bitte um hilfe alles versucht ohne erfolg

BBJAY~ · 25.03.2009, 14:05

schönen guten tag an alle ,
hab mal wieder ein dickes problem wie es scheint

also kurze beschreibung:
gestern morgen tip top der pc alles war ok.
hab ihn dann gestern abend wieder angemacht und er lief richtig langsam und ich konnte keine verbindung ins internet bekommen übrigens hab ne 18000 leitung. updates auf denn neusten stand hab jetzt die ganze nacht alles versucht :
ob mit regestry cleaner , avast,g-data 2010, malwarebytes, spyware doctor,tune up 2009,nun auch schon AVG free 8.5 alle auf dem neusten stand natürlich erst andere deinstalliert bevor neues anti vir drauf....
nun hab auch gleich ein HijackThis gemacht :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:57:47, on 25.03.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Alles mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Alle &Videos mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Mit BitComet herunter&laden - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://www.flatcast-data.com/data/objects/NpFv501.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASP.NET-Zustandsdienst (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: olMntrService - Olivetti - C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - http://v.netlogstatic.com/v2.05/472//s/skins/love2/skinbg.jpg
O24 - Desktop Component 1: (no name) - http://stationbollywood.com/wp-content/uploads/2008/02/rani-mukherjee-007.jpg
O24 - Desktop Component 2: (no name) - http://internationalreporter.com/images/Rani_1.gif
O24 - Desktop Component 3: (no name) - http://www2.uol.com.br/bandasdegaragem/images/cds/capa1213422461.jpg
O24 - Desktop Component 4: (no name) - http://www.musik-base.de/images/fotogalerie/Fler-foto-11238.jpg
O24 - Desktop Component 5: (no name) - http://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.3.png
O24 - Desktop Component 6: (no name) - http://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.2.png
O24 - Desktop Component 7: (no name) - http://www.spielmit.com/myprofile/profileimages/images_de/NzY3NzEyOQ==1225173442.JPG
O24 - Desktop Component 8: (no name) - http://www.oneworldinternetcafe.com/betta/fullflare.jpg

--
End of file - 8625 bytes

hoffe ihr könnt mir helfen bin mit meinen latein am ende

Chris4You · 25.03.2009, 14:18

Hi,

Hijackthis, fixen:
öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten
Beim fixen müssen alle Programme geschlossen sein!

Code:

ATTFilter

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=

Dr. Web:
http://www.trojaner-board.de/59299-a...eb-cureit.html

Gmer:
http://www.trojaner-board.de/74908-a...t-scanner.html
Starte GMER und schaue, ob es schon was meldet. Macht es das, bitte alle Fragen mit "nein" beantworten, auf den Reiter "rootkit" gehen, wiederum die Frage mit "nein" beantworten und mit Hilfe von copy den Bericht in den Thread einfügen. Meldet es so nichts, gehe auf den Reiter Rootkit und mache einen Scan. ist dieser beendet, wähle Copy und füge den Bericht ein.

Noch ein neues HJ-Log mit den Logs der Tools posten...

chris

Ps.:
Die ganzen Desktopbilder sind gewollt?

Code:

ATTFilter

O24 - Desktop Component 0: (no name) - ht*p://v.netlogstatic.com/v2.05/472//s/skins/love2/skinbg.jpg
O24 - Desktop Component 1: (no name) - ht*p://stationbollywood.com/wp-content/uploads/2008/02/rani-mukherjee-007.jpg
O24 - Desktop Component 2: (no name) - ht*p://internationalreporter.com/images/Rani_1.gif
O24 - Desktop Component 3: (no name) - ht*p://www2.uol.com.br/bandasdegaragem/images/cds/capa1213422461.jpg
O24 - Desktop Component 4: (no name) - ht*p://www.musik-base.de/images/fotogalerie/Fler-foto-11238.jpg
O24 - Desktop Component 5: (no name) - ht*p://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.3.png
O24 - Desktop Component 6: (no name) - ht*p://www.rapgen.com/bilder/Flerrueckt/Fler-4.Album-nr.2.png
O24 - Desktop Component 7: (no name) - ht*p://www.spielmit.com/myprofile/profileimages/images_de/NzY3NzEyOQ==1225173442 .JPG
O24 - Desktop Component 8: (no name) - ht*p://www.oneworldinternetcafe.com/betta/fullflare.jpg

Wenn nein, gleich mit HJ fixen...

BBJAY~ · 25.03.2009, 19:46

schönen guten abend, so erst einmal danke für die schnelle hilfe leider ohne erfolg glaube ich mal erst einmal Dr. Web hat nichts gefunden

so nun was hijack gescannt hat:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:53, on 25.03.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Alles mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Alle &Videos mit BitComet herunterladen - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Mit BitComet herunter&laden - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://www.flatcast-data.com/data/objects/NpFv501.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASP.NET-Zustandsdienst (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: olMntrService - Olivetti - C:\Programme\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6869 bytes

und nun von gmer:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-25 19:45:01
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT sprk.sys ZwCreateKey [0xF72870E0]
SSDT sprk.sys ZwEnumerateKey [0xF72A5CA2]
SSDT sprk.sys ZwEnumerateValueKey [0xF72A6030]
SSDT sprk.sys ZwOpenKey [0xF72870C0]
SSDT sprk.sys ZwQueryKey [0xF72A6108]
SSDT sprk.sys ZwQueryValueKey [0xF72A5F88]
SSDT sprk.sys ZwSetValueKey [0xF72A619A]

INT 0x62 ? 837F4BF8
INT 0x63 ? 8376DBF8
INT 0x73 ? 83860BF8
INT 0x83 ? 83860BF8
INT 0xB4 ? 8376DBF8

---- Kernel code sections - GMER 1.0.15 ----

? sprk.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload F705C8AC 5 Bytes JMP 8376D1D8
.text a6xz0whe.SYS F6932384 1 Byte [20]
.text a6xz0whe.SYS F6932384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text a6xz0whe.SYS F69323AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text a6xz0whe.SYS F69323C4 3 Bytes [00, 00, 00]
.text a6xz0whe.SYS F69323C9 1 Byte [00]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] sprk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] sprk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] sprk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] sprk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] sprk.sys
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\a6xz0whe.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] sprk.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8385F1F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{7C1DED49-9391-4150-8F64-05A4A264950A} 82D101F8
Device \Driver\usbohci \Device\USBPDO-0 8376B1F8
Device \Driver\usbehci \Device\USBPDO-1 837601F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)

Device \Driver\PCI_PNP7986 \Device\00000057 sprk.sys
Device \Driver\Cdrom \Device\CdRom0 836D91F8
Device \Driver\Cdrom \Device\CdRom1 836D91F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82D101F8
Device \Driver\NetBT \Device\NetbiosSmb 82D101F8
Device \Driver\sptd \Device\523172986 sprk.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT-Kernel und -System/Microsoft Corporation)

Device \Driver\usbohci \Device\USBFDO-0 8376B1F8
Device \Driver\nvata \Device\NvAta0 838601F8
Device \Driver\usbehci \Device\USBFDO-1 837601F8
Device \Driver\nvata \Device\NvAta1 838601F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D011F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D011F8
Device \Driver\Ftdisk \Device\FtControl 838611F8
Device \Driver\a6xz0whe \Device\Scsi\a6xz0whe1 837521F8
Device \Driver\a6xz0whe \Device\Scsi\a6xz0whe1Port4Path0Target0Lun0 837521F8
Device \FileSystem\Cdfs \Cdfs 82D061F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x13 0x38 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x52 0xA4 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0x39 0x1F 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x52 0xA4 0xD6 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0x39 0x1F 0x3F ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}@12AED12 13242BE
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}\InprocServer32

---- EOF - GMER 1.0.15 ----

ich versteh zwar nicht was das alles da heißt aber hoffe jemand kann mir da weiter helfen, übrigens das mit denn descop fotos habe ich schon weg gemacht

lg

Chris4You · 27.03.2009, 08:38

Hi,

hmm, da ist ein Treiber drin der sich weit unten einhängt, aber von GMER nicht gefunden werden kann:

\System32\Drivers\a6xz0whe.SYS
Prüfe mal ob Du den findest unter:
c:\windows\System32\Drivers\a6xz0whe.SYS
und lasse ihn bei virustotal prüfen.

virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen
http://www.virustotal.com/flash/index_en.html

Dann haben wir noch sprk.sys, die aber u. U. zu Daemon-Tools gehören kann (setzt Du das ein?)

Malwarebytes Antimalware (MAM).
Anleitung&Download hier: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Fullscan und alles bereinigen lassen! Log posten.
Alternativer Download: http://filepony.de/download-malwarebytes_anti_malware/, http://www.gt500.org/malwarebytes/mbam.jsp

Silentrunner:
Ziparchive in ein Verzeichnis auspacken, mit Doppelklick starten, "ja" auswählen.
Die erstellte Datei findet sich im gleichen Verzeichnis wo das Script hinkopiert wurde, bitte in Editor laden und posten.
http://www.silentrunners.org/Silent%20Runners.zip

Avira-Antirootkit
Downloade Avira Antirootkit und Scanne dein system, poste das logfile.
http://dl.antivir.de/down/windows/antivir_rootkit.zip

chris

BBJAY~ · 27.03.2009, 20:56

huhu

also alles durch gearbeitet also System32\Drivers\a6xz0whe.SYS
ist nicht auf find bar

dann silent runner :

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
-> {HKLM...CLSID} = "BitComet Helper"
\InProcServer32\(Default) = "C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll" ["BitComet"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{A057A204-BACC-4D26-9990-79A187E2698E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgtoolbar.dll" ["[[[COMPANYNAME]]]----------------------------"]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Meine freigegebenen Ordner"
\InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~2\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~2\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~2\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSimpleStartMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideClock" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTrayItemsDisplay" = (REG_DWORD) dword:0x00000000
{Hide the notification area}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoAutoUpdate" = (REG_DWORD) dword:0x00000000
{Windows Automatic Updates}

"NoSaveSettings" = (REG_DWORD) dword:0x00000000
{Don't save settings at exit}

"NoViewContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTrayContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuNetworkPlaces" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoNetworkConnections" = (REG_DWORD) dword:0x00000000
{Remove Network Connections from Start Menu}

"NoNetHood" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoUserNameInStartMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoWindowsUpdate" = (REG_DWORD) dword:0x00000000
{Remove links and access to Windows Update}

"NoSetTaskbar" = (REG_DWORD) dword:0x00000000
{Prevent changes to Taskbar and Start Menu Settings}

"NoFind" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDesktop" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbars}

"NoToolbarsCustomize" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoDispSettingsPage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDispCPL" = (REG_DWORD) dword:0x00000000
{Remove Display in Control Panel}

"NoDispScrSavPage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDispAppearancePage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000
{Hide Desktop tab}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{Prevent access to registry editing tools}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{Remove Task Manager}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"ProgramsTab" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Check_If_Default" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"CalendarContact" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Messaging" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Advanced" = (REG_DWORD) dword:0x00000000
{Disable changing Advanced page settings}

"AdvancedTab" = (REG_DWORD) dword:0x00000000
{Disable the Advanced page}

"ConnectionsTab" = (REG_DWORD) dword:0x00000000
{Disable the Connections page}

"Connection Settings" = (REG_DWORD) dword:0x00000000
{Disable changing connection settings}

"Proxy" = (REG_DWORD) dword:0x00000000
{Disable changing proxy settings}

"AutoConfig" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ContentTab" = (REG_DWORD) dword:0x00000000
{Disable the Content page}

"CertifPub" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Ratings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"CertifPers" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"PrivacyTab" = (REG_DWORD) dword:0x00000000
{Disable the Privacy page}

"Privacy Settings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) dword:0x00000000
{Disable the Security page}

"SecChangeSettings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SecAddSites" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HomePage" = (REG_DWORD) dword:0x00000000
{Disable changing home page settings}

"GeneralTab" = (REG_DWORD) dword:0x00000000
{Disable the General page}

"Cache" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoFavorites" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSelectDownloadDir" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"ShutdownWithoutLogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Basra\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-burn\Command\(Default) = ""C:\Programme\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-copy\Command\(Default) = "C:\Programme\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-rip\Command\(Default) = ""C:\Programme\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

AVSDVDMovieOnArrival\
"Provider" = "AVS DVD Player"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithAVSDVDPlayer"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithAVSDVDPlayer\Command\(Default) = ""C:\Programme\AVSMedia\DVDPlayer\AVSDVDPlayer.EXE" "%L"" ["Online Media Technologies Ltd."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2008\OneClickStarter.exe /schedulestart" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{A057A204-BACC-4D26-9990-79A187E2698E}"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgtoolbar.dll" ["[[[COMPANYNAME]]]----------------------------"]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{A057A204-BACC-4D26-9990-79A187E2698E}" = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgtoolbar.dll" ["[[[COMPANYNAME]]]----------------------------"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
"ButtonText" = "BitComet"
"Script" = "res://C:\Programme\BitComet\tools\BitCometBHO_1.3.1.15.dll/206" ["BitComet"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "tbr:res?id=tabs&rep=1" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Java Quick Starter, JavaQuickStarterService, ""C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
olMntrService, olMntrService, "C:\Programme\Olivetti\ANY_WAY\olMntrService.exe" ["Olivetti"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
STI Simulator, STI Simulator, "C:\WINDOWS\System32\PAStiSvc.exe" [null data]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
---------- (launch time: 2009-03-27 20:50:42)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 30 seconds, including 9 seconds for message boxes)

BBJAY~ · 27.03.2009, 20:57

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Freitag, 27. März 2009 - 20:42:26
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.53 GB
- Working disk free size : 28.85 GB (38 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden value : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011} -> 12aed12

--------------------------------------------------------------------------------------------------------
Files: 0/24277
Registry items: 1/457179
Processes: 0/33
Scan time: 00:03:17
--------------------------------------------------------------------------------------------------------
Active processes:
- wlqlsaun.exe (PID 3692) (Avira AntiRootkit Tool - Beta)
- iexplore.exe (PID 4032)
- System (PID 4)
- smss.exe (PID 640)
- csrss.exe (PID 688)
- winlogon.exe (PID 716)
- services.exe (PID 760)
- lsass.exe (PID 772)
- ati2evxx.exe (PID 940)
- svchost.exe (PID 960)
- svchost.exe (PID 1052)
- svchost.exe (PID 1164)
- svchost.exe (PID 1204)
- ati2evxx.exe (PID 1240)
- svchost.exe (PID 1404)
- svchost.exe (PID 1524)
- spoolsv.exe (PID 1700)
- avgwdsvc.exe (PID 428)
- explorer.exe (PID 524)
- avgrsx.exe (PID 608)
- avgnsx.exe (PID 616)
- jqs.exe (PID 888)
- olMntrService.exe (PID 1340)
- PnkBstrA.exe (PID 1364)
- PAStiSvc.exe (PID 1484)
- svchost.exe (PID 1504)
- avgemc.exe (PID 1820)
- avgtray.exe (PID 2000)
- avgcsrvx.exe (PID 1780)
- alg.exe (PID 2132)
- ALCFDRTM.EXE (PID 2380)
- iexplore.exe (PID 1376)
- avirarkd.exe (PID 3208)
========================================================================================================
- Scan finished Freitag, 27. März 2009 - 20:45:44
========================================================================================================
Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Freitag, 27. März 2009 - 20:47:54
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.53 GB
- Working disk free size : 28.81 GB (38 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden value : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011} -> 12aed12

--------------------------------------------------------------------------------------------------------
Files: 0/24277
Registry items: 1/457290
Processes: 0/35
Scan time: 00:03:45
--------------------------------------------------------------------------------------------------------
Active processes:
- wlqlsaun.exe (PID 3692) (Avira AntiRootkit Tool - Beta)
- iexplore.exe (PID 4032)
- System (PID 4)
- smss.exe (PID 640)
- csrss.exe (PID 688)
- winlogon.exe (PID 716)
- services.exe (PID 760)
- lsass.exe (PID 772)
- ati2evxx.exe (PID 940)
- svchost.exe (PID 960)
- svchost.exe (PID 1052)
- svchost.exe (PID 1164)
- svchost.exe (PID 1204)
- ati2evxx.exe (PID 1240)
- svchost.exe (PID 1404)
- svchost.exe (PID 1524)
- spoolsv.exe (PID 1700)
- avgwdsvc.exe (PID 428)
- explorer.exe (PID 524)
- avgrsx.exe (PID 608)
- avgnsx.exe (PID 616)
- jqs.exe (PID 888)
- olMntrService.exe (PID 1340)
- PnkBstrA.exe (PID 1364)
- PAStiSvc.exe (PID 1484)
- svchost.exe (PID 1504)
- avgemc.exe (PID 1820)
- avgtray.exe (PID 2000)
- avgcsrvx.exe (PID 1780)
- alg.exe (PID 2132)
- ALCFDRTM.EXE (PID 2380)
- iexplore.exe (PID 1376)
- avirarkd.exe (PID 3208)
- wmiprvse.exe (PID 3680)
- wmiprvse.exe (PID 3656)
========================================================================================================
- Scan finished Freitag, 27. März 2009 - 20:51:40
========================================================================================================

Chris4You · 27.03.2009, 22:26

Hi,

nichts zu finden, was schmeisst MAM raus?
Ich muss mir noch was überlegen bzw. nachfragen, der Hiddenkey wird auch von Avira gefunden interessant wäre der Eintrag unter:
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}\InprocServer32
Unter dem Servereintrag liegt meist das Programm/Dll, da der Eintrag hidden ist, kommen wir da aber wahrscheinlich nicht so einfach hin...

Melde mich später wieder.....

chris

BBJAY~ · 28.03.2009, 09:11

guten morgen,
also komisch ist das der antivir rootkit mir gestern auf gefunden hat ich aber selber mit programm nichts löschen konnte. und das ich im sytsem32 denn treiner nicht manuel finden konnte obwohl ich versteckte sytsem datein mit angeklickt hatte.

mfg

BBJAY~ · 31.03.2009, 00:42

hat jemand in diesem fall rat? freue mich über jede hilfe

Kaos · 31.03.2009, 02:08

Zitat:

also komisch ist das der antivir rootkit mir gestern auf gefunden hat ich aber selber mit programm nichts löschen konnte. und das ich im sytsem32 denn treiner nicht manuel finden konnte obwohl ich versteckte sytsem datein mit angeklickt hatte.

Also ich weiss jetzt nicht genau was du meinst. Was hat Antivir-Rootkit wo gefunden?

Also die a6xz0whe.SYS sieht mir sehr nach Daemon-Tools aus. Dieser Treibername ändert sich bei jedem Neustart. Führe erneut ein Gmerscan aus und poste das Ergebnis.

Hast du einen Dell-PC?

Chris4You · 31.03.2009, 06:53

Hi,

Daemon-Tools könnte sein, allerdings gehen die Meinung da etwas auseinander...

Am einfachsten dürfte in diesem Fall sein, den Rechner von CD aus zu scannen (Boot-CD erstellen). Dazu zwei Varianten:

Antivir, Rescue-CD
http://www.avira.de/de/support/support_downloads.html
Dort bitte das Rescue System sowie das update
dazu runterladen. Beim Start der Anwendung leere CD in den Brenner,
CD brennen lassen. Zweite CD brennen mit dem ausgepackten Update.
Von CD booten (Einstellung im BIOS vornehmen)...
http://www.pcwelt.de/start/sicherheit/antivirus/news/149200/

G Data-Rettungs-CD, Größe ca. 110 MB:
http://www.gdata.de/typo3conf/ext/dam_frontend/pushfile.php?docID=826
Runterladen und dann auf CD brennen, von CD booten (im Bios die Bootreihenfolge umstellen, gilt auch für AVIRA)....

chris

Kaos · 31.03.2009, 15:27

Ob es die Daemon-Tools sind lässt sich recht leicht prüfen. Nach einem Gmerscan den Namen des gefundenen Treibers mit den Eintrag im Gerätemanager vergleichen. Unter (SCSI-und RAID-Controller). Sind die Namen identisch kann man sicher davon ausgehen, das es von Daemon-Tools kommt.

Aber das System von einer Rescue-CD zu scannen ist sowieso eine gute Idee.

BBJAY~ · 31.03.2009, 16:05

guten tag,
nein ist kein dell-pc ist ein AMD athlon(tm) 64 Prossesor 3800 +
2,41 GHZ und 768 arbeitsspeicher

erst einmla alle installierten programme :
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Ashampoo Burning Studio 6 FREE
ATI - Dienstprogramm zur Deinstallation der Software
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Problem Report Wizard
Avira AntiVir Personal - Free Antivirus
AVIVO Codecs
AVS DVD Player version 2.4
BitComet 1.09
CCleaner (remove only)
CD Bremse 1.48
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2 deutsch (DeCSS-frei)
HijackThis 2.0.2
ICQ Toolbar
ICQ6
Java(TM) 6 Update 12
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 6
LiveUpdate BVRP Software
MAGIX Fotos auf CD & DVD 8 deluxe Download-Version 8.0.2.2 (D)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Language Pack - DEU
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 German Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mobile PhoneTools
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
NVIDIA Drivers
NVIDIA PhysX v8.10.13
Realtek AC'97 Audio
Registry Mechanic 8.0
Star Wars Empire at War
Stargate Empire at War
Steinberg Cubase SX
Steinberg Cubase SX 3
SUPERAntiSpyware Free Edition
SyncroSoft Emu (Remove only)
Syncrosofts Lizenz Kontrolle
TuneUp Utilities 2008
UltraStar Deluxe
Veoh Player
Viewpoint Media Player
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

gmer läuft grad noch durch kommt auch gleich

BBJAY~ · 31.03.2009, 16:07

so gmer :

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-31 17:06:44
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT F7AA3876 ZwCreateKey
SSDT F7AA386C ZwCreateThread
SSDT F7AA387B ZwDeleteKey
SSDT F7AA3885 ZwDeleteValueKey
SSDT sppq.sys ZwEnumerateKey [0xF72A5CA2]
SSDT sppq.sys ZwEnumerateValueKey [0xF72A6030]
SSDT F7AA388A ZwLoadKey
SSDT sppq.sys ZwOpenKey [0xF72870C0]
SSDT F7AA3858 ZwOpenProcess
SSDT F7AA385D ZwOpenThread
SSDT sppq.sys ZwQueryKey [0xF72A6108]
SSDT sppq.sys ZwQueryValueKey [0xF72A5F88]
SSDT F7AA3894 ZwReplaceKey
SSDT F7AA388F ZwRestoreKey
SSDT F7AA3880 ZwSetValueKey
SSDT F7AA3867 ZwTerminateProcess

INT 0x62 ? 837F4BF8
INT 0x63 ? 83767BF8
INT 0x73 ? 83860BF8
INT 0x83 ? 83860BF8
INT 0xB4 ? 83767BF8

---- Kernel code sections - GMER 1.0.15 ----

? sppq.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload F705C8AC 5 Bytes JMP 837671D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] sppq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] sppq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] sppq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] sppq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] sppq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] sppq.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8385F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7C1DED49-9391-4150-8F64-05A4A264950A} 82D121F8
Device \Driver\usbohci \Device\USBPDO-0 836E71F8
Device \Driver\usbehci \Device\USBPDO-1 837161F8
Device \Driver\Cdrom \Device\CdRom0 8378D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82D121F8
Device \Driver\NetBT \Device\NetbiosSmb 82D121F8
Device \Driver\usbohci \Device\USBFDO-0 836E71F8
Device \Driver\usbehci \Device\USBFDO-1 837161F8
Device \Driver\nvata \Device\NvAta0 838601F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D091F8
Device \Driver\nvata \Device\NvAta1 838601F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D091F8
Device \Driver\Ftdisk \Device\FtControl 838611F8
Device \FileSystem\Cdfs \Cdfs 82D041F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x13 0x38 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x62 0xA1 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0x5E 0x6D 0xD0 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xB1 0x49 0xAE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x52 0xA4 0xD6 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x75 0xBE 0x20 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0x39 0x1F 0x3F ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE5 0x8D 0x6A 0xDF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}@12AED12 13242BE
Reg HKLM\SOFTWARE\Classes\CLSID\{76416OEM-0119-0128-6464-896836586011}\InprocServer32

---- EOF - GMER 1.0.15 ----

BBJAY~ · 31.03.2009, 16:10

übrigens ahbe ich vorm sclan deamontools deinstalliert

bitte um hilfe alles versucht ohne erfolg

Log-Analyse und Auswertung: bitte um hilfe alles versucht ohne erfolg