Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys
03.06.2010, 14:59 | #1
Hello! I have a small problem. Two days ago I got a letter from Telekom saying that my outgoing mail had been restricted because spam was being sent from my account. So I scanned the laptop (Toshiba Satellite, WinXP Pro SP3) with Telekom's online scanner (Symantec), but it found nothing. Ad-Aware found nothing either. Avira is always running and has never raised an alarm. Only Zone Alarm has been asking for a few days whether services.exe may access the network. I googled briefly, found nothing alarming, so I didn't think much of it and allowed it, because services.exe belongs to Windows. That was probably a mistake, because now that I have looked at the Zone Alarm logs it is clear that services.exe is connecting to MSN, Yahoo, gmail, Amazon, Slashdot and a number of others. So I kept looking and installed Ad-Aware and HijackThis, which also found nothing. Panda's online scanner finally put me on the right track and found the rootkit Bubnix.au. It sits in the System32\drivers folder and is called hljrifmj.sys. When I had Avira scan this file directly, it also reported Bubnix (only why not earlier, since it is always running in the background...?). Avira cannot delete it, though; it says the file is locked and can only be removed at the next restart, but that does not work either. Via Google I then ended up here at Trojaner-Board. I have read up a bit here and run GMER, OSAM, OTL and Malwarebytes Anti-Malware. GMER and Anti-Malware found hljrifmj.sys. I haven't deleted anything yet, so that you can get a picture and I don't mess everything up from the start. I hope you can help me and save my system. The only thing I have changed so far are Avira's settings.
I set them up as described here: http://www.trojaner-board.de/54192-a...tellungen.html By "found nothing", incidentally, I mean that nothing was found that I couldn't identify as "good", such as PantsOff or Gmaptool, which is packed with upx. I hope I did everything right for my first post. Regards, Perle

And here are the log files:

GMER
Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-06-02 22:09:06
Windows 5.1.2600 Service Pack 3
Running: 4hf4fesu.exe; Driver: C:\DOKUME~1\***\LOKALE~1\Temp\uwrcypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEE5BCEB0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEE5B9870] <-- ROOTKIT !!!
SSDT F7CBE6F6 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEE5BD270] <-- ROOTKIT !!!
SSDT F7CBE6EC ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xEE5BD350] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEE5B9EF0] <-- ROOTKIT !!!
SSDT F7CBE6FB ZwDeleteKey
SSDT F7CBE705 ZwDeleteValueKey
SSDT F7CBE70A ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEE5B9D40] <-- ROOTKIT !!!
SSDT F7CBE6D8 ZwOpenProcess
SSDT F7CBE6DD ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xEE5C61D0] <-- ROOTKIT !!!
SSDT F7CBE714 ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xEE5BCB50] <-- ROOTKIT !!!
SSDT F7CBE70F ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEE5BA060] <-- ROOTKIT !!!
SSDT F7CBE700 ZwSetValueKey
SSDT F7CBE6E7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\hljrifmj.sys Ein an das System angeschlossenes Gerät funktioniert nicht.
PAGE Ntfs.sys F73B7E55 4 Bytes CALL 85769381
? srescan.sys Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[772] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: imagehlp.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\mouclass.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\parport.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\imapi.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\redbook.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\ks.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\drivers\portcls.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\Modem.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\CmBatt.sys[NTOSKRNL.EXE!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\intelppm.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisDeregisterProtocol] [EE5C1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\audstub.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\ndistapi.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] 856E2D70
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] 856E2960
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 856E2F40
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 856E2770
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EE5C1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EE5C1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\msgpc.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\rdpdr.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\termdd.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\swenum.sys[NTOSKRNL.EXE!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\update.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\mssmbios.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EE5C1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\usbhub.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\Npfs.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\rasacd.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\ipsec.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 856B7660
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 856B7660
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EE5CF360] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \??\C:\WINDOWS\system32\drivers\vmm.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE5C1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE5C19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE5C1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE5C2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE5C1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EE5BA510] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EE5BA6C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EE5BA220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EE5BA5C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] 856B75E0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 81EC8B55
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 000814EC
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 6A575300
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] FF335B04
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 6A575757
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 7D895701
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] F045C7F8
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 00004E20
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] FFFC5D89
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 40208015
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] F4458900
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 840FC73B
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 00000132
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 94358B56
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 458D53D6
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 066A50F0
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FFF475FF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 458D53D6
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 056A50F0
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] FFF475FF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0C5D8BD6
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] EC858D00
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 68FFFFF7
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 00000800
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] AC15FF50
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 83004020
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 07EB10C4
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] F7EC85C6
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 5700FFFF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 0C320068
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 8DFF6A8C
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] FFF7EC85
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 75FF50FF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] F475FF08
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 209015FF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] F08B0040
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 3BF87589
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] A9840FF7
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 39000000
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 1F75087B
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FC458D57
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] EC458D50
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 00056850
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] FF562000
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 40208C15
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] EC458B06
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 8D084389
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 6850FC45
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 00000800
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] F7EC858D
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 5650FFFF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 208815FF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 4EEB0040
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 74FC7D39
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 04438B5E
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 8BFC4503
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] FF565033
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 4020A815
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 89595900
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 74C73B03
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 047B8B37
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 03FC4D8B
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] ECB58DF8
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F3FFFFF7
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] FC458BA4
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 6850FC45
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00000800
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] F7EC858D
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] FF50FFFF
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 15FFF875
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [00402088] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C085FF33
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0FEBAE75
IAT C:\WINDOWS\System32\svchost.exe[772] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0874F73B

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 856830B8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 856E88E0
Thread System [4:128] 856E88E0
Thread System [4:132] 856C18D0
Thread System [4:136] 856C18D0
Thread System [4:140] 856C18D0
Thread System [4:524] 856E88E0
Thread System [4:744] 856E88E0

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] hljrifmj <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\hljrifmj@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hljrifmj@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hljrifmj@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hljrifmj@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\hljrifmj@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\hljrifmj@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\hljrifmj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\hljrifmj@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 11:19:50 on 03.06.2010
OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Mozilla Corporation Firefox 3.6.3

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries

[Boot Execute]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager )-----
"BootExecute" - ? - C:\WINDOWS\system32\lsdelete.exe (File found, but it contains no detailed information)

[Common]
-----( %SystemRoot%\Tasks )-----
"Ad-Aware Update (Weekly).job" - "Lavasoft " - C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"everest_cpl.cpl" - ? - C:\WINDOWS\system32\everest_cpl.cpl (File found, but it contains no detailed information)
"HWSETUP.CPL" - "TOSHIBA Corp." - C:\WINDOWS\system32\HWSETUP.CPL
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
"TOSCDSPD.cpl" - ? - C:\WINDOWS\system32\TOSCDSPD.cpl (File found, but it contains no detailed information)
"TPwrSave.cpl" - "TOSHIBA Corporation" - C:\WINDOWS\system32\TPwrSave.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"ECSEPM" - "Sony Ericsson Mobile Communications AB" - C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\ecsepm.cpl
"Nero BurnRights" - "Nero AG" - C:\Programme\Nero\Nero 7\Nero Toolkit\NeroBurnRights.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl
"SMAX3CP" - "Analog Devices, Inc." - C:\Programme\Analog Devices\SoundMAX\SMax3CP.cpl
"X-Setup Pro" - ? - C:\Programme\X-Setup Pro\bin\dcXSPApplet.cpl (File found, but it contains no detailed information)

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ANIO Service" (ANIO) - "Alpha Networks Inc." - C:\WINDOWS\system32\ANIO.SYS
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"grmnusb" (grmnusb) - "GARMIN Corp." - C:\WINDOWS\System32\drivers\grmnusb.sys
"hljrifmj" (hljrifmj) - ? - C:\WINDOWS\system32\drivers\hljrifmj.sys (Hidden file | Hidden registry entry, rootkit activity | File found, but it contains no detailed information)
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found)
"Lbd" (Lbd) - "Lavasoft AB" - C:\WINDOWS\System32\DRIVERS\Lbd.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"pavboot" (pavboot) - "Panda Security, S.L." - C:\WINDOWS\System32\drivers\pavboot.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"srescan" (srescan) - "Zone Labs, LLC" - C:\WINDOWS\System32\ZoneLabs\srescan.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver" (TVALZ) - "TOSHIBA Corporation" - C:\WINDOWS\System32\DRIVERS\TVALZ.SYS
"TOSHIBA Network Device Usermode I/O Protocol" (Netdevio) - "TOSHIBA Corporation." - C:\WINDOWS\System32\DRIVERS\netdevio.sys
"Virtual Machine Monitor" (vmm) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\vmm.sys
"vsdatant" (vsdatant) - "Zone Labs, LLC" - C:\WINDOWS\System32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{990a81a0-b289-11cf-a800-00a0c903a2a6} "Cryptext" - ? - C:\WINDOWS\system32\ShellExt\Cryptext.dll
{F49C55B9-D417-45A1-A6E7-D6E057946280} "FdmUplShlExt Class" - ? - C:\Programme\Free Download Manager\FUM\fumshext.dll
{CE3DC79D-5A27-4F86-A5B2-EF8D76E03FAC} "JDTools" - "Jörg Dähler - Software Entwicklung" - C:\Programme\JDContextMenu\JDContextMenu.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87} "Sony Ericsson Datei-Manager" - "Popwire AB" - C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll
{738D66C6-0149-4D40-84E4-A7BB2D0CE949} "Sony Ericsson Datei-Manager" - "Popwire AB" - C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll
{C4213067-97B3-4929-9B98-B5600FBBBA13} "TouchShellExt Class" - "TOSHIBA Corporation" - C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll
{8932AEFE-9DB6-4f43-AFB2-5682F55E773A} "VPCHostCopyHook" - "Microsoft Corporation" - C:\Programme\Microsoft Virtual PC\VPCShExH.DLL
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - C:\Programme\WinRAR\rarext.dll (File found, but it contains no detailed information)
{D9872D13-7651-4471-9EEE-F0A00218BEBB} "ZLAVShExt Class" - "Zone Labs, LLC" - C:\Programme\ZoneAlarm\zlavscan.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{9191F686-7F0A-441D-8A98-2FE3AC1BD913} "ActiveScan 2.0 Installer Class" - "Panda Security" - C:\WINDOWS\Downloaded Program Files\as2stubie.dll / hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc."
- C:\Programme\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} "MUWebControl Class" - "Microsoft Corporation" - C:\WINDOWS\system32\muweb.dll / hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231804669218 {485D813E-EE26-4DF8-9FAF-DEDF2885306E} "NSHelp Class" - "Microsoft Corporation" - C:\WINDOWS\Downloaded Program Files\nshelp.dll / hxxp://192.168.0.2/connectcomputer/nshelp.dll {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} "Symantec AntiVirus scanner" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\avsniff.dll / hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab {644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? - (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "ICQ6" - "ICQ, LLC." - C:\Programme\ICQ6.5\ICQ.exe {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL {86529161-034E-4F8A-88D2-3C625E612E04} "Run WinHTTrack" - ? - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} "Upload" - ? 
- C:\Programme\Free Download Manager\FUM\fumiebtn.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205} "FDMIECookiesBHO Class" - ? - C:\Programme\Free Download Manager\iefdm2.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "Adobe Gamma Loader.exe.lnk" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe (Shortcut exists | File exists) "Adobe Reader - Schnellstart.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe (Shortcut exists | File exists) "Adobe Reader Synchronizer.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe (Shortcut exists | File exists) "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "Microsoft Office.lnk" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office\OSA9.EXE (Shortcut exists | File exists) "Erinnerungen in Microsoft Works-Kalender.lnk" - "Microsoft® Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart\desktop.ini -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "Free Uploader Oe Integration" - ? 
- C:\Programme\Free Download Manager\FUM\fumoei.exe "TOSCDSPD" - "TOSHIBA" - C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "000StTHK" - ? - 000StTHK.exe (File found, but it contains no detailed information) "00THotkey" - "TOSHIBA Corp." - C:\WINDOWS\system32\00THotkey.exe "ANIWZCS2Service" - "Alpha Networks Inc." - C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe "avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min "D-Link AirPlus XtremeG" - "D-Link" - C:\Programme\D-Link\AirPlus XtremeG\AirPlusCFG.exe "FreePDF Assistant" - "shbox.de" - C:\Programme\FreePDF_XP\fpassist.exe "LTSMMSG" - "LT" - LTSMMSG.exe "Microsoft Works Portfolio" - "Microsoft® Corporation" - C:\Programme\Microsoft Works\WksSb.exe /AllUsers "Microsoft Works Update Detection" - "Microsoft® Corporation" - C:\Programme\Microsoft Works\WkDetect.exe "NDSTray.exe" - ? - NDSTray.exe (File not found) "NeroFilterCheck" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe "PadTouch" - ? - "C:\Programme\TOSHIBA\PadTouch\PadExe.exe (File not found) "QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime "Sony Ericsson PC Suite" - ? - "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions "TFncKy" - ? - TFncKy.exe (File not found) "TouchED" - "TOSHIBA Corporation" - C:\Programme\TOSHIBA\TouchED\TouchED.Exe "TPSMain" - "TOSHIBA Corporation" - TPSMain.exe "ussshreg" - ? - C:\PROGRA~1\ULEADS~1\Ussshreg.exe /r (File found, but it contains no detailed information) "WorksFUD" - "Microsoft® Corporation" - C:\Programme\Microsoft Works\wkfud.exe "ZoneAlarm Client" - "Zone Labs, LLC" - "C:\Programme\ZoneAlarm\zlclient.exe" [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "EPSON Stylus DX4400 Series 32MonitorBE" - "SEIKO EPSON CORPORATION" - C:\WINDOWS\system32\E_FLBCAE.DLL "Redirected Port" - ? 
- C:\WINDOWS\system32\redmonnt.dll (File found, but it contains no detailed information) [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "ANIWZCSd Service" (ANIWZCSdService) - "Alpha Networks Inc." - C:\Programme\ANI\ANIWZCS2 Service\ANIWZCSdS.exe "ASP.NET-Zustandsdienst" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe "ConfigFree Service" (CFSvcs) - "TOSHIBA CORPORATION" - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Lavasoft Ad-Aware Service" (Lavasoft Ad-Aware Service) - "Lavasoft" - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe "Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE "NMIndexingService" (NMIndexingService) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "SiSoftware Database Agent Service" (SandraDataSrv) - "SiSoftware" - C:\Programme\SiSoft Sandra Lite\Win32\RpcDataSrv.exe "SiSoftware Sandra Agent Service" (SandraTheSrv) - "SiSoftware" - C:\Programme\SiSoft Sandra Lite\RpcSandraSrv.exe "SoundMAX Agent Service" (SoundMAX Agent Service (default)) - "Analog Devices, Inc." 
- C:\Programme\Analog Devices\SoundMAX\SMAgent.exe "TrueVector Internet Monitor" (vsmon) - "Zone Labs, LLC" - C:\WINDOWS\system32\ZoneLabs\vsmon.exe "Windows CardSpace" (idsvc) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4166

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03.06.2010 14:00:31
mbam-log-2010-06-03 (14-00-31).txt

Scan type: Quick scan
Objects scanned: 140574
Time elapsed: 13 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\hljrifmj.sys (Rootkit.Agent) -> No action taken.
C:\Dokumente und Einstellungen\***\Anwendungsdaten\avdrn.dat (Malware.Trace) -> No action taken.
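Added example, not code from this post, from OTL or from any other tool named in the thread: a small triage script for the file-list lines OTL prints in its "Files/Folders - Created/Modified Within 30 Days" sections (the OTL log itself is posted further down in this thread). Each line has the shape `[timestamp | size | attributes | C/M] (Company) -- path`; the script parses them and flags two things an analyst looks at first: a `.sys` under `system32\drivers` with an empty company string (no version resource at all), and an unattributed executable module under %SystemRoot% whose timestamp is later than the last boot. The sample lines are copied from the OTL log in this thread and embedded so it runs offline; taking `bootstat.dat`'s modification time as the boot marker, the two heuristics and all function names are assumptions of this script, not behaviour of OTL.

```python
# Added example for triaging the file-list lines in an OTL log.  This is not
# code from the post, from OTL or from any other tool named in the thread.
# OTL's "Files/Folders - Created/Modified Within 30 Days" sections print one
# line per file, e.g.
#   [2010.06.03 14:12:35 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\hljrifmj.sys
# The two heuristics below, the function names and the use of bootstat.dat as
# the boot marker are assumptions of this script, not behaviour of OTL.
import re
from datetime import datetime

OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
DRIVER_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)
SYSTEM_ROOT = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
MODULE_EXT = (".sys", ".dll", ".exe")

# Constructed sample input: lines copied from the OTL log posted in this
# thread (plus one of OTL's summary lines, which the parser must skip),
# embedded so the script runs offline.
SAMPLE_LOG = r"""
[2010.06.03 14:12:35 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\hljrifmj.sys
[2010.06.03 14:02:34 | 037,885,984 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010.06.03 12:36:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.06.03 12:20:53 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
[2010.06.03 10:35:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.06.02 01:14:09 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
"""


def parse_otl_files(text):
    """One dict per parsable file-list line; OTL's summary lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "flag": m["flag"],        # C = listed as created, M = listed as modified
            "company": m["company"],  # empty when the file carries no version resource
            "path": m["path"],
        })
    return entries


def last_boot(entries):
    """Assumption: bootstat.dat is rewritten at boot, so its timestamp marks the last boot."""
    for e in entries:
        if e["path"].lower().endswith("\\windows\\bootstat.dat"):
            return e["ts"]
    return None


def triage(entries):
    """Return [(path, [reasons])] for the entries an analyst should look at first."""
    boot = last_boot(entries)
    findings = []
    for e in entries:
        lower = e["path"].lower()
        reasons = []
        # A kernel driver with no company/version info at all is unusual for vendor code.
        if DRIVER_DIR.search(lower) and lower.endswith(".sys") and not e["company"]:
            reasons.append("kernel driver with no company/version info")
        # An unattributed module under %SystemRoot% written after the machine
        # last booted was dropped or rewritten during this session.
        if (SYSTEM_ROOT.match(lower) and lower.endswith(MODULE_EXT)
                and not e["company"] and boot is not None and e["ts"] > boot):
            reasons.append("unattributed module under %SystemRoot% written after the last boot")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_otl_files(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the only hit is hljrifmj.sys, on both counts. mbamswissarmy.sys was written in the same session but carries a vendor string, which is why the second rule also checks the company field. A missing company name is a triage signal, not a verdict: plenty of legitimate drivers ship without version info, so a hit says where to look first, not what the file is.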
03.06.2010, 15:00 | #2
Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys

OTL

Code:
OTL logfile created on: 03.06.2010 14:03:41 - Run 1
OTL by OldTimer - Version 3.2.5.3     Folder = C:\Dokumente und Einstellungen\***\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

495,00 Mb Total Physical Memory | 118,00 Mb Available Physical Memory | 24,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 53,00% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 24,41 Gb Total Space | 6,10 Gb Free Space | 24,99% Space Free | Partition Type: NTFS
Drive D: | 73,24 Gb Total Space | 5,87 Gb Free Space | 8,01% Space Free | Partition Type: NTFS
Drive E: | 14,13 Gb Total Space | 12,37 Gb Free Space | 87,56% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 465,65 Gb Total Space | 191,58 Gb Free Space | 41,14% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAPTOP-MR
Current User Name: ***
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Dokumente und Einstellungen\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe (Sony Ericsson Mobile Communications AB)
PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
PRC - C:\Programme\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
PRC - C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
PRC - C:\Programme\Free Download Manager\FUM\fumoei.exe ()
PRC - C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe (Teleca AB)
PRC - C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
PRC - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)
PRC - C:\Programme\TOSHIBA\PadTouch\PadExe.exe (TOSHIBA)
PRC - C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe (TOSHIBA Corporation)
PRC - C:\Programme\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corp.)
PRC - C:\WINDOWS\ltsmmsg.exe (LT)
PRC - C:\Programme\TOSHIBA\TouchED\TouchED.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP)
PRC - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)

========== Modules (SafeList) ==========

MOD - C:\Dokumente und Einstellungen\***\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Programme\X-Setup Pro\bin\MSScript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Programme\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (SandraDataSrv) -- C:\Programme\SiSoft Sandra Lite\Win32\RpcDataSrv.exe (SiSoftware)
SRV - (SandraTheSrv) -- C:\Programme\SiSoft Sandra Lite\RpcSandraSrv.exe (SiSoftware)
SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
SRV - (NMIndexingService) -- C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (ANIWZCSdService) -- C:\Programme\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Alpha Networks Inc.)
SRV - (CFSvcs) -- C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (MDM) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (SoundMAX Agent Service (default)) -- C:\Programme\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

========== Driver Services (SafeList) ==========

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (pavboot) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (srescan) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Zone Labs, LLC)
DRV - (KLIF) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab)
DRV - (kl1) -- C:\WINDOWS\system32\DRIVERS\kl1.sys (Kaspersky Lab)
DRV - (s116bus) Sony Ericsson Device 116 driver (WDM) -- C:\WINDOWS\system32\drivers\s116bus.sys (MCCI Corporation)
DRV - (A5AGU) -- C:\WINDOWS\system32\drivers\a5agu.sys (D-Link Corporation)
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (vmm) -- C:\WINDOWS\system32\drivers\Vmm.sys (Microsoft Corporation)
DRV - (VPCNetS2) -- C:\WINDOWS\system32\drivers\VMNetSrv.sys (Microsoft Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (TVALZ) -- C:\WINDOWS\system32\DRIVERS\TVALZ.SYS (TOSHIBA Corporation)
DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}) -- C:\WINDOWS\system32\drivers\wa301a.sys (Intel Corporation)
DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)
DRV - (TOSHIBASoftModem) -- C:\WINDOWS\system32\drivers\LTSM.sys (LT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "hxxp://eigene.domain.de"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: sxipper@sxip.com:2.3.3
FF - prefs.js..extensions.enabledItems: flickr@jzlabs.com:1.0.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.04.24 09:15:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.04.27 23:06:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Components: C:\Programme\Netscape\Components [2009.01.18 18:01:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Plugins: C:\Programme\Netscape\Plugins [2010.04.27 23:06:29 | 000,000,000 | ---D | M]

[2010.04.23 00:15:36 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Extensions
[2010.06.03 12:36:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\extensions
[2010.06.01 15:37:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.05.31 20:36:38 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010.04.23 00:16:36 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010.05.31 19:52:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\extensions\flickr@jzlabs.com
[2010.04.23 00:23:23 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\extensions\sxipper@sxip.com
[2010.06.03 12:36:08 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2009.03.18 16:03:40 | 000,214,272 | ---- | M] (Midasplayer Ltd) -- C:\Programme\Mozilla Firefox\plugins\npmidas.dll
[2010.04.01 18:54:38 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.04.01 18:54:38 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.04.01 18:54:38 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.04.01 18:54:38 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.04.01 18:54:38 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010.06.02 00:57:28 | 000,199,085 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 localhost.localdomain
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: 0.0.0.0 local
O1 - Hosts: 192.168.0.1 router
O1 - Hosts: 127.0.0.1 web
O1 - Hosts: 127.0.0.1 web.local
O1 - Hosts: 127.0.0.1 xampp
O1 - Hosts: 127.0.0.1 xampp.local
O1 - Hosts: 0.0.0.0 binlayer.de
O1 - Hosts: 0.0.0.0 binimage.de
O1 - Hosts: 0.0.0.0 binlayer.com
O1 - Hosts: 0.0.0.0 binimage.com
O1 - Hosts: 0.0.0.0 binlayer.ru
O1 - Hosts: 0.0.0.0 binimage.ru
O1 - Hosts: 0.0.0.0 goatse.cx # More information on sites such as
O1 - Hosts: 0.0.0.0 www.goatse.cx # these can be found in this article
O1 - Hosts: 0.0.0.0 oralse.cx # en.wikipedia.org/wiki/List_of_shock_sites
O1 - Hosts: 0.0.0.0 www.oralse.cx
O1 - Hosts: 0.0.0.0 goatse.ca
O1 - Hosts: 0.0.0.0 www.goatse.ca
O1 - Hosts: 0.0.0.0 oralse.ca
O1 - Hosts: 0.0.0.0 www.oralse.ca
O1 - Hosts: 0.0.0.0 goat.cx
O1 - Hosts: 6585 more lines...
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll ()
O4 - HKLM..\Run: [000StTHK] C:\WINDOWS\System32\000StTHK.exe ()
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [D-Link AirPlus XtremeG] C:\Programme\D-Link\AirPlus XtremeG\AirPlusCFG.exe (D-Link)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LTSMMSG] C:\WINDOWS\ltsmmsg.exe (LT)
O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PadTouch] C:\Programme\TOSHIBA\PadTouch\PadExe.exe (TOSHIBA)
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
O4 - HKLM..\Run: [TFncKy] File not found
O4 - HKLM..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ussshreg] C:\Programme\Ulead SmartSaver Pro\Ussshreg.exe ()
O4 - HKLM..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Programme\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKCU..\Run: [Free Uploader Oe Integration] C:\Programme\Free Download Manager\FUM\fumoei.exe ()
O4 - HKCU..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader Synchronizer.lnk = C:\Programme\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Alles mit FDM herunterladen - C:\Programme\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Auswahl mit FDM herunterladen - C:\Programme\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Datei mit FDM herunterladen - C:\Programme\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: Videos mit FDM herunterladen - C:\Programme\Free Download Manager\dlfvideo.htm ()
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Programme\Free Download Manager\FUM\fumiebtn.dll ()
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} hxxp://192.168.0.2/connectcomputer/nshelp.dll (NSHelp Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231804693796 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231804669218 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007.10.01 22:46:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007.04.20 13:04:20 | 000,000,000 | ---D | M] - G:\autorun -- [ FAT32 ]
O32 - AutoRun File - [2005.11.15 11:08:04 | 000,000,036 | -H-- | M] () - G:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{7e84ab5a-e678-11de-b2da-00080dde46f6}\Shell\AutoRun\command - "" = H:\Toshiba\more4you.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.06.03 12:36:52 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Malwarebytes
[2010.06.03 12:36:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.06.03 12:36:25 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.06.03 12:36:24 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.06.03 12:36:23 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.06.03 12:20:51 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
[2010.06.03 10:59:27 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\***\Desktop\osam_autorun_manager_5_0_portable
[2010.06.02 13:10:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\Microsoft Web Folders
[2010.06.02 01:14:09 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010.06.02 01:10:23 | 000,000,000 | ---D | C] -- C:\Programme\Panda Security
[2010.06.01 16:36:47 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010.06.01 16:36:11 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010.06.01 16:09:13 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010.06.01 16:08:09 | 000,000,000 | ---D | C] -- C:\Programme\Lavasoft
[2010.05.28 02:35:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010.05.25 23:15:45 | 014,590,080 | ---- | C] (DivX, Inc.) -- C:\Dokumente und Einstellungen\***\Desktop\DivXInstaller 6.8.exe
[2010.05.25 22:39:34 | 000,000,000 | ---D | C] -- C:\Programme\Cut Assistant 0.9.13.16
[2010.05.07 21:52:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.06.03 14:12:35 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\hljrifmj.sys
[2010.06.03 14:02:34 | 037,885,984 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010.06.03 12:20:53 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\***\Desktop\OTL.exe
[2010.06.03 10:51:47 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.06.03 10:38:13 | 000,000,470 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.06.03 10:36:30 | 000,058,727 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010.06.03 10:36:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.06.03 10:35:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.06.03 05:08:57 | 000,454,772 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010.06.03 05:08:38 | 007,340,032 | -H-- | M] () -- C:\Dokumente und Einstellungen\***\NTUSER.DAT
[2010.06.03 05:08:38 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\***\ntuser.ini
[2010.06.02 21:41:39 | 000,293,376 | ---- | M] () -- C:\Dokumente und Einstellungen\***\Desktop\4hf4fesu.exe
[2010.06.02 20:54:46 | 000,169,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.06.02 15:56:39 | 000,000,535 | ---- | M] () -- C:\hpfr5550.xml
[2010.06.02 13:13:54 | 000,000,403 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010.06.02 13:12:57 | 000,001,715 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
[2010.06.02 00:17:04 | 000,001,550 | ---- | M] () -- C:\Dokumente und
Einstellungen\***\Desktop\HijackThis.lnk [2010.06.01 23:42:41 | 000,114,176 | ---- | M] () -- C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010.06.01 22:49:35 | 000,648,116 | ---- | M] () -- C:\WINDOWS\umcat_01.db [2010.06.01 16:36:02 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys [2010.06.01 16:35:58 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe [2010.06.01 16:09:08 | 000,000,853 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Ad-Aware.lnk [2010.05.26 22:19:37 | 000,000,004 | ---- | M] () -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\avdrn.dat [2010.05.26 17:55:38 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn [2010.05.26 00:14:11 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010.05.25 23:17:55 | 014,590,080 | ---- | M] (DivX, Inc.) -- C:\Dokumente und Einstellungen\***\Desktop\DivXInstaller 6.8.exe [2010.05.25 22:38:20 | 000,896,541 | ---- | M] () -- C:\Dokumente und Einstellungen\***\Desktop\Cut_Assistant_0.9.13.16.ZIP [2010.05.23 12:03:31 | 000,000,152 | ---- | M] () -- C:\WINDOWS\ULead32.ini [2010.05.22 13:03:17 | 000,000,047 | ---- | M] () -- C:\WINDOWS\System32\everest_cpl.ini [2010.05.13 18:25:42 | 000,071,742 | ---- | M] () -- D:\Eigene Dateien\Waschmaschinen Vergleich.ods [2010.05.07 10:35:13 | 000,432,824 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010.05.07 10:35:12 | 000,449,576 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat [2010.05.07 10:35:12 | 000,067,780 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010.05.07 10:35:11 | 000,080,388 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat [2010.05.07 10:35:06 | 001,042,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== 
[2010.06.02 21:41:38 | 000,293,376 | ---- | C] () -- C:\Dokumente und Einstellungen\***\Desktop\4hf4fesu.exe [2010.06.02 03:10:08 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe [2010.06.02 00:17:03 | 000,001,550 | ---- | C] () -- C:\Dokumente und Einstellungen\***\Desktop\HijackThis.lnk [2010.06.01 17:06:42 | 000,648,116 | ---- | C] () -- C:\WINDOWS\umcat_01.db [2010.06.01 16:42:53 | 000,000,470 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job [2010.06.01 16:09:08 | 000,000,853 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Ad-Aware.lnk [2010.05.26 22:20:52 | 000,741,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\hljrifmj.sys [2010.05.26 22:19:37 | 000,000,004 | ---- | C] () -- C:\Dokumente und Einstellungen\***\Anwendungsdaten\avdrn.dat [2010.05.25 22:38:03 | 000,896,541 | ---- | C] () -- C:\Dokumente und Einstellungen\***\Desktop\Cut_Assistant_0.9.13.16.ZIP [2010.05.13 17:03:41 | 000,071,742 | ---- | C] () -- D:\Eigene Dateien\Waschmaschinen Vergleich.ods [2009.05.11 15:15:13 | 000,000,047 | ---- | C] () -- C:\WINDOWS\System32\everest_cpl.ini [2009.04.16 13:09:22 | 000,000,058 | ---- | C] () -- C:\WINDOWS\my.ini [2008.11.21 23:47:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll [2008.11.21 23:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2008.11.21 23:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2008.11.21 23:44:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2008.07.14 04:33:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI [2008.03.18 20:42:52 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2007.10.23 04:16:18 | 000,000,152 | ---- | C] () -- C:\WINDOWS\ULead32.ini [2007.10.05 23:32:05 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll [2007.10.05 01:45:52 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll [2007.10.05 01:45:52 | 000,139,264 | ---- | C] 
() -- C:\WINDOWS\System32\xvidvfw.dll [2007.10.05 01:06:07 | 000,000,405 | ---- | C] () -- C:\WINDOWS\System32\gmsblist.dll [2007.10.05 01:05:18 | 000,000,039 | ---- | C] () -- C:\WINDOWS\System32\gr6rlzay.dll [2007.10.04 02:50:12 | 000,021,904 | ---- | C] () -- C:\WINDOWS\System32\imsinstall_loc0407.dll [2007.10.04 02:50:12 | 000,017,808 | ---- | C] () -- C:\WINDOWS\System32\imslsp_install_loc0407.dll [2007.10.04 02:49:23 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll [2007.10.04 02:34:19 | 000,000,186 | ---- | C] () -- C:\WINDOWS\X-Filter.INI [2007.10.04 02:06:02 | 000,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini [2007.10.04 01:39:41 | 000,000,016 | ---- | C] () -- C:\WINDOWS\Wininit.ini [2007.10.03 22:57:17 | 000,001,695 | ---- | C] () -- C:\WINDOWS\IF40LE.INI [2007.10.03 22:57:17 | 000,000,253 | ---- | C] () -- C:\WINDOWS\PEXPLORE.INI [2007.10.03 22:56:36 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll [2007.10.03 22:56:36 | 000,000,398 | ---- | C] () -- C:\WINDOWS\umxaddin.ini [2007.10.03 20:24:04 | 000,000,403 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2007.10.03 16:21:59 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll [2007.10.03 15:04:05 | 000,000,076 | ---- | C] () -- C:\WINDOWS\EasyCash.ini [2007.10.03 15:00:20 | 000,000,190 | ---- | C] () -- C:\WINDOWS\EasyCT.INI [2007.10.03 13:59:03 | 000,015,873 | ---- | C] () -- C:\WINDOWS\System32\Inetde.dll [2007.10.03 12:37:20 | 000,006,688 | ---- | C] () -- C:\WINDOWS\System32\Digita.sys [2007.10.03 12:37:18 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\ldf252.dll [2007.10.03 01:09:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI [2007.10.03 00:08:59 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini [2007.10.03 00:08:59 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll [2007.10.03 00:08:59 | 000,010,252 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini [2007.10.03 00:08:59 | 000,007,671 | ---- | C] () -- 
C:\WINDOWS\System32\cseltbl.ini < End of report > Code:
OTL Extras logfile created on: 03.06.2010 14:03:41 - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Dokumente und Einstellungen\***\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
495,00 Mb Total Physical Memory | 118,00 Mb Available Physical Memory | 24,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 53,00% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 24,41 Gb Total Space | 6,10 Gb Free Space | 24,99% Space Free | Partition Type: NTFS
Drive D: | 73,24 Gb Total Space | 5,87 Gb Free Space | 8,01% Space Free | Partition Type: NTFS
Drive E: | 14,13 Gb Total Space | 12,37 Gb Free Space | 87,56% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 465,65 Gb Total Space | 191,58 Gb Free Space | 41,14% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: LAPTOP-MR
Current User Name: ***
Logged in as Administrator.
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [ACDBrowse] -- "C:\Programme\ACD Systems\ACDSee\ACDSee.exe" "%1" () Directory [AddToPlaylistVLC] -- C:\Programme\VideoLAN\vlc.exe --started-from-file --playlist-enqueue "%1" () Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [MakeFolders] -- C:\Programme\MakeFolders\MkFldrs.exe () Directory [Mp3tag] -- "C:\Programme\Mp3tag\Mp3tag.exe" "/fp:%1" (Florian Heidenreich) Directory [PlayWithVLC] -- C:\Programme\VideoLAN\vlc.exe --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Bookmark] -- "C:\Programme\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft) Directory [Winamp.Enqueue] -- "C:\Programme\Winamp\Winamp.exe" /ADD "%1" (Nullsoft) Directory [Winamp.Play] -- "C:\Programme\Winamp\Winamp.exe" "%1" (Nullsoft) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L 
(Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 1 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 
137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Programme\ICQ6\ICQ.exe" = C:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- File not found "C:\Programme\SiSoft Sandra Lite\Win32\RpcDataSrv.exe" = C:\Programme\SiSoft Sandra Lite\Win32\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service -- (SiSoftware) "C:\Programme\SiSoft Sandra Lite\RpcSandraSrv.exe" = C:\Programme\SiSoft Sandra Lite\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service -- (SiSoftware) "C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe" = C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner -- () "C:\Programme\ICQ6.5\ICQ.exe" = C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.) 
========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00000407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium "{00170407-78E1-11D2-B60F-006097C998E7}" = Microsoft Word 2000 "{01191F55-F0E8-47E0-A942-0C1179F1A05F}" = JDContextMenu "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate "{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth "{25BEC3AB-5CD4-481D-9143-215C1BBB189E}" = Sony Ericsson PC Suite "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17 "{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook "{3470FBE6-B743-420F-B5CE-0D27FA749C16}" = Touch and Launch "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{36A1E3D6-288A-4EEE-A081-30D9808B2BE3}" = Joe "{3C1475DA-F9D5-47B1-AB9C-B5F1C7A331C6}" = MECK "{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}" = TOSHIBA Console "{4082365B-0985-499A-920D-E4D4414DC58F}" = Microsoft Virtual PC 2004 "{45A54FAD-AADB-4CD2-9E56-2507A15F013D}" = Opera 9.23 "{4ACBBFC6-3F39-48DE-8D85-182736B2749B}" = Garmin MapSource "{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service "{52C97E71-DC72-4BFC-8F27-3DD60228FBAF}" = FTP-Watchdog "{55E90923-5691-4A15-85EA-735045C2C405}" = Suchen und ersetzen fuer HTML "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5 "{641FE800-650B-4E99-A304-9D50E7235BAF}" = Topo Deutschland v2 "{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2 "{74EC78BC-B379-4E29-9006-8F161DCAABA6}" = Apple Software Update "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{79B92240-9C65-4DD7-B1AD-59910D2C1353}" = AirPlus XtremeG "{79ED0EE7-098C-465F-A853-B17F6FC6CDD8}" = GPS TrackMaker 
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec "{7DF4C257-26FF-4FD1-BC5C-42CD5953EECB}" = MapSource - European Points of Interest v4.00 "{86F4F32B-77C7-4951-B33C-05D41A8190C1}" = Microsoft RichCopy 4.0 "{878B631B-E0F9-41B9-83D9-BC9DFB0B9F2B}" = Ebad "{87F5E4C0-AF6F-4502-A9A7-09A0B6D62A52}" = DX-Browser "{88645D03-45B0-4366-A24E-D88530719FCC}" = Web-Passport "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver "{8FE73E6F-2D9B-428B-BCB2-1217F56A5E87}" = CacheStats "{90150407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Access 2003 "{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Alps Pointing-device Driver "{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{A625D45F-1DC4-47FB-ABCF-6B27684AA717}" = OpenOffice.org 2.3 "{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls "{A89131FD-3D18-4DA8-84C8-622423011B51}_is1" = ALNO AG Küchenplaner "{AC76BA86-7AD7-1031-7B44-A80000000002}" = Adobe Reader 8 - Deutsch "{B5688129-7595-4E5B-9990-CEF981A31264}" = SyncToy "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation "{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1 "{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree "{BF059DDE-13A5-4A5D-8DC2-D664B9D9DD15}" = GhostWriter "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU "{C3113E55-7BCB-4de3-8EBF-60E6CE6B2096}_is1" = SiSoftware Sandra Lite XIIc 
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU "{C3EBEF79-DE34-44AE-8774-F6A17ABE27B2}" = Garmin nRoute "{C4CFD617-6906-463E-80E6-5061E8D2BE00}" = e-Coolector "{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers "{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data "{CC399A03-4695-432E-AE6E-BB450DDE5248}_is1" = mirkes.de Tiny Hexer "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D0AC6844-79D4-11D4-AFEE-00C04F443448}" = Microsoft Works 6.0 "{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite "{DC77A3D0-9ADA-47C6-9536-F9E7CF497C9D}" = Instant Sound Off "{DD1AF1C9-1CEB-49B9-9CCC-641B7B3D55FF}" = MapSource - Atlantic BlueChart v6 "{DEB51E39-0F14-4B0C-BE19-4001399A5504}" = MapSource - European Roads and Recreation v4.00 "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware "{DF768459-AEAF-47F4-8CD6-CC9697F43A49}" = WinAttrib "{EC1F15E1-F3CC-46EE-B7A5-849A08ED60DC}}_is1" = PantsOff 2.0 "{EDA023EF-0F82-4030-BF23-5283C1EE1031}" = Nero 7 Essentials "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729) "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01 "{F5193D77-5EF9-4731-991A-EC1F6551C818}" = MapSource - European MetroGuide v6 "{F7107906-5D75-438A-BB33-010818834487}" = IKEA HomePlanner Kitchen "ACDSee" = ACDSee "ActiveScan 2.0" = Panda ActiveScan 2.0 "Ad-Aware" = Ad-Aware "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Photoshop Elements 1.0" = Adobe Photoshop Elements "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "Adobe SVG Viewer" = Adobe SVG Viewer "Advanced IP Address Calculator v1.1" = Advanced IP Address Calculator v1.1 "Advanced IP Scanner v1.5" = Advanced IP Scanner v1.5 "Advanced LAN Scanner v1.0 BETA 1" = 
Advanced LAN Scanner v1.0 BETA 1 "Advanced Port Scanner v1.3" = Advanced Port Scanner v1.3 "AFPL Ghostscript 8.54" = AFPL Ghostscript 8.54 "AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts "AIDA32_is1" = AIDA32 v3.93 "aignesamdeadlink_is1" = AM-DeadLink 3.1 "AllDup_is1" = AllDup 1.7.12 "ASCII Art - Machine_is1" = ASCII Art - Machine 1.2 "AVCutty" = AVCutty 2.4e "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "AVS DVD Player_is1" = AVS DVD Player version 2.4 "Biet-O-Matic v2.4.0" = Biet-O-Matic v2.4.0 "Bildschutz_is1" = Bildschutz Pro "Button Studio" = Button Studio "cdngo_is1" = CD'n'Go! Suite 2.09 (Beta) "Crazy Browser 3.0.0 Beta2_is1" = Crazy Browser version 3.0.0 Beta2 "CryptextNT4" = Cryptext (Remove Only) "CSVed_is1" = CSVed 1.4.3 "DirPrinter" = DirPrinter "DokuTool 1.0R6_is1" = DokuTool (Non Commercial Edition) "Dragonboard_is1" = Dragonboard 0.9 "DriveScan Plus_is1" = DriveScan Plus für Windows, Version 3.6 "DynGate" = DynGate "EasyCash&Tax_is1" = EasyCash&Tax 1.34 "EasyRide&Tax_is1" = EasyRide&Tax 1.3 "ECT Import Plugin_is1" = Re2ECT-Plugin 1.0 "ECTPlugAnlagenverzeichnis_is1" = ECTPlugAnlagenverzeichnis 1.1 "ECTPlugWolframsJournal_is1" = ECTPlugWolframsJournal 1.02 "EPSON Printer and Utilities" = EPSON-Drucker-Software "EVEREST Home Edition_is1" = EVEREST Home Edition v2.20 "FileZilla" = FileZilla (remove only) "FileZilla Client" = FileZilla Client 3.0.10 "FLV Player1.33 FC" = FLV Player "Free Download Manager_is1" = Free Download Manager 2.5 "FreePDF_XP" = FreePDF XP (Remove only) "Geocache Scanner_is1" = Geocache Scanner V5.0.1 vom 13.12.2006 "GSAK (Geocaching Swiss Army Knife)_is1" = GSAK 6.6.5.19 "HijackThis" = HijackThis 2.0.2 "hp deskjet 5550 series" = hp deskjet 5550 series (nur entfernen) "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "if40leUninstall" = Presto! 
ImageFolio LE "InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2 "InstallShield_{79B92240-9C65-4DD7-B1AD-59910D2C1353}" = AirPlus XtremeG "InstallShield_{DD1AF1C9-1CEB-49B9-9CCC-641B7B3D55FF}" = MapSource - Atlantic BlueChart v6 "InstallShield_{F5193D77-5EF9-4731-991A-EC1F6551C818}" = MapSource - European MetroGuide v6 "IrfanView" = IrfanView (remove only) "IsoBuster_is1" = IsoBuster 1.4 "JDownloader" = JDownloader "king.com" = king.com (remove only) "Lupas Rename 2000_is1" = Lupas Rename 2000 v5.0 Release "MakeFolders 1.10_is1" = MakeFolders 1.10 "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "MapSource" = MapSource "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "mIRC" = mIRC "Mobility" = Mobility "Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3) "Mp3tag" = Mp3tag v2.39 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "Netscape (7.1)" = Netscape (7.1) "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "Packet Tracer 3.2_is1" = Packet Tracer 3.2 "Packet Tracer 4.0_is1" = Packet Tracer 4.0 "PageManager" = Presto! PageManager "PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool "phase5" = phase5 "PhraseExpress_is1" = PhraseExpress v4.1.14 "Power Saver" = TOSHIBA Power Saver "Private Message Plus_is1" = Private Message Plus "PROSet" = Intel(R) Network Connections Drivers "Rechnung/2_is1" = Version 2.6.1 "Redirection Port Monitor" = RedMon - Redirection Port Monitor "SlimBrowser" = SlimBrowser (remove only) "Spoiler Sync_is1" = Spoiler Sync "TeamViewer" = TeamViewer "The Bat!" = The Bat! 
"TOSHIBA Software Modem" = TOSHIBA Software Modem "TOSHIBA Utilities" = TOSHIBA Utilities "TouchED" = TOSHIBA Touchpad Ein/Aus Utility V2.05.00 "Ulead SmartSaver Pro 3.0" = Ulead SmartSaver Pro 3.0 Full Version "UNDOReg" = UNDOReg "ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only) "VLC media player" = VLC media player 0.9.4 "VSO DivxToDVD_is1" = DivxToDVD 0.5.2 "waterMark V2" = waterMark V2 "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 "WIC" = Windows Imaging Component "Winamp" = Winamp (remove only) "Winamp 5.02 Deutsche Sprachdatei v14" = Deutsche Sprachdatei für Winamp 5.02 v14 "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.41-3 "WinRAR archiver" = WinRAR archiver "Winston_is1" = Winston Version 02072 "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 "xampp" = XAMPP 1.6.3a "xp-AntiSpy" = xp-AntiSpy 3.96-6 "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0 "XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0 "xqdcXSP_is1" = Xteq-dotec X-Setup Pro 6.6.300.Final1 "ZoneAlarm" = ZoneAlarm ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Renatager" = Mp3 Renatager ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 13.11.2009 19:29:39 | Computer Name = LAPTOP-MR | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. 
Error - 03.12.2009 08:32:26 | Computer Name = LAPTOP-MR | Source = crypt32 | ID = 131083 Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> ist fehlgeschlagen mit dem Fehler: Bei der Zertifikatsverkettung ist ein interner Fehler aufgetreten. . Error - 05.12.2009 05:02:45 | Computer Name = LAPTOP-MR | Source = crypt32 | ID = 131083 Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> ist fehlgeschlagen mit dem Fehler: Bei der Zertifikatsverkettung ist ein interner Fehler aufgetreten. . Error - 19.04.2010 08:56:28 | Computer Name = LAPTOP-MR | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 19.04.2010 18:55:18 | Computer Name = LAPTOP-MR | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung explorer.exe, Version 6.0.2900.5512, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 22.04.2010 17:24:39 | Computer Name = LAPTOP-MR | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung Opera.exe, Version 9.23.8808.0, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. Error - 27.04.2010 16:03:18 | Computer Name = LAPTOP-MR | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung explorer.exe, Version 6.0.2900.5512, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000. 
Error - 27.04.2010 16:49:15 | Computer Name = LAPTOP-MR | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung explorer.exe, Version 6.0.2900.5512, fehlgeschlagenes Modul comctl32.dll, Version 6.0.2900.5512, Fehleradresse 0x0007fda7. Error - 27.04.2010 16:50:16 | Computer Name = LAPTOP-MR | Source = Application Error | ID = 1000 Description = Fehlgeschlagene Anwendung explorer.exe, Version 6.0.2900.5512, fehlgeschlagenes Modul , Version 0.0.0.0, Fehleradresse 0x00000000. Error - 27.04.2010 22:11:06 | Computer Name = LAPTOP-MR | Source = Application Hang | ID = 1002 Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000. [ System Events ] Error - 26.05.2010 16:20:58 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7000 Description = Der Dienst "D-Link USB Wireless Network Adapter Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%31 Error - 27.05.2010 20:38:46 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7009 Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst Gatewaydienst auf Anwendungsebene. Error - 27.05.2010 20:39:05 | Computer Name = LAPTOP-MR | Source = System Error | ID = 1003 Description = Fehlercode 1000008e, 1. Parameter c0000005, 2. Parameter bfa7199e, 3. Parameter ee5d9a4c, 4. Parameter 00000000. Error - 27.05.2010 20:39:15 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Gatewaydienst auf Anwendungsebene" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error - 01.06.2010 09:33:43 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7034 Description = Dienst "Ad-Aware 2007 Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. 
Error - 02.06.2010 09:44:11 | Computer Name = LAPTOP-MR | Source = Print | ID = 6161 Description = Das Dokument Microsoft Word - 02 - Deckblatt mit Foto.doc, im Besitz von ***, konnte nicht auf dem Drucker Automatisch hp deskjet 5550 series (2) auf WILLI gedruckt werden. Datentyp: NT EMF 1.008. Größe der Warteschlangendatei in Bytes: 1165664. Anzahl der gedruckten Bytes: 0. Gesamtanzahl der Seiten des Dokuments: 1. Anzahl der gedruckten Seiten: 1. Clientcomputer: \\LAPTOP-MR. Vom Druckprozessor zurückgelieferter Win32-Fehlercode: 53 (0x35). Error - 02.06.2010 14:57:06 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7009 Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst IMAPI-CD-Brenn-COM-Dienste. Error - 02.06.2010 14:57:06 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7000 Description = Der Dienst "IMAPI-CD-Brenn-COM-Dienste" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error - 02.06.2010 16:13:03 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7009 Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst Gatewaydienst auf Anwendungsebene. Error - 02.06.2010 16:13:03 | Computer Name = LAPTOP-MR | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Gatewaydienst auf Anwendungsebene" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 < End of report > |
05.06.2010, 23:36 | #3 |
| Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys Hm...? Is there really no one here who can help?
06.06.2010, 00:01 | #4 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys Hello and Quote:
__________________ Please always post logfiles in CODE tags
06.06.2010, 22:56 | #5 |
| Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys Thanks! I think this already looks good. Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 23:53:27 on 06.06.2010 OS: Windows XP Professional Service Pack 3 (Build 2600) Default Browser: Mozilla Corporation Firefox 3.6.3 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Boot Execute] -----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager )----- "BootExecute" - ? - C:\WINDOWS\system32\lsdelete.exe (File found, but it contains no detailed information) [Common] -----( %SystemRoot%\Tasks )----- "Ad-Aware Update (Weekly).job" - "Lavasoft " - C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "everest_cpl.cpl" - ? - C:\WINDOWS\system32\everest_cpl.cpl (File found, but it contains no detailed information) "HWSETUP.CPL" - "TOSHIBA Corp." - C:\WINDOWS\system32\HWSETUP.CPL "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl "TOSCDSPD.cpl" - ? 
- C:\WINDOWS\system32\TOSCDSPD.cpl (File found, but it contains no detailed information) "TPwrSave.cpl" - "TOSHIBA Corporation" - C:\WINDOWS\system32\TPwrSave.cpl -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl "Avira AntiVir PersonalEdition Classic " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl "ECSEPM" - "Sony Ericsson Mobile Communications AB" - C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\ecsepm.cpl "Nero BurnRights" - "Nero AG" - C:\Programme\Nero\Nero 7\Nero Toolkit\NeroBurnRights.cpl "QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl "SMAX3CP" - "Analog Devices, Inc." - C:\Programme\Analog Devices\SoundMAX\SMax3CP.cpl "X-Setup Pro" - ? - C:\Programme\X-Setup Pro\bin\dcXSPApplet.cpl (File found, but it contains no detailed information) [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "ANIO Service" (ANIO) - "Alpha Networks Inc." - C:\WINDOWS\system32\ANIO.SYS "avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "grmnusb" (grmnusb) - "GARMIN Corp." - C:\WINDOWS\System32\drivers\grmnusb.sys "i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found) "Lbd" (Lbd) - "Lavasoft AB" - C:\WINDOWS\System32\DRIVERS\Lbd.sys "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "pavboot" (pavboot) - "Panda Security, S.L." - C:\WINDOWS\System32\drivers\pavboot.sys "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? 
- C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "srescan" (srescan) - "Zone Labs, LLC" - C:\WINDOWS\System32\ZoneLabs\srescan.sys "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys "TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver" (TVALZ) - "TOSHIBA Corporation" - C:\WINDOWS\System32\DRIVERS\TVALZ.SYS "TOSHIBA Network Device Usermode I/O Protocol" (Netdevio) - "TOSHIBA Corporation." - C:\WINDOWS\System32\DRIVERS\netdevio.sys "Virtual Machine Monitor" (vmm) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\vmm.sys "vsdatant" (vsdatant) - "Zone Labs, LLC" - C:\WINDOWS\System32\vsdatant.sys "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) [Explorer] -----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {BDEADF00-C265-11d0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? 
- C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL {3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found) {990a81a0-b289-11cf-a800-00a0c903a2a6} "Cryptext" - ? - C:\WINDOWS\system32\ShellExt\Cryptext.dll {F49C55B9-D417-45A1-A6E7-D6E057946280} "FdmUplShlExt Class" - ? - C:\Programme\Free Download Manager\FUM\fumshext.dll {CE3DC79D-5A27-4F86-A5B2-EF8D76E03FAC} "JDTools" - "Jörg Dähler - Software Entwicklung" - C:\Programme\JDContextMenu\JDContextMenu.dll {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? 
- (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? 
- (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {03DAACC5-10BA-4E3E-9D54-2A569F6B4B87} "Sony Ericsson Datei-Manager" - "Popwire AB" - C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll {738D66C6-0149-4D40-84E4-A7BB2D0CE949} "Sony Ericsson Datei-Manager" - "Popwire AB" - C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll {C4213067-97B3-4929-9B98-B5600FBBBA13} "TouchShellExt Class" - "TOSHIBA Corporation" - C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll {8932AEFE-9DB6-4f43-AFB2-5682F55E773A} "VPCHostCopyHook" - "Microsoft Corporation" - C:\Programme\Microsoft Virtual PC\VPCShExH.DLL {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - C:\Programme\WinRAR\rarext.dll (File found, but it contains no detailed information) {D9872D13-7651-4471-9EEE-F0A00218BEBB} "ZLAVShExt Class" - "Zone Labs, LLC" - C:\Programme\ZoneAlarm\zlavscan.dll [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) <binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {9191F686-7F0A-441D-8A98-2FE3AC1BD913} "ActiveScan 2.0 Installer Class" - "Panda Security" - C:\WINDOWS\Downloaded Program Files\as2stubie.dll / hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." 
- C:\Programme\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_17" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_17.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} "MUWebControl Class" - "Microsoft Corporation" - C:\WINDOWS\system32\muweb.dll / hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231804669218 {485D813E-EE26-4DF8-9FAF-DEDF2885306E} "NSHelp Class" - "Microsoft Corporation" - C:\WINDOWS\Downloaded Program Files\nshelp.dll / hxxp://192.168.0.2/connectcomputer/nshelp.dll {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} "Symantec AntiVirus scanner" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\avsniff.dll / hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab {644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? - (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- "ICQ6" - "ICQ, LLC." - C:\Programme\ICQ6.5\ICQ.exe {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL {86529161-034E-4F8A-88D2-3C625E612E04} "Run WinHTTrack" - ? - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} "Upload" - ? 
- C:\Programme\Free Download Manager\FUM\fumiebtn.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205} "FDMIECookiesBHO Class" - ? - C:\Programme\Free Download Manager\iefdm2.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "Adobe Gamma Loader.exe.lnk" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe (Shortcut exists | File exists) "Adobe Reader - Schnellstart.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe (Shortcut exists | File exists) "Adobe Reader Synchronizer.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe (Shortcut exists | File exists) "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "Microsoft Office.lnk" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office\OSA9.EXE (Shortcut exists | File exists) "Erinnerungen in Microsoft Works-Kalender.lnk" - "Microsoft® Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart\desktop.ini -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "Free Uploader Oe Integration" - ? 
- C:\Programme\Free Download Manager\FUM\fumoei.exe "TOSCDSPD" - "TOSHIBA" - C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "000StTHK" - ? - 000StTHK.exe (File found, but it contains no detailed information) "00THotkey" - "TOSHIBA Corp." - C:\WINDOWS\system32\00THotkey.exe "ANIWZCS2Service" - "Alpha Networks Inc." - C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe "avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min "D-Link AirPlus XtremeG" - "D-Link" - C:\Programme\D-Link\AirPlus XtremeG\AirPlusCFG.exe "FreePDF Assistant" - "shbox.de" - C:\Programme\FreePDF_XP\fpassist.exe "LTSMMSG" - "LT" - LTSMMSG.exe "Microsoft Works Portfolio" - "Microsoft® Corporation" - C:\Programme\Microsoft Works\WksSb.exe /AllUsers "Microsoft Works Update Detection" - "Microsoft® Corporation" - C:\Programme\Microsoft Works\WkDetect.exe "NDSTray.exe" - ? - NDSTray.exe (File not found) "NeroFilterCheck" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe "PadTouch" - ? - "C:\Programme\TOSHIBA\PadTouch\PadExe.exe (File not found) "QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime "Sony Ericsson PC Suite" - ? - "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions "TFncKy" - ? - TFncKy.exe (File not found) "TouchED" - "TOSHIBA Corporation" - C:\Programme\TOSHIBA\TouchED\TouchED.Exe "TPSMain" - "TOSHIBA Corporation" - TPSMain.exe "ussshreg" - ? - C:\PROGRA~1\ULEADS~1\Ussshreg.exe /r (File found, but it contains no detailed information) "WorksFUD" - "Microsoft® Corporation" - C:\Programme\Microsoft Works\wkfud.exe "ZoneAlarm Client" - "Zone Labs, LLC" - "C:\Programme\ZoneAlarm\zlclient.exe" [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "EPSON Stylus DX4400 Series 32MonitorBE" - "SEIKO EPSON CORPORATION" - C:\WINDOWS\system32\E_FLBCAE.DLL "Redirected Port" - ? 
- C:\WINDOWS\system32\redmonnt.dll (File found, but it contains no detailed information) [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "ANIWZCSd Service" (ANIWZCSdService) - "Alpha Networks Inc." - C:\Programme\ANI\ANIWZCS2 Service\ANIWZCSdS.exe "ASP.NET-Zustandsdienst" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe "ConfigFree Service" (CFSvcs) - "TOSHIBA CORPORATION" - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Lavasoft Ad-Aware Service" (Lavasoft Ad-Aware Service) - "Lavasoft" - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe "Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE "NMIndexingService" (NMIndexingService) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "SiSoftware Database Agent Service" (SandraDataSrv) - "SiSoftware" - C:\Programme\SiSoft Sandra Lite\Win32\RpcDataSrv.exe "SiSoftware Sandra Agent Service" (SandraTheSrv) - "SiSoftware" - C:\Programme\SiSoft Sandra Lite\RpcSandraSrv.exe "SoundMAX Agent Service" (SoundMAX Agent Service (default)) - "Analog Devices, Inc." 
- C:\Programme\Analog Devices\SoundMAX\SMAgent.exe "TrueVector Internet Monitor" (vsmon) - "Zone Labs, LLC" - C:\WINDOWS\system32\ZoneLabs\vsmon.exe "Windows CardSpace" (idsvc) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru |
07.06.2010, 08:41 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys ComboFix: A guide and tutorial on using ComboFix
ComboFix may only be run when a board expert (Kompetenzler) has explicitly recommended it!
07.06.2010, 11:33 | #7 |
| Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys Hello! I cleaned up with CCleaner. After 5 passes everything was gone (except for the Avira entry). What puzzled me a bit, though: CCleaner also flagged file extensions such as mp4, aac, csv, r00-r20 and a few others that I know as "unused". I let it remove them all, since I know how to restore them. But since I have, for example, VLC, WinRAR, WinAmp and a CSV editor installed and actually use them, I don't understand why they were detected as unused.... Maybe someone can briefly enlighten me on that. And here is the ComboFix log: Code:
ATTFilter ComboFix 10-06-06.04 - *** 07.06.2010 11:59:54.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.495.188 [GMT 2:00] ausgeführt von:: c:\dokumente und einstellungen\***\Desktop\cofi.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\dokumente und einstellungen\***\Anwendungsdaten\ACD Systems\ACDSee\ImageDB.ddf c:\dokumente und einstellungen\***\Anwendungsdaten\avdrn.dat G:\Autorun.inf . ((((((((((((((((((((((( Dateien erstellt von 2010-05-07 bis 2010-06-07 )))))))))))))))))))))))))))))) . 2010-06-07 09:22 . 2010-06-07 09:22 -------- d-----w- c:\programme\CCleaner 2010-06-06 21:02 . 2010-06-06 21:07 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\Online Solutions 2010-06-03 10:36 . 2010-06-03 10:36 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\Malwarebytes 2010-06-03 10:36 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-03 10:36 . 2010-06-03 10:36 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes 2010-06-03 10:36 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-03 10:36 . 2010-06-03 10:36 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware 2010-06-02 11:10 . 2010-06-02 11:10 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\Microsoft Web Folders 2010-06-02 01:10 . 2010-06-01 14:35 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-06-01 23:14 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys 2010-06-01 23:10 . 2010-06-01 23:10 -------- d-----w- c:\programme\Panda Security 2010-06-01 14:36 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-06-01 14:36 . 
2010-06-01 14:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-06-01 14:09 . 2010-06-01 14:09 -------- dc-h--w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} 2010-06-01 14:09 . 2010-02-04 15:53 2954656 -c--a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe 2010-06-01 14:08 . 2010-06-01 14:09 -------- d-----w- c:\programme\Lavasoft 2010-05-25 20:39 . 2010-05-25 20:58 -------- d-----w- c:\programme\Cut Assistant 0.9.13.16 . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-07 10:12 . 2007-10-04 00:49 38379552 --sha-w- c:\windows\system32\drivers\fidbox.dat 2010-06-07 09:20 . 2007-10-03 14:19 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\Free Download Manager 2010-06-06 23:32 . 2007-10-03 14:19 -------- d-----w- c:\programme\Free Download Manager 2010-06-06 21:24 . 2007-10-04 00:49 458660 --sha-w- c:\windows\system32\drivers\fidbox.idx 2010-06-06 16:21 . 2010-05-01 12:38 1 ----a-w- c:\dokumente und einstellungen\***\Anwendungsdaten\OpenOffice.org2\user\uno_packages\cache\stamp.sys 2010-06-06 16:06 . 2007-10-20 14:28 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\OpenOffice.org2 2010-06-06 07:57 . 2010-04-22 20:47 -------- d-----w- c:\programme\JDownloader 2010-06-02 11:10 . 2007-10-01 20:46 -------- d-----w- c:\programme\microsoft frontpage 2010-06-01 13:51 . 2007-10-03 11:09 -------- d-----w- c:\programme\Gemeinsame Dateien\Wise Installation Wizard 2010-06-01 13:50 . 2007-10-03 11:10 -------- d-----w- c:\programme\Ad-Aware 2007 2010-06-01 13:30 . 2007-10-03 11:10 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft 2010-05-26 20:19 . 2010-05-26 20:19 12 ----a-w- c:\windows\system32\config\systemprofile\Anwendungsdaten\vqdlkr.dat 2010-05-25 22:16 . 
2007-10-03 12:45 -------- d-----w- c:\programme\DivX 2010-05-24 10:07 . 2008-01-13 22:15 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\FileZilla 2010-05-07 08:35 . 2006-02-28 12:00 449576 ----a-w- c:\windows\system32\perfh007.dat 2010-05-07 08:35 . 2006-02-28 12:00 80388 ----a-w- c:\windows\system32\perfc007.dat 2010-05-04 09:12 . 2008-07-14 08:23 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\EPSON 2010-05-02 01:19 . 2007-10-03 12:13 -------- d-----w- c:\programme\CSVed 2010-05-02 01:18 . 2010-05-02 01:18 -------- d-----w- c:\dokumente und einstellungen\***\Anwendungsdaten\Sam Francke 2010-05-01 23:05 . 2009-03-18 11:05 -------- d-----w- c:\programme\ICQ6.5 2010-04-28 20:10 . 2010-04-29 11:27 2652672 ----a-w- c:\windows\Internet Logs\xDB1.tmp 2010-04-27 20:54 . 2008-11-07 10:57 4670490 ----a-w- c:\windows\Internet Logs\tvDebug.zip 2010-04-22 22:06 . 2007-10-03 21:48 34280 ----a-w- c:\dokumente und einstellungen\***\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT 2010-04-22 20:46 . 2010-04-22 20:46 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-04-22 20:45 . 2010-04-22 20:45 -------- d-----w- c:\programme\Java 2010-04-22 20:45 . 2010-04-22 20:45 152576 ----a-w- c:\dokumente und einstellungen\***\Anwendungsdaten\Sun\Java\jre1.6.0_17\lzma.dll 2010-04-22 20:44 . 2010-04-22 20:44 79488 ----a-w- c:\dokumente und einstellungen\***\Anwendungsdaten\Sun\Java\jre1.6.0_17\gtapi.dll 2010-04-22 15:09 . 2010-04-22 15:09 -------- d-----w- c:\programme\Microsoft Rich Tools 2010-04-19 23:29 . 2010-04-19 23:27 -------- d-----w- c:\programme\OTR-Decoder 2010-04-19 23:20 . 2010-04-19 23:14 -------- d-----w- c:\programme\Easy-Decoder . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\programme\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 65536] "Free Uploader Oe Integration"="c:\programme\Free Download Manager\FUM\fumoei.exe" [2007-06-10 40960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TPSMain"="TPSMain.exe" [2003-12-01 266240] "00THotkey"="c:\windows\system32\00THotkey.exe" [2003-05-23 253952] "000StTHK"="000StTHK.exe" [2001-06-23 24576] "Apoint"="c:\programme\Apoint2K\Apoint.exe" [2003-07-17 159744] "PadTouch"="c:\programme\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 1019904] "TouchED"="c:\programme\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 122880] "LTSMMSG"="LTSMMSG.exe" [2003-04-18 32768] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688] "TFncKy"="TFncKy.exe" [BU] "NDSTray.exe"="NDSTray.exe" [BU] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416] "FreePDF Assistant"="c:\programme\FreePDF_XP\fpassist.exe" [2007-06-26 312320] "WorksFUD"="c:\programme\Microsoft Works\wkfud.exe" [2000-07-12 24576] "Microsoft Works Portfolio"="c:\programme\Microsoft Works\WksSb.exe" [2000-07-12 311350] "Microsoft Works Update Detection"="c:\programme\Microsoft Works\WkDetect.exe" [2000-07-21 28739] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2007-06-29 286720] "Sony Ericsson PC Suite"="c:\programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384] "ussshreg"="c:\progra~1\ULEADS~1\Ussshreg.exe" [2000-04-20 32768] "D-Link AirPlus XtremeG"="c:\programme\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2006-07-07 1323008] "ANIWZCS2Service"="c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-01 49152] "NeroFilterCheck"="c:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "ZoneAlarm Client"="c:\programme\ZoneAlarm\zlclient.exe" [2007-06-21 919016] 
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\ Adobe Gamma Loader.exe.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-3 113664] Adobe Reader - Schnellstart.lnk - c:\programme\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048] Adobe Reader Synchronizer.lnk - c:\programme\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872] Erinnerungen in Microsoft Works-Kalender.lnk - c:\programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe [2000-7-12 24633] Microsoft Office.lnk - c:\programme\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Programme\\SiSoft Sandra Lite\\Win32\\RpcDataSrv.exe"= "c:\\Programme\\SiSoft Sandra Lite\\RpcSandraSrv.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"= "c:\\Programme\\ICQ6.5\\ICQ.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01.06.2010 16:36 64288] R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [02.06.2010 01:14 28552] R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [15.10.2009 01:52 108289] S2 Lavasoft Ad-Aware Service;Lavasoft 
Ad-Aware Service;c:\programme\Lavasoft\Ad-Aware\AAWService.exe [04.02.2010 17:52 1314704] S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [05.10.2007 23:40 347648] . Inhalt des "geplante Tasks" Ordners 2010-06-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:34] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\programme\Free Download Manager\FUM\fumiebtn.dll TCP: {F9CC2ECB-C3C7-41DB-A911-0A478DC44E57} = 192.168.0.1 FF - ProfilePath - c:\dokumente und einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\xyxg34vs.default\ FF - prefs.js: browser.startup.homepage - hxxp://meine.domain.de FF - component: c:\programme\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll FF - plugin: c:\programme\Mozilla Firefox\plugins\npmidas.dll FF - plugin: c:\programme\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX Richtlinien ---- c:\programme\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\programme\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\programme\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\programme\Mozilla Firefox\greprefs\security-prefs.js - 
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\programme\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\programme\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . - - - - Entfernte verwaiste Registrierungseinträge - - - - AddRemove-Renatager - e:\laptop-mr\Toshiba\Software\__Installiert\Mp3-Renatager\Mp3-Renatager 0.8.2 Build 141\uninstall.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-06-07 12:12 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*] "7040510900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL" . 
Zeit der Fertigstellung: 2010-06-07 12:17:29 ComboFix-quarantined-files.txt 2010-06-07 10:17 Vor Suchlauf: 6.902.390.784 Bytes frei Nach Suchlauf: 7.246.917.632 Bytes frei WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 28551D98AC469513D7C13DA8DF9964F1 |
07.06.2010, 11:37 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Looks ok. As a check, please run full scans with Malwarebytes and SUPERAntiSpyware and post the logs. Remember to update both tools before the scan!!
__________________ Please always post logfiles in CODE tags |
12.06.2010, 10:43 | #9 |
| So, finally done. The files Malwarebytes found are all ok. To be on the safe side I had them checked by Virustotal again anyway and briefly emptied the System Volume folder on D:. Only SUPERAntiSpyware found something else that I can't make sense of: Code:
SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 06/12/2010 at 01:45 AM

Application Version : 4.38.1004

Core Rules Database Version : 5059
Trace Rules Database Version: 2871

Scan type : Complete Scan
Total Scan Time : 20:39:57

Memory items scanned : 526
Memory threats detected : 0
Registry items scanned : 6642
Registry threats detected : 0
File items scanned : 737500
File threats detected : 1

Adware.Flash Tracking Cookie
C:\Dokumente und Einstellungen\***\Anwendungsdaten\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\V89QN8AR\BROADCAST.PIXIMEDIA.FR

Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4177

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08.06.2010 11:27:52
mbam-log-2010-06-08 (11-27-52).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Durchsuchte Objekte: 269737
Laufzeit: 1 Stunde(n), 17 Minute(n), 50 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
D:\Laptop-MR\Toshiba\Software\__Installieren\_OK\Advanced IP Address Calculator\ipcalc 1.1.exe (Trojan.Gentee) -> No action taken.
D:\Laptop-MR\Toshiba\Software\__Installieren\_OK\Advanced IP Scanner\ipscan 1.5.exe (Trojan.Gentee) -> No action taken.
D:\Laptop-MR\Toshiba\Software\__Installieren\_OK\Advanced LAN Scanner\lscan 1.0 Beta 1.exe (Trojan.Gentee) -> No action taken.
D:\Laptop-MR\Toshiba\Software\__Installieren\_OK\Advanced Port Scanner\pscan 1.3.exe (Trojan.Gentee) -> No action taken.
D:\Laptop-MR\Toshiba\Software\__Installieren\_OK\UndoReg\urinst.exe (Trojan.Gentee) -> No action taken.
D:\System Volume Information\_restore{470F9737-1AC2-4A26-A303-77A4AEE1480D}\RP251\A0034513.exe (Malware.Packer) -> No action taken. |
13.06.2010, 13:45 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Nope, that's okay, SASW only found a Flash cookie. If there are no more problems, please check the updates; here is a guide for that:

Microsoft Update
Windows XP: Visit the MS update page with IE and have all important updates installed.
Windows Vista/7: Windows Update guide

Update the PDF reader
Your Adobe Reader is not up to date, which is a major security risk. You should therefore uninstall the old version via Control Panel => Add or Remove Programs by clicking "Adobe Reader x.0" there and removing the program. I recommend an alternative PDF reader such as SumatraPDF or Foxit PDF Reader; both are much leaner and faster than Adobe Reader. While you're at it, please also check that Flash Player is up to date; here is the direct download link => http://filepony.de/?q=Flash+Player

Java update
Outdated Java installations are a security risk, so you should delete the old versions (if present) and update to the newest one. To do this, close all programs (especially the browsers), then click Start, Control Panel, Add or Remove Programs and uninstall all listed Java versions from there. Afterwards, download the current Java SE Runtime Environment (JRE) from here and install it.
__________________ Please always post logfiles in CODE tags |
21.06.2010, 17:34 | #11 |
| Just wanted to say thanks for the detailed help. Everything is up to date now, and I like Foxit better than Adobe Reader too. Many thanks & bye, Perle |