Log analysis and evaluation: iexplorer.exe up to 10 times in Task Manager (Windows 7). If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#3
iexplorer.exe up to 10 times in Task Manager

Hi,
many, many thanks for being willing to help me. Here are the requested logs:

```
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 24.09.2008 13:55:09
Database loaded: signatures - 188307, NN profile(s) - 2, microprograms of healing - 56, signature database released 23.09.2008 23:40
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 73357
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->7C884FEC
Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->7C884F9C
Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->7C884FB0
Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->7C884FD8
Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->7C884FC4
IAT modification detected: LoadLibraryA - 7C884F9C<>7C801D7B
IAT modification detected: GetProcAddress - 7C884FEC<>7C80AE30
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->7E3BCE0E->7EEA0080
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->B2E2A1E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805879EB->B2E282F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8057065D->B2E1B750), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805B135A->B2E29F10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (8057FC60->B2E2A080), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805652B3->B2E2AD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (8059F509->B2E2A7B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (8058E63F->B2E2B600), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (805952BE->B2E1B860), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80592D50->B2E1B8E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805715E0->B2E2A380), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80570D64->B2E1B990), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (8059066B->B2E1BA40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtFlushKey (4F) intercepted (805DC590->B2E1BAF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtInitializeRegistry (5C) intercepted (805A8064->B2E1BB70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (805A3AF1->B2E27E50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (805AED5D->B2E1C590), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (805AEB9A->B2E1BB90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (8058A68D->B2E1BC70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056CD5B->F8555030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80568D59->B2E1BD50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805717C7->B2E29D00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (80570FD7->B2E2AB20), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80570A6D->B2E1BE30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (8064E320->B2E1BEE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8057BC36->B2E2B2B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8056A1F1->B2E1BF90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8064F0FA->B2E1C070), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->B2E28900), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8064EC91->B2E1C100), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (8058ECB2->B2E2B5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8064ED92->B2E1C300), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (8062DCDF->B2E2B940), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (8057494A->B2E2BF60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationKey (E2) intercepted (8064DE83->B2E1C390), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (8059B19B->B2E26A10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (805A7BDD->B2E2A9A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80572889->B2E1C430), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805E045E->B2E2B560), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (80649CE3->B2E281B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805822E0->B2E2B150), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtUnloadKey (107) intercepted (8064D9FA->B2E1C550), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (8057E420->B2E2A240), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp B2E2C380 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp B2E2C880 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 43, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 25
Analyzer: process under analysis is 1232 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1440 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1600 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1660 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1828 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 880 C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1580 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 3548 C:\Programme\Mozilla Firefox\firefox.exe
[ES]:Contains network functionality
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 2852 C:\PROGRA~1\Versatel\Versatel.exe
[ES]:Contains network functionality
[ES]:Trojan.PSW ?
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 378
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal REG files association
>> Service termination timeout is out of admissible values
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 403, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 24.09.2008 13:55:48
Time of scanning: 00:00:42
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete
```

Ohhhhhhh, where is the first one???? I saved it... and now it's gone... I'll do it again. Just a moment.