programme\Mozilla Firefox\plugin-container.exe[6216] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 10450924 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Programme\Mozilla Firefox\plugin-container.exe[6216] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 10450ECF C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Dokumente und Einstellungen\rmhconcepts\Eigene Dateien\Downloads\1jgl2gto.exe[9264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F31642 .text C:\Dokumente und Einstellungen\rmhconcepts\Eigene Dateien\Downloads\1jgl2gto.exe[9264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F3152C .text C:\Dokumente und Einstellungen\rmhconcepts\Eigene Dateien\Downloads\1jgl2gto.exe[9264] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00F31871 .text C:\Dokumente und Einstellungen\rmhconcepts\Eigene Dateien\Downloads\1jgl2gto.exe[9264] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00F31758 .text C:\WINDOWS\system32\wscntfy.exe[9628] 
kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E91642 .text C:\WINDOWS\system32\wscntfy.exe[9628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E9152C .text C:\WINDOWS\system32\wscntfy.exe[9628] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 00E91871 .text C:\WINDOWS\system32\wscntfy.exe[9628] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 00E91758 ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 390700803 Disk \Device\Harddisk0\DR0 PE file @ sector 390700825 ---- EOF - GMER 1.0.15 ----

I just looked in Task Manager again to see which processes are running and found that iexplore.exe (Internet Explorer?) is running. But I use Firefox, so I don't know what that is.

Last edited by hoelschi (14.03.2012 at 01:19)
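Added example (not part of hoelschi's post and not a GMER component): a small Python triage script for logs in the layout shown above. It splits the log into its `---- Section - GMER x.y.z ----` blocks, lists the SSDT entries from the System block, pulls the sector numbers GMER marked as malicious, and separates user-mode hooks that GMER attributed to a named module (IEFRAME.dll, xul.dll) from unattributed JMPs into anonymous memory, reporting which of the latter appear in only some of the scanned processes. The sample log is a constructed excerpt of a few lines from the posted log; the section names and line layout are GMER's, while the `verdict` labels are the script's own convention.

```python
import re
from collections import defaultdict

# GMER separates its output into blocks headed "---- <Name> - GMER <version> ----".
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# One user-mode inline hook line:
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes <what GMER found there>
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes\s+(?P<rest>.*)$"
)
SECTOR_RE = re.compile(r"@ sector (\d+)")

# Constructed sample: a short excerpt in the layout of the log posted above.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-03-14 00:42:14
---- System - GMER 1.0.15 ----
SSDT F7AA6156 ZwCreateKey
SSDT F7AA6138 ZwOpenProcess
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[3512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E81642
.text C:\WINDOWS\Explorer.EXE[3512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E8152C
.text C:\Programme\Internet Explorer\iexplore.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011E1642
.text C:\Programme\Internet Explorer\iexplore.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011E152C
.text C:\Programme\Internet Explorer\iexplore.exe[1524] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 411954D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programme\Internet Explorer\iexplore.exe[1524] WS2_32.dll!connect 71A14A07 5 Bytes JMP 02518CE0
.text C:\Programme\Mozilla Firefox\firefox.exe[4944] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 01E65B60 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programme\Mozilla Firefox\firefox.exe[4944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA1642
.text C:\Programme\Mozilla Firefox\firefox.exe[4944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA152C
.text C:\Programme\Mozilla Firefox\firefox.exe[4944] WS2_32.dll!connect 71A14A07 5 Bytes JMP 015E8CE0
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 390700803
Disk \Device\Harddisk0\DR0 PE file @ sector 390700825
---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Group the non-empty lines of a GMER log by the section they appear in."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and current != "EOF":
            sections[current].append(line)
    return sections


def triage(text):
    """Summarise the parts of a GMER log a reviewer checks first."""
    sections = parse_gmer(text)
    ssdt = [l.split()[2] for l in sections.get("System", []) if l.startswith("SSDT ")]
    sectors = [int(SECTOR_RE.search(l).group(1))
               for l in sections.get("Disk sectors", [])
               if "malicious" in l and SECTOR_RE.search(l)]
    pids, per_func, by_pid, attributed = set(), defaultdict(set), defaultdict(set), 0
    for line in sections.get("User code sections", []):
        m = USER_HOOK_RE.match(line)
        if not m:
            continue
        pids.add(m["pid"])
        if m["rest"].rstrip().endswith(")"):
            attributed += 1  # GMER resolved the JMP target to a named module/vendor
        else:
            per_func[m["func"]].add(m["pid"])
            by_pid[m["pid"]].add(m["func"])
    # Hooks present in every scanned process are usually placed by one resident
    # component; the ones present in only some processes deserve the closer look.
    rare = {f for f, p in per_func.items() if len(p) < len(pids)}
    return {
        "ssdt_hooks": ssdt,
        "malicious_sectors": sectors,
        "process_count": len(pids),
        "attributed_hooks": attributed,
        "unattributed_by_process": {p: sorted(f) for p, f in by_pid.items()},
        "rare_unattributed_hooks": rare,
    }


def verdict(report):
    """Coarse priority label for the summary (this script's own convention)."""
    if report.get("malicious_sectors"):
        return "disk-sector"
    if report.get("ssdt_hooks"):
        return "kernel-hooks"
    if report.get("rare_unattributed_hooks"):
        return "user-hooks"
    return "nothing-flagged"


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(rep))
```

The script deliberately does not decide whether a hook is benign: the uniform CreateProcessW/A hooks in every process and the Winsock hooks in both browsers are surfaced as facts to be checked, and the disk-sector finding is passed through exactly as GMER labelled it.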