| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: shfaymzhlr.exeWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
| |
16.10.2007, 17:02
| #1 |
 |  shfaymzhlr.exe Hallo zusammen, ich hoffe ich Poste im richtigen Berreich. Seit einigen Tagen läuft dieses Prog im Hintergrund shfaymzhlr.exe. Es befindet sich im Ordner Win/System32. Ich kann es nicht zuordnen und bei google lande ich auch keinen Treffer. Habe es auch schon mit dem Security task Manager versucht, aber auch da kann mir keiner sagen was es ist. Vielen Dank schon mal für euere Antworten… Logfile of HijackThis v1.99.1 Scan saved at 17:58:31, on 16.10.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\Explorer.EXE C:\Programme\FRITZ!DSL\IGDCTRL.EXE C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\nvraidservice.exe C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe C:\WINDOWS\VM305_STI.EXE C:\WINDOWS\system32\ctfmon.exe C:\Programme\FRITZ!DSL\StCenter.exe C:\Programme\FRITZ!DSL\FwebProt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Programme\Security Task Manager\TaskMan.exe C:\Programme\Internet Explorer\iexplore.exe C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE C:\Programme\WinRAR\WinRAR.exe C:\DOKUME~1\INr23I\LOKALE~1\Temp\Rar$EX00.875\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_12\bin\ssv.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programme\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [amd_dc_opt] C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305) O4 - HKCU\..\Run: [shfaymzhlr] c:\windows\system32\shfaymzhlr.exe shfaymzhlr O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://germanhotstuff.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe |
|
16.10.2007, 19:14
| #2 |
| /// Helfer-Team    | shfaymzhlr.exe Hi,
__________________dann geh mal zu VirusTotal und lass dort die c:\windows\system32\shfaymzhlr.exe online scannen, Ergebnisse bitte komplett hierher kopieren. Gruß, Karl |
|
16.10.2007, 22:52
| #3 |
| | shfaymzhlr.exe Ich konnte die exe Datei nicht im Ordner System32 finden, dort ist nur eine shfaymzhlr.dat,
__________________shfaymzhlr_nav.dat und shfaymzhlr_navps.dat aufzufinden. Unter Windows/Preftech befindet sich diese Datei SHFAYMZHLR.EXE-0FFD8CC5.pf. Das Prog oder was es auch ist befindet sich im Systemstart, habe es dort aber deaktiviert. Ich bin nur etwas beunruhigt da sich seit einigen tagen beim öffnen des IE Fenster öffnen mit Viruswarnungen, dort werde ich aufgefordert den PC jetzt nach Viren zu durchsuchen. ..... Datei SHFAYMZHLR.EXE-0FFD8CC5.pf empfangen 2007.10.16 23:38:00 (CET) Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt Ergebnis: 0/32 (0%) Laden der Serverinformationen... Ihre Datei wartet momentan auf Position: ___. Geschätzte Startzeit is zwischen ___ und ___ . Dieses Fenster bis zum Abschluss des Scans nicht schließen. Der Scanner, welcher momentan Ihre Datei bearbeitet ist momentan gestoppt. Wir warten einige Sekunden um Ihr Ergebnis zu erstellen. Falls Sie längern als fünf Minuten warten, versenden Sie bitte die Datei erneut. Ihre Datei wird momentan von VirusTotal überprüft, Ergebnisse werden sofort nach der Generierung angezeigt. Filter Drucken der Ergebnisse Datei existiert nicht oder dessen Lebensdauer wurde überschritten Dienst momentan gestoppt. Ihre Datei befindet sich in der Warteschlange (position: ). Diese wird abgearbeitet, wenn der Dienst wieder startet. SIe können auf einen automatischen reload der homepage warten, oder ihre email in das untere formular eintragen. Klicken Sie auf "Anfragen", damit das System sie benachrichtigt wenn die Überprüfung abgeschlossen ist. Email: Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2007.10.17.0 2007.10.16 - AntiVir 7.6.0.23 2007.10.16 - Authentium 4.93.8 2007.10.16 - Avast 4.7.1051.0 2007.10.15 - AVG 7.5.0.488 2007.10.16 - BitDefender 7.2 2007.10.16 - CAT-QuickHeal 9.00 2007.10.16 - ClamAV 0.91.2 2007.10.16 - DrWeb 4.44.0.09170 2007.10.16 - eSafe 7.0.15.0 2007.10.15 - eTrust-Vet 31.2.5214 2007.10.16 - Ewido 4.0 2007.10.16 - FileAdvisor 1 2007.10.16 - Fortinet 3.11.0.0 2007.10.16 - F-Prot 4.3.2.48 2007.10.15 - F-Secure 6.70.13030.0 2007.10.16 - Ikarus T3.1.1.12 2007.10.16 - Kaspersky 7.0.0.125 2007.10.16 - McAfee 5142 2007.10.16 - Microsoft 1.2908 2007.10.16 - NOD32v2 2595 2007.10.16 - Norman 5.80.02 2007.10.16 - Panda 9.0.0.4 2007.10.16 - Prevx1 V2 2007.10.16 - Rising 19.45.12.00 2007.10.16 - Sophos 4.22.0 2007.10.16 - Sunbelt 2.2.907.0 2007.10.16 - Symantec 10 2007.10.16 - TheHacker 6.2.8.093 2007.10.16 - VBA32 3.12.2.4 2007.10.16 - VirusBuster 4.3.26:9 2007.10.16 - Webwasher-Gateway 6.6.1 2007.10.16 - weitere Informationen File size: 40236 bytes MD5: 3bf30ac9030bf7168572b452af63cfa6 SHA1: df0ddfcc7738ebe45c778a8e97cf5a120b5a32e4 .... Danke Dir für deine Hilfe |
|
17.10.2007, 00:50
| #4 |
| /// Helfer-Team | shfaymzhlr.exe Die PF-Datei ist harmlos, darin legt Windows nur Informationen ab, mit denen es in Zukunft Programme schneller starten kann, sind also Daten von Windows. Bei den anderen Dateinamen weiß ich aber schon, was los ist, Navipromo. Dass der O4-Eintrag sichtbar ist, deutet aber an, dass die Software eben nicht mehr läuft, normalerweise versteckt die den Eintrag mit einem Rootkit, aber wir werden sehen. Einige Scans auf Dateien, Prozesse und Registryeinträge, die vor den meisten anderen Scannern versteckt werden (durch ein sogenanntes Rootkit). Während dieser Scans soll(en):
Außerdem: Wir wollen uns mal den Inhalt einiger kritischer Verzeichnisse auf deinem System ansehen. Dazu arbeite bitte diese Anleitung ab. Scanner wieder einschalten, bevor Du ins Netz gehst! Nun alle Logs posten. |
|
17.10.2007, 06:02
| #5 |
| | shfaymzhlr.exe Also ich strate mal: GMER 1.0.13.12551 - http://www.gmer.net Rootkit scan 2007-10-17 06:24:47 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.13 ---- SSDT 876F98A8 ZwAlertResumeThread SSDT 876F83A8 ZwAlertThread SSDT 899A7838 ZwAllocateVirtualMemory SSDT 89B60A80 ZwConnectPort SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey SSDT 87701710 ZwCreateMutant SSDT 8985A838 ZwCreateThread SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey SSDT 8989A650 ZwFreeVirtualMemory SSDT 87700C10 ZwImpersonateAnonymousToken SSDT 89A480B0 ZwImpersonateThread SSDT 86E5E6F8 ZwMapViewOfSection SSDT 876E8C10 ZwOpenEvent SSDT 89847348 ZwOpenProcessToken SSDT 87754618 ZwOpenThreadToken SSDT 898F1008 ZwResumeThread SSDT 8770A3A8 ZwSetContextThread SSDT 876E7710 ZwSetInformationProcess SSDT 876F1C10 ZwSetInformationThread SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey SSDT 86E89628 ZwSuspendProcess SSDT 876F73A8 ZwSuspendThread SSDT 89A3DCD8 ZwTerminateProcess SSDT 876F2B18 ZwTerminateThread SSDT 899C2DC8 ZwUnmapViewOfSection SSDT 872C0690 ZwWriteVirtualMemory ---- Devices - GMER 1.0.13 ---- AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F745B1DE] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F745B1DE] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F745B454] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F745B1DE] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F744EF4C] fltMgr.sys AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [ |
|
17.10.2007, 06:03
| #6 |
| | shfaymzhlr.exe A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [A9DED370] SYMTDI.SYS AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F745B1DE] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F745B1DE] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F745B454] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F745B1DE] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F744EF4C] fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F744EF4C] fltMgr.sys ---- Registry - GMER 1.0.13 ---- Reg \Registry\USER\S-1-5-21-484763869-1454471165-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x9F 0x35 0xCB 0x5F ... Reg \Registry\USER\S-1-5-21-484763869-1454471165-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x41 0xE0 0x42 0x8C ... ---- Files - GMER 1.0.13 ---- ADS C:\Dokumente und Einstellungen\INr23I\Favoriten\Onlineshop\BitDefender Internet Security für 54,99 :favicon ---- EOF - GMER 1.0.13 ---- catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@?????????????? scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 |
|
17.10.2007, 06:04
| #7 |
| | shfaymzhlr.exe Dann noch Rootkid Reveal .... HKU\S-1-5-21-484763869-1454471165-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 13.10.2007 22:20 0 bytes Key name contains embedded nulls (*) HKLM\SECURITY\Policy\Secrets\SAC* 31.08.2007 11:24 0 bytes Key name contains embedded nulls (*) HKLM\SECURITY\Policy\Secrets\SAI* 31.08.2007 11:24 0 bytes Key name contains embedded nulls (*) HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 17.10.2007 06:31 80 bytes Data mismatch between Windows API and raw hive data. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\9482f4b4-e343-43b6-b170-9a65bc822c77 17.10.2007 06:28 0 bytes Hidden from Windows API. C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\SRTSP\SrtETmp\F38E0E5F.TMP 17.10.2007 06:42 0 bytes Hidden from Windows API. C:\Dokumente und Einstellungen\INr23I\Lokale Einstellungen\Temp\Rar$EX00.875\Eula.txt 28.07.2006 08:32 6.84 KB Visible in Windows API, but not in MFT or directory index. C:\Dokumente und Einstellungen\INr23I\Lokale Einstellungen\Temp\Rar$EX00.875\RootkitRevealer.chm 07.12.2005 15:19 99.77 KB Visible in Windows API, but not in MFT or directory index. C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\2007-10-17-1410.kc 17.10.2007 06:29 145.46 KB Visible in Windows API, but not in MFT or directory index. C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\2007-10-17-16ce.kc 17.10.2007 06:33 145.46 KB Hidden from Windows API. C:\Programme\Gemeinsame Dateien\Symantec Shared\VirusDefs\20071016.009\vscanmsx.dat 17.10.2007 06:35 2.02 KB Hidden from Windows API. C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 17.10.2007 06:32 64.00 KB Visible in Windows API, but not in MFT or directory index. |
|
| Themen zu shfaymzhlr.exe |
| ad-aware, adobe, bho, browser, dsl, excel, explorer, google, gservice, hijack, hijackthis, internet, internet explorer, internet security, monitor, nvidia, pdf, photoshop, programme, rundll, security, software, symantec, temp, unknown file in winsock lsp, usb, windows, windows xp |
Hybrid-Darstellung