Google Umleitung

Datenbank Version: 2388
Windows 5.1.2600 Service Pack 2

21.07.2009 22:17:29
mbam-log-2009-07-21 (22-17-26).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 101463
Laufzeit: 2 minute(s), 47 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\WINDOWS\system32\hjgruingndmosp.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\hjgruinidpetct.dll (Trojan.Agent) -> No action taken.
c:\windows\system32\UACthluqrjagstidbs.dll (Trojan.Agent) -> No action taken.
         

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/07/21 21:50
Program Version:		Version 1.3.2.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4BB7000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE3A000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2AEF000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xBA5E2000	Size: 81920	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ 
Status: Locked to the Windows API!

Path: C:\Dokumente und Einstellungen\*****\Anwendungsdaten\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ 
Status: Locked to the Windows API!

-------------------
#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddf040

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddb930

#: 041	Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba6df514

#: 046	Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddf510

#: 047	Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de5870

#: 048	Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de5aa0

#: 050	Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de8fd0

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf1b5dc

#: 056	Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddf600

#: 062	Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddbf20

#: 063	Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xba6dfd00

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6dffb8

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de5580

#: 098	Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de78b0

#: 116	Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddbd70

#: 119	Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xba6de3fa

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf1b5c8

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaf1b5cd

#: 192	Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xba6e0422

#: 193	Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de7cb0

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddec00

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4de8080

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddf220

#: 224	Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ddc120

#: 247	Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6df7d8

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaf1b5d7

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xbaf1b5d2

Hidden Services
-------------------
Service Name: hjgruipojeemov
Image PathC:\WINDOWS\system32\drivers\hjgruippkhifsw.sys

==EOF==
         

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-21 23:51:06
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device          \Driver\Tcpip \Device\Ip                                    vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\Tcpip \Device\Tcp                                   vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\Tcpip \Device\Udp                                   vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\Tcpip \Device\RawIp                                 vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Services - GMER 1.0.15 ----

Service         system32\drivers\hjgruippkhifsw.sys (*** hidden *** )       [SYSTEM] hjgruipojeemov                                     <-- ROOTKIT !!! 

---- EOF - GMER 1.0.15 ----
         

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:16:03, on 21.07.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
C:\util\_network\ZoneAlarm\zlclient.exe
C:\online\Skype\SAM\SAM.exe
C:\WINDOWS\System32\svchost.exe
C:\online\Skype\Skype\Skype.exe
c:\util\_virus\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVidia Grafikkarte)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (NVidia Grafikkarte)
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe (Webcam)
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe (Canon Camera Monitor)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\util\_network\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] c:\util\_virus\mbam\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-PV3LV.exe" /REG
O4 - S-1-5-21-1292428093-1417001333-725345543-1003 Startup: SAM.lnk = C:\online\Skype\SAM\SAM.exe (User '?')
O4 - S-1-5-21-1292428093-1417001333-725345543-1003 Startup: (User '?')
O4 - Startup: SAM.lnk = C:\online\Skype\SAM\SAM.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\util\_virus\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file
         

HKU\S-1-5-21-1292428093-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13A6164E-7DA1-B099-0A3D-2A11BC190C30}*	20.03.2009 23:35	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-21-1292428093-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{79E45BCC-AEBC-4E8E-446A-26D760E8AB4E}*	20.03.2009 23:01	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-21-1292428093-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8488FEDF-4D70-C922-8CD7-990773394C61}*	20.03.2009 23:19	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-21-1292428093-1417001333-725345543-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*	26.05.2009 16:36	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-21-1292428093-1417001333-725345543-1003\Software\SecuROM\License information*	13.10.2008 22:21	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC*	13.09.2006 00:03	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*	13.09.2006 00:03	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed	22.07.2009 00:44	80 bytes	Data mismatch between Windows API and raw hive data.
C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XYBOPQF\dnx[4].htm	22.07.2009 00:46	5.80 KB	Visible in Windows API, MFT, but not in directory index.
C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ODQFG5I7\dnx[4].htm	22.07.2009 00:44	5.80 KB	Visible in Windows API, directory index, but not in MFT.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	13.07.2008 16:46	252.00 KB	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll	13.07.2008 16:46	111.50 KB	Visible in Windows API, but not in MFT or directory index.