
Log Analysis and Evaluation: Infected?

Windows 7 If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

Old 15.07.2009, 22:04   #16
der_gizmo

Infected?



This is what GMER produced:

Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 23:00:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT      BAFA977E                                                                                                                                        ZwCreateKey
SSDT      BAFA9774                                                                                                                                        ZwCreateThread
SSDT      BAFA9783                                                                                                                                        ZwDeleteKey
SSDT      BAFA978D                                                                                                                                        ZwDeleteValueKey
SSDT      sprs.sys                                                                                                                                        ZwEnumerateKey [0xBA6C6CA2]
SSDT      sprs.sys                                                                                                                                        ZwEnumerateValueKey [0xBA6C7030]
SSDT      BAFA9792                                                                                                                                        ZwLoadKey
SSDT      sprs.sys                                                                                                                                        ZwOpenKey [0xBA6A80C0]
SSDT      BAFA9760                                                                                                                                        ZwOpenProcess
SSDT      BAFA9765                                                                                                                                        ZwOpenThread
SSDT      sprs.sys                                                                                                                                        ZwQueryKey [0xBA6C7108]
SSDT      sprs.sys                                                                                                                                        ZwQueryValueKey [0xBA6C6F88]
SSDT      BAFA979C                                                                                                                                        ZwReplaceKey
SSDT      BAFA9797                                                                                                                                        ZwRestoreKey
SSDT      BAFA9788                                                                                                                                        ZwSetValueKey
SSDT      BAFA976F                                                                                                                                        ZwTerminateProcess

INT 0x62  ?                                                                                                                                               8A613BF8
INT 0x63  ?                                                                                                                                               8A613BF8
INT 0x63  ?                                                                                                                                               8A613BF8
INT 0x63  ?                                                                                                                                               8A306BF8
INT 0x73  ?                                                                                                                                               8A5A5BF8
INT 0x73  ?                                                                                                                                               8A5A5BF8
INT 0x83  ?                                                                                                                                               8A306BF8
INT 0xA4  ?                                                                                                                                               8A306BF8
INT 0xB4  ?                                                                                                                                               8A306BF8

Code      8A0B8FD8                                                                                                                                        ZwFlushInstructionCache
Code      8A0B8E26                                                                                                                                        IofCallDriver
Code      88A32386                                                                                                                                        IofCompleteRequest
Code      8A0B90B5                                                                                                                                        ZwSaveKey
Code      8A0B918D                                                                                                                                        ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text     ntkrnlpa.exe!IofCallDriver                                                                                                                      804EF1A6 5 Bytes  JMP 8A0B8E2B 
.text     ntkrnlpa.exe!IofCompleteRequest                                                                                                                 804EF236 5 Bytes  JMP 88A3238B 
.text     ntkrnlpa.exe!ZwSaveKey                                                                                                                          80500D68 5 Bytes  JMP 8A0B90BA 
.text     ntkrnlpa.exe!ZwSaveKeyEx                                                                                                                        80500D7C 5 Bytes  JMP 8A0B9192 
PAGE      ntkrnlpa.exe!ZwFlushInstructionCache                                                                                                            805B6812 5 Bytes  JMP 8A0B8FDC 
?         sprs.sys                                                                                                                                        Das System kann die angegebene Datei nicht finden. !
.text     USBPORT.SYS!DllUnload                                                                                                                           B9A388AC 5 Bytes  JMP 8A3061D8 

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                              [BA6A9040] sprs.sys
IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                      [BA6A913C] sprs.sys
IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                             [BA6A90BE] sprs.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                     [BA6A97FC] sprs.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                             [BA6A96D2] sprs.sys

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                                                          8A5A11F8
Device    \Driver\NetBT \Device\NetBT_Tcpip_{2833BB1A-0A93-49A6-A6B6-03EA4ACA14FF}                                                                        8A37B500
Device    \Driver\usbuhci \Device\USBPDO-0                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBPDO-1                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBPDO-2                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBPDO-3                                                                                                                8A304500
Device    \Driver\NetBT \Device\NetBT_Tcpip_{3ABE492C-1F38-465D-BD23-F6074506C18A}                                                                        8A37B500
Device    \Driver\usbehci \Device\USBPDO-4                                                                                                                8A323500
Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                          8A5A31F8
Device    \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                          8A5A31F8
Device    \Driver\Cdrom \Device\CdRom1                                                                                                                    8A258430
Device    \Driver\usbstor \Device\00000080                                                                                                                8A0CC1F8
Device    \Driver\usbstor \Device\00000081                                                                                                                8A0CC1F8
Device    \Driver\usbstor \Device\00000082                                                                                                                8A0CC1F8
Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                         8A37B500
Device    \Driver\PCI_PNP8880 \Device\0000004b                                                                                                            sprs.sys
Device    \Driver\NetBT \Device\NetbiosSmb                                                                                                                8A37B500
Device    \Driver\usbuhci \Device\USBFDO-0                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBFDO-1                                                                                                                8A304500
Device    \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                               89F78500
Device    \Driver\usbstor \Device\0000007b                                                                                                                8A0CC1F8
Device    \Driver\usbuhci \Device\USBFDO-2                                                                                                                8A304500
Device    \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                     89F78500
Device    \Driver\usbuhci \Device\USBFDO-3                                                                                                                8A304500
Device    \Driver\usbehci \Device\USBFDO-4                                                                                                                8A323500
Device    \Driver\Ftdisk \Device\FtControl                                                                                                                8A5A31F8
Device    \Driver\usbstor \Device\0000007f                                                                                                                8A0CC1F8
Device    \Driver\sptd \Device\2065586380                                                                                                                 sprs.sys
Device    \Driver\agvko7uw \Device\Scsi\agvko7uw1Port5Path0Target0Lun0                                                                                    8A2401F8
Device    \Driver\agvko7uw \Device\Scsi\agvko7uw1                                                                                                         8A2401F8
Device    \Driver\JRAID \Device\Scsi\JRAID1                                                                                                               8A5A21F8
Device    \FileSystem\Cdfs \Cdfs                                                                                                                          8A0CB1F8

---- Registry - GMER 1.0.15 ----

Reg       HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}                                 
Reg       HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@oaekjkbfbepihimmfanddhhpkpmmmg  0x64 0x61 0x64 0x69 ...
Reg       HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@oailjhhlcmlbmnhbkmoclnfonplpan  0x6A 0x61 0x64 0x69 ...
Reg       HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@nacipnbaldjcfbiifafcoeinhgmo    0x6A 0x61 0x64 0x69 ...

---- Disk sectors - GMER 1.0.15 ----

Disk      \Device\Harddisk0\DR0                                                                                                                           sector 01: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 02: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 03: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 04: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 05: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 06: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 07: rootkit-like behavior; copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 08: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 09: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 10: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 11: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 12: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 13: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 14: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 15: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 16: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 17: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 18: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 19: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 20: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 21: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 22: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 23: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 24: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 25: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 26: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 27: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 28: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 29: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 30: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 31: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 32: rootkit-like behavior; copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 33: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 34: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 35: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 36: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 37: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 38: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 39: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 40: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 41: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 42: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 43: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 44: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 45: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 46: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 47: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 48: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 49: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 50: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 51: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 52: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 53: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 54: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 55: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 56: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 57: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 58: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 59: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 60: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 61: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 62: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                           sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
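
A GMER log of this shape can be triaged mechanically. The script below is an added example, not GMER's own code and not something from the thread: it splits GMER's space-padded columns and flags the indicator classes visible in the log above (rewritten SSDT entries, IDT entries with an unresolved owner, inline JMP patches in kernel code sections, a driver whose on-disk file cannot be read, IAT entries of one driver redirected into another, device objects owned by a file rather than an address, registry entries GMER lists, and disk sectors GMER itself labels "rootkit-like behavior"). Which lines count as "worth review" is this example's own assumption; the only verdict GMER prints is the "rootkit-like behavior" text. The embedded sample log is a constructed subset of the lines posted above.

```python
"""GMER log triage: parse the scan output and flag the classic rootkit indicators.

Added example, not GMER's own code or anything from the thread. The heuristics
are this example's assumptions about what deserves review; the only label GMER
itself assigns is the 'rootkit-like behavior' text on the disk-sector lines.
"""
import re
from collections import Counter, namedtuple

# category: kind of indicator; where: the hooked object; who: owner or target
Finding = namedtuple("Finding", "category where who")

HEX_ADDR = re.compile(r"^[0-9A-F]{8}$")      # a bare 32-bit kernel address
COLUMN_GAP = re.compile(r" {2,}")            # GMER pads its columns with 2+ spaces
CODE_SECTIONS = {".text", "PAGE", "INIT"}    # PE sections GMER reports patches in

# Constructed sample: a subset of the lines from the GMER 1.0.15 log in the thread.
SAMPLE_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 23:00:43
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT      BAFA977E          ZwCreateKey
SSDT      sprs.sys          ZwEnumerateKey [0xBA6C6CA2]
SSDT      sprs.sys          ZwOpenKey [0xBA6A80C0]

INT 0x62  ?                 8A613BF8

---- Kernel code sections - GMER 1.0.15 ----

.text     ntkrnlpa.exe!IofCallDriver    804EF1A6 5 Bytes  JMP 8A0B8E2B
?         sprs.sys                      Das System kann die angegebene Datei nicht finden. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]    [BA6A9040] sprs.sys

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                  8A5A11F8
Device    \Driver\PCI_PNP8880 \Device\0000004b    sprs.sys

---- Registry - GMER 1.0.15 ----

Reg       HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@oaekjkbfbepihimmfanddhhpkpmmmg  0x64 0x61 0x64 0x69 ...

---- Disk sectors - GMER 1.0.15 ----

Disk      \Device\Harddisk0\DR0    sector 06: copy of MBR
Disk      \Device\Harddisk0\DR0    sector 07: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
"""


def split_columns(line):
    """GMER separates its columns with runs of two or more spaces."""
    return [c for c in COLUMN_GAP.split(line.strip()) if c]


def triage(log_text):
    """Return the Findings worth a human look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("----"):
            continue                      # blank lines and section headers
        cols = split_columns(raw)
        if len(cols) < 2:
            continue                      # banner: version, date, OS
        kind, subject, value = cols[0], cols[1], " ".join(cols[2:])
        if kind == "SSDT":
            # every SSDT line is a rewritten service-table entry; 'who' is the
            # named driver if GMER resolved it, otherwise the bare address
            findings.append(Finding("ssdt_hook", value.split()[0], subject))
        elif kind.startswith("INT") and subject == "?":
            findings.append(Finding("int_hook", kind, value))   # unresolved IDT owner
        elif kind in CODE_SECTIONS and "JMP" in value:
            findings.append(Finding("inline_patch", subject, value))
        elif kind == "?":
            # module is present in memory but its file could not be read from disk
            findings.append(Finding("unreadable_module", value, subject))
        elif kind == "IAT":
            importer = subject.split("[", 1)[0]
            target = value.split()[-1]
            if not HEX_ADDR.match(target) and target.lower() != importer.lower():
                findings.append(Finding("iat_redirect", subject, target))
        elif kind == "Device" and value and not HEX_ADDR.match(value):
            # device object served by a named file instead of a kernel address
            findings.append(Finding("device_owner", subject, value))
        elif kind == "Reg":
            findings.append(Finding("registry_entry", subject, value))
        elif kind == "Disk" and "rootkit-like behavior" in value:
            findings.append(Finding("disk_sector", subject, value))
    return findings


def implicated_modules(findings):
    """How often each driver file appears as hook owner or redirect target."""
    return Counter(f.who.lower() for f in findings if f.who.lower().endswith(".sys"))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.category:<18} {f.who:<12} {f.where}")
    print("modules implicated:", dict(implicated_modules(found)))
```

On the sample, every flagged line except the unresolved SSDT address and the IDT entry points back at the same driver file, which is the signal the helper in the next post reacts to: one driver name recurring across SSDT, IAT, device and on-disk-unreadable findings is far more telling than any single hook.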

Old 15.07.2009, 22:10   #17
john.doe

Infected?



Then have a look at who you are dealing with => ThreatExpert Report: Packed.Win32.Tdss.w, Trojan.Win32.Alureon.

Rootkit scan with RootRepeal
  • Go here, scroll down and download RootRepeal.zip.
  • Unpack the file to your desktop.
  • Double-click RootRepeal.exe to start the scanner.
  • Click the Report tab and then the Scan button.
  • Tick the following items and click Ok.
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
  • You will then be asked which drives should be scanned.
  • Select C:\ and click Ok again.
  • The scan starts automatically; it will take a while, so please be patient.
  • When the scan has finished, click Save Report.
  • Save the log file as RootRepeal.txt on the desktop.
  • Copy its contents into this thread.

ciao, andreas

Edit: Please also post the first part of Info.txt, I need your software list.

Old 15.07.2009, 22:18   #18
der_gizmo

Infected?



Info part 1.1:

Code:
======Uninstall list======

-->"C:\Programme\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W /L:GER
-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x7  /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}
Acrobat.com-->MsiExec.exe /I{C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe After Effects CS4 Presets-->MsiExec.exe /I{44E240EC-2224-4078-A88B-2CEE0D3016EF}
Adobe After Effects CS4 Third Party Content-->MsiExec.exe /I{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}
Adobe After Effects CS4-->MsiExec.exe /I{45EC816C-0771-4C14-AE6D-72D1B578F4C8}
Adobe AIR-->c:\Programme\Gemeinsame Dateien\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Asset Services CS4-->MsiExec.exe /I{B9F4561A-924D-4510-A85A-BB0960C338CB}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Extra Settings CS4-->MsiExec.exe /I{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Recommended Settings CS4-->MsiExec.exe /I{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
Adobe Color Video Profiles AE CS4-->MsiExec.exe /I{B15381DD-FF97-4FCD-A881-ED4DB0975500}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe Contribute CS4-->MsiExec.exe /I{A6EC82A0-1414-475D-8AFD-469089F3080D}
Adobe Creative Suite 4 Master Collection-->C:\Programme\Gemeinsame Dateien\Adobe\Installers\b2d6abde968e6f277ddbfd501383e02\Setup.exe --uninstall=1
Adobe Creative Suite 4 Master Collection-->MsiExec.exe /I{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}
Adobe CS4 American English Speech Analysis Models-->MsiExec.exe /I{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Dreamweaver CS4-->MsiExec.exe /I{30C8AA56-4088-426F-91D1-0EDFD3A25678}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe Dynamiclink Support-->MsiExec.exe /I{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}
Adobe Encore CS4 Codecs-->MsiExec.exe /I{FB2A5FCC-B81B-48C2-A009-7804694D83E9}
Adobe Encore CS4-->MsiExec.exe /I{5EAD5443-7194-46CC-A055-428E6ABB1BAF}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Fireworks CS4-->MsiExec.exe /I{428FDF9F-E010-4C4C-A8BB-156960AFCA1C}
Adobe Flash CS4 Extension - Flash Lite STI en-->MsiExec.exe /I{793D1D88-6141-43DE-BE58-59BCE31B4090}
Adobe Flash CS4 STI-en-->MsiExec.exe /I{2168245A-B5AD-40D8-A641-48E3E070B5B6}
Adobe Flash CS4-->MsiExec.exe /I{F6E99614-F042-4459-82B7-8B38B2601356}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{03DEEAD2-F3B7-45BF-9006-A25D015F00D2}
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Illustrator CS4-->MsiExec.exe /I{87532CAB-7932-4F84-8937-823337622807}
Adobe InDesign CS4 Application Feature Set Files (Roman)-->MsiExec.exe /I{2BAF2B96-7560-48B4-87D4-10178DDBE217}
Adobe InDesign CS4 Common Base Files-->MsiExec.exe /I{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}
Adobe InDesign CS4 Icon Handler-->MsiExec.exe /I{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}
Adobe InDesign CS4-->MsiExec.exe /I{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Media Encoder CS4 Additional Exporter-->MsiExec.exe /I{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}
Adobe Media Encoder CS4 Dolby-->MsiExec.exe /I{EE353798-E875-42E0-B58D-7E6696182EA8}
Adobe Media Encoder CS4 Exporter-->MsiExec.exe /I{561968FD-56A1-49FD-9ED0-F55482C7C5BC}
Adobe Media Encoder CS4 Importer-->MsiExec.exe /I{8186FF34-D389-4B7E-9A2F-C197585BCFBD}
Adobe Media Encoder CS4-->MsiExec.exe /I{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}
Adobe Media Player-->msiexec /qb /x {39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Media Player-->MsiExec.exe /I{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe MotionPicture Color Files CS4-->MsiExec.exe /I{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}
Adobe OnLocation CS4-->MsiExec.exe /I{7406DF60-016D-476B-A2C7-55D997592047}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Premiere Pro CS4 Functional Content-->MsiExec.exe /I{B169BC97-B8AA-4ACA-9CF2-9D0FF5BABDF7}
Adobe Premiere Pro CS4 Third Party Content-->MsiExec.exe /I{C938BE91-3BB5-4B84-9EF6-88F0505D0038}
Adobe Premiere Pro CS4-->MsiExec.exe /I{D499F8DE-3F31-4900-9157-61061613704B}
Adobe Reader 9.1 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}
Adobe SGM CS4-->MsiExec.exe /I{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}
Adobe SING CS4-->MsiExec.exe /I{4A52555C-032A-4083-BDD9-6A85ABFB39A8}
Adobe Soundbooth CS4 Codecs-->MsiExec.exe /I{52232EF4-CC12-4C21-ABCF-ADB79618302D}
Adobe Soundbooth CS4-->MsiExec.exe /I{14F70205-1940-4000-88C7-BE799A6B2CAD}
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe Version Cue CS4 Server-->MsiExec.exe /I{1B7C06E1-4888-47A6-992A-0990B9683486}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
         

Alt 15.07.2009, 22:20   #19
der_gizmo
 

Infiziert?



Info Part 1.2

Code:
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
Age of Empires III-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{A8CF5C37-8EC5-4C33-BB4A-87F468B77D45} 
AirPlus G-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{0EA44599-1E9D-4517-A088-9588A9FAB211} /l1031 
ANIO Service-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe" 
ANIWZCS2 Service-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe" 
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ask Toolbar-->rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O 
Audacity 1.2.6-->"C:\Programme\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir Desktop\setup.exe /REMOVE
BitComet FLV Converter 1.0-->C:\Programme\BitComet FLV Converter\uninst.exe
Camera RAW Plug-In for EPSON Creativity Suite-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{93EA9C3E-BDFD-4309-A605-9B5BBC0CCEFD}\SETUP.EXE" -l0x7 UNINST
CD Audio Reader Filter (remove only)-->"C:\Programme\CD Audio Reader Filter\uninstall.exe"
CDBurnerXP-->"C:\Programme\CDBurnerXP\unins000.exe"
CodecInstaller 2.10.2-->C:\Programme\JockerSoft\CodecInstaller\uninst.exe
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
Creative MediaSource-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x7  /remove
Creative-Systeminformationen-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x7  /remove
DAEMON Tools Toolbar-->C:\Programme\DAEMON Tools Toolbar\uninst.exe
DC-Bass Source 1.1.1-->"C:\Programme\DSP-worx\DC-Bass Source\Uninstall.exe"
DirectVobSub (remove only)-->"C:\Programme\DirectVobSub\uninstall.exe"
Disc2Phone-->MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
DScaler 5 Mpeg Decoders-->"C:\Programme\DScaler5\unins000.exe"
EPSON Attach To Email-->C:\Programme\Gemeinsame Dateien\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3D78F2A2-C893-4ABD-B5FE-AD7011837755}\SETUP.EXE" -l0x7 UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x7 UNINST
EPSON Print CD-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\SETUP.EXE" -l0x7 -SYSTEM
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x7 -u
EPSON Stylus Photo R285_290 Handbuch-->C:\Programme\EPSON\TPMANUAL\ESPR285_290\DEU\USE_G\DOCUNINS.EXE
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x7 -anything
EPSON-Drucker-Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EVGA Display Driver-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\setup.exe" -l0x7  -removeonly
ffdshow [rev 1685] [2007-12-06]-->"C:\Programme\ffdshow\unins000.exe"
Firebird SQL Server - MAGIX Edition-->C:\Programme\MAGIX\Common\Database\unwise.exe
Free YouTube to iPod Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to iPod Converter\unins000.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FrostWire 4.17.2-->C:\Programme\FrostWire\Uninstall.exe
FUSSBALL MANAGER 09-->C:\Programme\EA SPORTS\FUSSBALL MANAGER 09\eauninstall.exe
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\programme\google\googletoolbar1.dll"
Gorilla 2-->C:\Programme\Gorilla 2\uninstall.exe
Haali Media Splitter-->"C:\Programme\Haali\MatroskaSplitter\uninstall.exe"
Hamachi 1.0.3.0-->C:\Programme\Hamachi\uninstall.exe
Heroes of Might and Magic V-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{20071984-5EB1-4881-8EDB-082532ACEC6D}\setup.exe" -l0x7 
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Programme\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix für Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix für Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ICQ Toolbar-->C:\Programme\ICQ6Toolbar\ICQUnToolbar.exe
ICQ6.5-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Jasc Paint Shop Pro 9-->MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JRAID-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\Setup.exe" -l0x7  -removeonly
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
MAGIX Music Maker 14 Producer Edition Trial 13.0.2.1 (US)-->C:\Programme\MAGIX\MusicMaker14PE_Download_version\unwise.exe
MAGIX Screenshare 4.3.6.1987 (US)-->C:\Programme\MAGIX\PCVisit\unwise.exe
Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe"
Media Go-->MsiExec.exe /X{C9C13822-A638-4331-99A3-4498A5901693}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU-->MsiExec.exe /I{9309DD7E-EBFE-3C95-8B47-30D3A012F606}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - DEU-->MsiExec.exe /I{A1071AEB-B0EF-3F5F-BC84-83A270EBE496}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - deu\setup.exe
Microsoft .NET Framework 3.5 Language Pack - deu-->MsiExec.exe /I{1545207E-C6F3-31D7-9918-BDBB65075FBF}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft .NET Framework 4 Client Profile Beta 1-->C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\SetupCache\Microsoft .NET Framework 4 Client Profile Beta 1\Setup.exe /repair /x86
Microsoft .NET Framework 4 Client Profile Beta 1-->MsiExec.exe /X{1DF6A8F6-5048-323F-8758-DA533CE0F07E}
Microsoft .NET Framework 4 Extended Beta 1-->C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\SetupCache\Microsoft .NET Framework 4 Extended Beta 1\Setup.exe /repair /x86
Microsoft .NET Framework 4 Extended Beta 1-->MsiExec.exe /X{19BD09BF-3BBD-3663-A5ED-50B6B2B07E45}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2010  Beta 1 x86 Redistributable - 10.0.20506-->MsiExec.exe /X{FC92E32F-6AD6-38E7-AC11-83B639CEACD8}
MONOGRAM AMR Splitter/Decoder (remove only)-->"C:\Programme\MONOGRAM AMR SplitterDecoder\uninstall.exe"
Mozilla Firefox (3.0.11)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
OpenOffice.org Installer 1.0-->MsiExec.exe /X{E728E952-DD4F-4BCD-A5C8-40FBFEFF91FE}
OpenSource Flash Video Splitter (remove only)-->"C:\Programme\OpenSource Flash Video Splitter\uninstall.exe"
OTiCardReader -->C:\Programme\CardReader2.0\AdvDrvIns.exe -u "C:\Programme\CardReader2.0"
PartyPoker-->"C:\Programme\PartyGaming\PartyPoker\Uninstall.exe" "C:\Programme\PartyGaming\PartyPoker\install.log"
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
Pixel Bender Toolkit-->MsiExec.exe /I{43509E18-076E-40FE-AF38-CA5ED400A5A9}
QIP 8080 Jeak-Edition-->C:\Programme\QIP\uninstall.exe
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Real Alternative 1.9.0-->"C:\Programme\Real Alternative\unins000.exe"
RealMedia (remove only)-->"C:\Programme\RealMedia\uninstall.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x7  -removeonly
Rise Of Legends-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{CADDE354-C78C-46CB-A006-E2B178EFC271} 
SHOUTcast Source (remove only)-->"C:\Programme\SHOUTcast Source\uninstall.exe"
Sicherheitsupdate für Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Sicherheitsupdate für Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Songbird 0.7.0 (20080819)-->"C:\Programme\Songbird\Songbird-Uninstall.exe"
Sony Ericsson PC Suite 5.007.01-->"C:\Programme\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\ISAdmin.exe" -runfromtemp -l0x0009 -removeonly
Sony Ericsson PC Suite-->MsiExec.exe /I{FE6397C1-CECA-4EC3-B064-42AED7676898}
Sound Blaster X-Fi-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x7  /remove
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
Text-To-Speech-Runtime-->MsiExec.exe /X{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}
Uninstall 1.0.0.1-->"C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe"
Update für Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update für Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update für Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update für Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Vuze-->C:\Programme\Vuze\uninstall.exe
Winamp-->"C:\Programme\Winamp\UninstWA.exe"
Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR-->C:\Programme\WinRAR\uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
Zoom Player (remove only)-->"C:\Programme\Zoom Player\uninstall.exe"
         

Alt 15.07.2009, 22:27   #20
der_gizmo
 

Infiziert?



Several error messages appeared here, for one this one:

Could not read the boot sector. Try adjusting the Disk Acces Level in the OPtions dialog.
This one appeared several times.
Furthermore, another one appeared, after which the scan had ended. I now don't know whether the scan was ended because of this error message (I unfortunately cannot reproduce its contents, since I initially assumed it was the error message above again), or whether it had already completed.

The result reads as follows:

Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:			2009/07/15 23:22
Program Version:		Version 1.3.2.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOKUME~1\kwam\LOKALE~1\Temp\aujasnkj.sys
Address: 0xAB366000	Size: 81664	File Visible: No	Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2FEA000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADC6000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
Address: 0xB325D000	Size: 192512	File Visible: -	Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP8880
Image Path: \Driver\PCI_PNP8880
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB39A000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: sprs.sys
Image Path: sprs.sys
Address: 0xBA6A7000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

SSDT
-------------------
#: 041	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbafa977e

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbafa9774

#: 063	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbafa9783

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbafa978d

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "sprs.sys" at address 0xba6c6ca2

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "sprs.sys" at address 0xba6c7030

#: 098	Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbafa9792

#: 119	Function Name: NtOpenKey
Status: Hooked by "sprs.sys" at address 0xba6a80c0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbafa9760

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbafa9765

#: 160	Function Name: NtQueryKey
Status: Hooked by "sprs.sys" at address 0xba6c7108

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "sprs.sys" at address 0xba6c6f88

#: 193	Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbafa979c

#: 204	Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbafa9797

#: 247	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbafa9788

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbafa976f

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll]
Process: svchost.exe (PID: 1060)	Address: 0x10000000	Address: 57344

Object: Hidden Module [Name: ESQULjwoaypplxqliosrhdgapirxxdnowqyin.dll]
Process: firefox.exe (PID: 3016)	Address: 0x10000000	Address: 241664

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8a258430	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System	Address: 0x8a0cc1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System	Address: 0x8a304500	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x8a37b500	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x8a37b500	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a37b500	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a37b500	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a37b500	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x8a37b500	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_CREATE]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_CLOSE]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_POWER]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_PNP]
Process: System	Address: 0x8a2401f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8a323500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x89f78500	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_CREATE]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_CLOSE]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_READ]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a0cb1f8	Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_PNP]
Process: System	Address: 0x8a0cb1f8	Address: 121

==EOF==
         


15.07.2009, 22:47   #21
john.doe

Quote:
whether it had already finished.
EOF = End of file => finished.

Now we've got it, finally, another new one.

1.) Please check the following:
Start => Run => type devmgmt.msc and press [Enter]
View => Show hidden devices => Non-Plug and Play Drivers
Is there anything listed there that starts with ESQUL?

2.) Avenger instructions (by swandog46)

Download the tool (Hopsassa) and save it to your desktop:
  • Double-click the Avenger icon
  • Now copy the following text into the white box at -> "input script here"
Code:
Drivers to delete:
aujasnkj.sys
ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
gusvc
GMSIPCI
agvko7uw

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
HKLM\SYSTEM\ControlSet002\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
HKLM\SYSTEM\ControlSet003\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
HKLM\SYSTEM\ControlSet004\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys

Files to delete:
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe
C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll
C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll
         
  • Now close all programs and browser windows
  • To start Avenger, click -> Execute
  • Then confirm with "Yes" that the computer will restart
  • After the system has restarted, you will find a report from Avenger at -> C:\avenger.txt
  • Open the file with Notepad and copy the entire text into your post here on Trojaner-Board.

3.) Post a new RootRepeal log.

15.07.2009, 23:06   #22
der_gizmo

No, nothing to see. Good or bad sign?

When I try to navigate to Avenger, AntiVir reports:
Warning, detection!
C:\Avenger\b.exe
Is the Trojan horse TR/Dldr.Zlob.LL

15.07.2009, 23:08   #23
der_gizmo

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ESQULserv.sys" found!
ImagePath:  \systemroot\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys 
Start Type:  1 (System)

Rootkit scan completed.


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\aujasnkj.sys" not found!
Deletion of driver "aujasnkj.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of driver "ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "gusvc" deleted successfully.
Driver "GMSIPCI" deleted successfully.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\agvko7uw" not found!
Deletion of driver "agvko7uw" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet003\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet003\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\tasks\AppleSoftwareUpdate.job" deleted successfully.
File "C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" deleted successfully.
File "C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job" deleted successfully.
File "C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe" deleted successfully.
File "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" deleted successfully.

Error:  file "C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
         

15.07.2009, 23:12   #24
john.doe

Quote:
Good or bad sign?
Bad; they used to be quite easy to trick there. By now even GMER shows nothing any more. It is getting harder and harder to find them.

Have you already deleted with Avenger? If so:

1.) Disable the Avira Guard.

2.) There should be a backup.zip in the Avenger folder. If not, pack the complete Avenger folder with RAR or ZIP, upload the file to a file hoster (e.g. www.materialordner.de) and send me the link as a private message.

3.) Re-enable the Avira Guard.

ciao, andreas
__________________
No support via PM! This is a forum, not private one-on-one support!
Private support only for a fee, and I am very expensive.
For all newcomers
Guides
Virus scanners
Compromise unavoidable?

15.07.2009, 23:15   #25
der_gizmo

No, I haven't done anything yet (wouldn't know how to do that either^^).

I'm currently waiting for RootRepeal to finish; it is taking considerably longer this time than before.

15.07.2009, 23:21   #26
john.doe

I made a mistake, new script for Avenger.
Code:
Drivers to delete:
ESQULserv.sys

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys
HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys
HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys
HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys

Files to delete:
C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe
C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll
         
Please run it immediately after the RootRepeal log.

ciao, andreas
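The first Avenger run above failed on the driver entries with STATUS_OBJECT_NAME_NOT_FOUND because the script named the driver by its image file (ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys), while Avenger's own error line shows it resolving "Drivers to delete:" entries under \Registry\Machine\System\CurrentControlSet\Services\<name>. The rootkit scan in the same log had already reported the service under its registry name, ESQULserv.sys, which is what the corrected script uses. The following Python is an added example, not part of this thread and not Avenger's code: it parses an Avenger log in the posted format, lists what was deleted and what failed with which NTSTATUS, maps failed driver entries back to the service name the hidden-driver scan reported for that image, and emits a follow-up script in the thread's layout. The sample log is constructed from the lines posted above; the to_dos_path helper and its assumption that \systemroot maps to C:\WINDOWS (the poster's XP installation) are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a cut-down Avenger 2.0 log in the same line formats as the one posted above.
SAMPLE_LOG = r"""
Rootkit scan active.

Hidden driver "ESQULserv.sys" found!
ImagePath:  \systemroot\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
Start Type:  1 (System)

Rootkit scan completed.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of driver "ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "gusvc" deleted successfully.
File "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" deleted successfully.

Error:  file "C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "(?P<service>[^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath:\s*(?P<path>\S+)')
OK_RE = re.compile(r'^(?P<kind>Driver|File|Registry key) "(?P<target>[^"]+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?P<kind>driver|file|registry key) "(?P<target>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]{8}) \((?P<name>[A-Z0-9_]+)\)$')

@dataclass
class AvengerReport:
    hidden_drivers: Dict[str, str] = field(default_factory=dict)      # service name -> ImagePath
    deleted: List[Tuple[str, str]] = field(default_factory=list)      # (kind, target)
    failed: List[Tuple[str, str, str]] = field(default_factory=list)  # (kind, target, NTSTATUS name)

def parse_avenger_log(text: str) -> AvengerReport:
    rep = AvengerReport()
    pending_service: Optional[str] = None               # "Hidden driver" waiting for its ImagePath
    pending_failure: Optional[Tuple[str, str]] = None   # "Deletion ... failed!" waiting for its Status
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            pending_service = m["service"]
        elif pending_service and (m := IMAGE_RE.match(line)):
            rep.hidden_drivers[pending_service] = m["path"]
            pending_service = None
        elif m := OK_RE.match(line):
            rep.deleted.append((m["kind"].lower(), m["target"]))
        elif m := FAIL_RE.match(line):
            pending_failure = (m["kind"], m["target"])
        elif pending_failure and (m := STATUS_RE.match(line)):
            rep.failed.append((*pending_failure, m["name"]))
            pending_failure = None
    return rep

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def driver_name_fixes(rep: AvengerReport) -> Dict[str, str]:
    # Failed "driver" entries that named the image file instead of the service. Avenger resolves
    # "Drivers to delete:" under ...\Services\<name>, so the name the rootkit scan reported
    # for that image (the registry key) is the one the script needs.
    by_image = {basename(p).lower(): svc for svc, p in rep.hidden_drivers.items()}
    return {target: by_image[basename(target).lower()]
            for kind, target, status in rep.failed
            if kind == "driver" and status == "STATUS_OBJECT_NAME_NOT_FOUND"
            and basename(target).lower() in by_image}

def to_dos_path(path: str, systemroot: str = "C:\\WINDOWS") -> str:
    # Assumption (mine): \systemroot is C:\WINDOWS, as on the poster's XP installation.
    prefix = "\\systemroot"
    return systemroot + path[len(prefix):] if path.lower().startswith(prefix) else path

def corrected_script(rep: AvengerReport, control_sets=(1, 2, 3, 4)) -> str:
    # Follow-up script in the thread's own layout: services by registry name, their keys in
    # every ControlSet, and their image files by DOS path.
    services = sorted(rep.hidden_drivers)
    lines = ["Drivers to delete:", *services, "", "Registry keys to delete:"]
    lines += [f"HKLM\\SYSTEM\\ControlSet{n:03d}\\Services\\{s}" for s in services for n in control_sets]
    lines += ["", "Files to delete:", *(to_dos_path(rep.hidden_drivers[s]) for s in services)]
    return "\n".join(lines)
```

Running parse_avenger_log on the real C:\avenger.txt and then driver_name_fixes on the result gives the mapping {image file name: service name}; corrected_script turns the report into the text to paste back into Avenger. The ControlSet001..004 keys follow the thread's script; which ControlSets exist on a given machine is not something the log tells you.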

15.07.2009, 23:28   #27
der_gizmo

Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:			2009/07/16 00:17
Program Version:		Version 1.3.2.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dpqo.sys
Image Path: dpqo.sys
Address: 0xBA8A8000	Size: 61440	File Visible: No	Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2D93000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE0E000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_PNP8976
Image Path: \Driver\PCI_PNP8976
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAAA8000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: spaa.sys
Image Path: spaa.sys
Address: 0xBA6A7000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\dokumente und einstellungen\kwam\lokale einstellungen\anwendungsdaten\mozilla\firefox\profiles\rf06ey9t.default\cache\c2857b96d01
Status: Size mismatch (API: 34238, Raw: 36661)

SSDT
-------------------
#: 041	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaf9a60e

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf9a604

#: 063	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbaf9a613

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbaf9a61d

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spaa.sys" at address 0xba6c6ca2

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spaa.sys" at address 0xba6c7030

#: 098	Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbaf9a622

#: 119	Function Name: NtOpenKey
Status: Hooked by "spaa.sys" at address 0xba6a80c0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf9a5f0

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaf9a5f5

#: 160	Function Name: NtQueryKey
Status: Hooked by "spaa.sys" at address 0xba6c7108

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spaa.sys" at address 0xba6c6f88

#: 193	Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaf9a62c

#: 204	Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbaf9a627

#: 247	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaf9a618

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaf9a5ff

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8a5a11f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_CREATE]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_CLOSE]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_POWER]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_PNP]
Process: System	Address: 0x8a2741f8	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8a2b7400	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System	Address: 0x8a5a21f8	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System	Address: 0x8a0e7310	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System	Address: 0x8a33d1f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x8a5a31f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x882121f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x882121f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x882121f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x882121f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x882121f8	Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x882121f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8a30f1f8	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x899c3500	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_CREATE]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_CLOSE]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_READ]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a0b92b8	Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_PNP]
Process: System	Address: 0x8a0b92b8	Address: 121

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image PathC:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys

==EOF==

Will do.

15.07.2009, 23:35   #28
der_gizmo

Infected?

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "ESQULserv.sys" deleted successfully.

Error:  registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys" deleted successfully.

Error:  registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" not found!
Deletion of file "C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job" not found!
Deletion of file "C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe" not found!
Deletion of file "C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" not found!
Deletion of file "C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.
         

15.07.2009, 23:42   #29
john.doe

Infected?

Now please work through this => http://www.trojaner-board.de/448377-post24.html

All the programs should be running again now. You can start with ComboFix, then Malwarebytes.

ciao, andreas
__________________
No support via PM! This is a forum, not a private support service!
Private support only for payment, and I am very expensive.
For all newcomers
Guides
Virus scanners
Compromise unavoidable?

16.07.2009, 00:03   #30
der_gizmo

Infected?

Well, ComboFix ran fine now.
Here is the report:

Code:
ComboFix 09-07-14.08 - kwam 16.07.2009  0:53.1.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1031.18.2046.1510 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\kwam\Desktop\combo-fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\windows\system32\ESQULjwoaypplxqliosrhdgapirxxdnowqyin.dll
c:\windows\system32\ic32.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\wk32.dll

.
(((((((((((((((((((((((   Dateien erstellt von 2009-06-15 bis 2009-07-15  ))))))))))))))))))))))))))))))
.

2009-07-15 22:29 . 2009-07-15 22:29	574	----a-w-	C:\cleanup.bat
2009-07-15 22:29 . 2009-07-15 22:29	135168	----a-w-	C:\zip.exe
2009-07-15 20:13 . 2009-07-15 20:13	--------	d-----w-	c:\programme\CCleaner
2009-07-15 17:40 . 2009-07-15 17:40	--------	d-----w-	C:\rsit
2009-07-15 13:15 . 2009-07-13 11:36	38160	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 13:15 . 2009-07-15 13:15	--------	d-----w-	c:\programme\Malwarebytes' Anti-Malware
2009-07-15 13:15 . 2009-07-15 13:15	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-07-15 13:15 . 2009-07-13 11:36	19096	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-07-14 20:35 . 2009-07-15 17:41	--------	d-----w-	c:\programme\Trend Micro
2009-07-14 18:45 . 2009-07-14 18:45	69632	----a-w-	c:\windows\system32\drivers\geyekrvtjiqjml.sys
2009-07-14 18:38 . 2009-07-14 18:38	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\MAGIX
2009-07-14 18:23 . 2001-05-11 11:18	420240	----a-w-	c:\windows\system32\mpg4c32.dll
2009-07-14 18:23 . 2001-05-16 15:54	309616	----a-w-	c:\windows\system32\wmv8dmod.dll
2009-07-14 18:21 . 2007-04-27 08:43	120200	----a-w-	c:\windows\system32\DLLDEV32i.dll
2009-07-14 18:21 . 2009-07-14 18:22	--------	d-----w-	c:\windows\system32\MAGIX
2009-07-14 18:21 . 2008-04-15 14:14	700416	----a-w-	c:\windows\system32\mgxoschk.dll
2009-07-14 17:27 . 2009-07-14 17:27	--------	d-----w-	c:\programme\Audacity
2009-07-09 21:09 . 2009-07-09 21:09	--------	d-----w-	c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Apple
2009-07-07 16:30 . 2009-07-08 14:16	96104	----a-w-	c:\windows\system32\drivers\avipbb.sys
2009-07-07 16:30 . 2009-07-08 14:16	55640	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2009-07-07 16:30 . 2009-02-13 09:29	22360	----a-w-	c:\windows\system32\drivers\avgntmgr.sys
2009-07-07 16:30 . 2009-02-13 09:17	45416	----a-w-	c:\windows\system32\drivers\avgntdd.sys
2009-07-07 16:30 . 2009-07-07 16:30	--------	d-----w-	c:\programme\Avira
2009-07-07 16:30 . 2009-07-07 16:30	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-07-06 20:52 . 2009-07-06 20:52	--------	d-----w-	c:\dokumente und einstellungen\kwam\Library
2009-07-06 20:52 . 2009-07-06 20:52	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\com.adobe.ExMan
2009-07-02 19:11 . 2009-07-02 19:11	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\Apple Computer
2009-06-22 13:26 . 2009-06-22 13:26	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\BVRP Software
2009-06-22 13:15 . 2009-06-22 13:15	--------	d-----w-	c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\Sony
2009-06-22 13:12 . 2009-06-22 13:12	--------	d-----w-	c:\programme\Gemeinsame Dateien\Sony Shared
2009-06-22 13:11 . 2009-06-22 13:11	--------	d-----w-	c:\programme\Sony
2009-06-22 13:09 . 2009-06-22 13:09	--------	d-----w-	c:\programme\Gemeinsame Dateien\Apple
2009-06-22 13:09 . 2009-06-22 13:09	--------	d-----w-	c:\programme\QuickTime
2009-06-22 13:09 . 2009-06-22 13:09	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
2009-06-22 13:08 . 2009-06-22 13:08	--------	d-----w-	c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\Apple
2009-06-22 13:08 . 2009-06-22 13:08	--------	d-----w-	c:\programme\Apple Software Update
2009-06-22 13:08 . 2009-06-22 13:08	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple
2009-06-22 13:08 . 2009-06-22 13:08	--------	d-----w-	c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\Apple Computer
2009-06-22 13:08 . 2009-06-22 13:28	--------	d-----w-	c:\windows\system32\drivers\UMDF
2009-06-22 13:05 . 2009-06-22 13:05	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\Sony

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 19:51 . 2009-03-03 19:47	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\Winamp
2009-07-15 13:40 . 2008-10-23 15:51	42360	----a-w-	c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-07-14 20:06 . 2008-10-23 15:52	--------	d-----w-	c:\programme\Warcraft III
2009-07-14 18:22 . 2009-07-14 18:21	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\MAGIX
2009-07-14 18:21 . 2008-12-23 22:40	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\Azureus
2009-07-10 19:15 . 2008-10-24 20:20	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\FrostWire
2009-07-10 18:10 . 2008-10-25 00:11	--------	d-----w-	c:\programme\Microsoft Games
2009-07-10 14:06 . 2008-12-23 16:31	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\Skype
2009-07-10 14:01 . 2008-12-23 16:32	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\skypePM
2009-07-02 19:16 . 2009-03-08 20:51	--------	d-----w-	c:\programme\Gemeinsame Dateien\DVDVideoSoft
2009-07-02 19:16 . 2009-03-08 20:51	--------	d-----w-	c:\programme\DVDVideoSoft
2009-06-22 13:22 . 2009-06-22 13:22	148736	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\hpe146.dll
2009-06-22 13:22 . 2009-06-22 13:22	148736	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\hpe146.dll
2009-06-22 13:22 . 2008-10-24 20:01	--------	d-----w-	c:\programme\Sony Ericsson
2009-06-22 13:22 . 2008-10-22 17:32	--------	d--h--w-	c:\programme\InstallShield Installation Information
2009-06-11 17:33 . 2009-06-11 17:33	--------	d-sh--w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\System Restore
2009-06-11 01:41 . 2009-06-11 01:41	--------	d-----w-	c:\dokumente und einstellungen\kwam\Anwendungsdaten\Canneverbe_Limited
2009-06-11 01:41 . 2009-06-11 01:41	--------	d-----w-	c:\programme\CDBurnerXP
2009-06-05 23:05 . 2008-10-31 16:23	--------	d-----w-	c:\programme\Gemeinsame Dateien\Adobe
2009-06-05 18:05 . 2009-06-05 18:05	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet
2009-06-05 17:41 . 2009-06-05 17:41	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\ALM
2009-06-05 17:15 . 2009-06-05 17:15	--------	d-----w-	c:\programme\Adobe Media Player
2009-06-05 17:13 . 2009-06-05 17:13	--------	d-----w-	c:\programme\Gemeinsame Dateien\Adobe AIR
2009-06-05 17:07 . 2009-06-05 17:07	--------	d-----w-	c:\programme\Gemeinsame Dateien\Macrovision Shared
2009-06-05 16:56 . 2006-02-28 12:00	96862	----a-w-	c:\windows\system32\perfc007.dat
2009-06-05 16:56 . 2006-02-28 12:00	505988	----a-w-	c:\windows\system32\perfh007.dat
2009-06-05 16:56 . 2009-06-05 16:56	64312	----a-w-	c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-06-05 16:55 . 2009-06-05 16:55	--------	d-----w-	c:\programme\MSBuild
2009-06-04 22:58 . 2009-06-04 22:58	--------	d-----w-	c:\programme\Reference Assemblies
2009-05-07 15:32 . 2006-02-28 12:00	348160	----a-w-	c:\windows\system32\localspl.dll
2009-05-06 09:29 . 2009-05-06 09:29	17744	----a-w-	c:\windows\system32\aspnet_counters.dll
2009-05-06 07:08 . 2009-05-06 07:08	70456	----a-w-	c:\windows\system32\dxva2.dll
2009-05-06 07:08 . 2009-05-06 07:08	489800	----a-w-	c:\windows\system32\evr.dll
2009-05-06 07:08 . 2009-05-06 07:08	13120	----a-w-	c:\windows\system32\mscorier.dll
2009-05-06 07:08 . 2009-05-06 07:08	103304	----a-w-	c:\windows\system32\PresentationCFFRasterizerNative_v0400.dll
2009-05-06 06:13 . 2009-05-06 06:13	76648	----a-w-	c:\windows\system32\PresentationHostProxy.dll
2009-05-06 06:13 . 2009-05-06 06:13	404320	----a-w-	c:\windows\system32\PresentationHost.exe
2009-05-06 06:13 . 2009-05-06 06:13	291152	----a-w-	c:\windows\system32\mscoree.dll
2009-05-06 06:13 . 2009-05-06 06:13	158048	----a-w-	c:\windows\system32\UIAutomationCore.dll
2009-05-06 06:13 . 2009-05-06 06:13	14160	----a-w-	c:\windows\system32\netfxperf.dll
2009-05-06 06:13 . 2009-05-06 06:13	1083720	----a-w-	c:\windows\system32\dfshim.dll
2009-04-29 04:33 . 2006-02-28 12:00	672256	----a-w-	c:\windows\system32\wininet.dll
2009-04-29 04:33 . 2006-02-28 12:00	81920	----a-w-	c:\windows\system32\ieencode.dll
2009-04-19 19:46 . 2006-02-28 12:00	1847296	----a-w-	c:\windows\system32\win32k.sys
2009-06-12 17:33 . 2008-10-24 17:38	134648	----a-w-	c:\programme\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\programme\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Sony Ericsson PC Suite"="c:\programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-02-16 405504]
"ICQ"="c:\programme\ICQ6.5\ICQ.exe" [2009-03-01 172792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-13 7606272]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"D-Link AirPlus G"="c:\programme\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 1519616]
"ANIWZCS2Service"="c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-04-20 385024]
"Sony Ericsson PC Suite"="c:\programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-27 593920]
"WinampAgent"="c:\programme\Winamp\winampa.exe" [2009-02-25 37888]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AdobeCS4ServiceManager"="c:\programme\Gemeinsame Dateien\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\programme\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\programme\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2008-09-06 413696]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-13 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-05-13 86016]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-08-07 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\FrostWire\\FrostWire.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"c:\\Programme\\Vuze\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Dokumente und Einstellungen\\kwam\\Desktop\\dud\\Age Of Empires 2 & The Conquerors Expansion -\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [07.07.2009 18:30 108289]
R2 ICQ Service;ICQ Service;c:\programme\ICQ6Toolbar\ICQ Service.exe [08.12.2008 20:23 222456]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [22.06.2009 15:22 86696]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [22.06.2009 15:22 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [22.06.2009 15:22 114472]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [22.06.2009 15:22 108328]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [22.06.2009 15:22 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [22.06.2009 15:22 104616]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [22.06.2009 15:22 109736]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.08.2008 05:46 284016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [06.05.2009 09:08 104272]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\MAGIX\Common\Database\bin\fbserver.exe --> c:\programme\MAGIX\Common\Database\bin\fbserver.exe [?]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: An vorhandene PDF-Datei anfügen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
FF - ProfilePath - c:\dokumente und einstellungen\kwam\Anwendungsdaten\Mozilla\Firefox\Profiles\rf06ey9t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.yodl.de/href.php?hrefname=FF-splug_google&q=
FF - prefs.js: browser.startup.homepage - www.google.de/ig
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\programme\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 00:59
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-602162358-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaekjkbfbepihimmfanddhhpkpmmmg"=hex:64,61,64,69,70,62,61,63,00,85
"oailjhhlcmlbmnhbkmoclnfonplpan"=hex:6a,61,64,69,70,62,6f,63,6c,70,62,6a,6b,69,
   6a,6e,6c,61,69,6a,00,0f
"nacipnbaldjcfbiifafcoeinhgmo"=hex:6a,61,64,69,70,62,6f,63,6c,70,62,6a,6b,69,
   6a,6e,6c,61,69,6a,00,02
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\programme\Gemeinsame Dateien\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Zeit der Fertigstellung: 2009-07-15  1:01
ComboFix-quarantined-files.txt  2009-07-15 23:01

Vor Suchlauf: 8 Verzeichnis(se), 134.340.575.232 Bytes frei
Nach Suchlauf: 7 Verzeichnis(se), 134.466.969.600 Bytes frei

221	--- E O F ---	2009-06-23 22:06
         
