Suspected rootkit, antivirus vendor sites blocked, constant svchost.exe connects

08.08.2010, 16:22  #1
Hi, after all these years I have probably caught a trojan again and need your help to get rid of it.

System: Win XP SP3, Sygate Personal Firewall

Symptoms:
- No antivirus sites can be opened in the browser (Firefox), among them www.kaspersky.com, www.bitdefender.de, etc., and even hxxp://www.virustotal.com/ and hxxp://virusscan.jotti.org/ are blocked, i.e. "Adresse nicht gefunden" (address not found)
- Now and then connection attempts to various seemingly random IPs
- Generally somewhat sluggish

What I have done:
- HijackThis: HijackThis logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:45, on 08.08.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Programme\Sygate\SPF\Smc.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\System32\svchost.exe
C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\V0230Mon.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\gmer\gmer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home/Home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINXP\V0230Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Jana Server 2 (Janad) - Thomas Hauck, Privat - C:\Programme\Jana2\Janad.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: MagicTuneEngine - Unknown owner - C:\Programme\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\Smc.exe
O23 - Service: Messenger USN Journal Reader-Service für freigegebene Ordner (usnjsvc) - Unknown owner - C:\Programme\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Creative VF0230 RunApp Service (VF0230Srv) - Creative Technology Ltd. - C:\WINXP\system32\V0230Srv.exe

--
End of file - 3748 bytes

..but in my opinion it is clean.

- GMER: GMER logfile:
Code:
GMER 1.0.14.14536 - hxxp://www.gmer.net
Rootkit scan 2010-08-08 17:16:53
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwAllocateVirtualMemory [0xB7141B30]
SSDT            spjx.sys                                                                                                                                    ZwCreateKey [0xB7EA80E0]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwCreateThread [0xB71416F0]
SSDT            spjx.sys                                                                                                                                    ZwEnumerateKey [0xB7EC6CA2]
SSDT            spjx.sys                                                                                                                                    ZwEnumerateValueKey [0xB7EC7030]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwMapViewOfSection [0xB7141470]
SSDT            spjx.sys                                                                                                                                    ZwOpenKey [0xB7EA80C0]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwProtectVirtualMemory [0xB7141C50]
SSDT            spjx.sys                                                                                                                                    ZwQueryKey [0xB7EC7108]
SSDT            spjx.sys                                                                                                                                    ZwQueryValueKey [0xB7EC6F88]
SSDT            spjx.sys                                                                                                                                    ZwSetValueKey [0xB7EC719A]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwShutdownSystem [0xB7141990]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwTerminateProcess [0xB71418D0]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwWriteVirtualMemory [0xB7141D60]
INT 0x62        ?                                                                                                                                           8A55CBF8
INT 0x63        ?                                                                                                                                           8A2DEF00
INT 0x73        ?                                                                                                                                           8A5CFBF8
INT 0x83        ?                                                                                                                                           8A5CFBF8
INT 0xB1        ?                                                                                                                                           8A55CBF8
INT 0xB1        ?                                                                                                                                           8A5CFBF8
INT 0xB1        ?                                                                                                                                           8A5CFBF8
INT 0xB4        ?                                                                                                                                           8A2DEF00
---- Kernel code sections - GMER 1.0.14 ----
.text           ntkrnlpa.exe!KeDelayExecutionThread + 2                                                                                                     804FA86C 5 Bytes  JMP B3666AE0 \SystemRoot\System32\Drivers\rkhdrv10.SYS
PAGE            ntkrnlpa.exe!NtOpenProcess + 5                                                                                                              805CB401 5 Bytes  JMP B3666A80 \SystemRoot\System32\Drivers\rkhdrv10.SYS
?               spjx.sys                                                                                                                                    Das System kann die angegebene Datei nicht finden. !
.text           af6c9tcs.SYS                                                                                                                                B7B40384 1 Byte  [ 20 ]
.text           af6c9tcs.SYS                                                                                                                                B7B40386 35 Bytes  [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text           af6c9tcs.SYS                                                                                                                                B7B403AA 24 Bytes  [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text           af6c9tcs.SYS                                                                                                                                B7B403C4 3 Bytes  [ 00, 00, 00 ]
.text           af6c9tcs.SYS                                                                                                                                B7B403C9 1 Byte  [ 00 ]
.text           ...                                                                                                                                         
.text           USBPORT.SYS!DllUnload                                                                                                                       B7B208AC 5 Bytes  JMP 8A2DE4E0 
.text           a9tkk9gu.SYS                                                                                                                                B71F3386 35 Bytes  [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text           a9tkk9gu.SYS                                                                                                                                B71F33AA 24 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text           a9tkk9gu.SYS                                                                                                                                B71F33C4 3 Bytes  [ 00, 70, 02 ]
.text           a9tkk9gu.SYS                                                                                                                                B71F33C9 1 Byte  [ 2E ]
.text           a9tkk9gu.SYS                                                                                                                                B71F33CB 9 Bytes  [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text           ...                                                                                                                                         
.text           tcpip.sys!IPTransmit + 10FC                                                                                                                 B4962D3A 6 Bytes  CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           tcpip.sys!IPTransmit + 2A52                                                                                                                 B4964690 6 Bytes  CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           tcpip.sys!IPRegisterProtocol + 930                                                                                                          B497A454 6 Bytes  CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           wanarp.sys                                                                                                                                  B71343FD 7 Bytes  CALL B7CCFE30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
?               C:\WINXP\system32\2.tmp                                                                                                                     Das System kann die angegebene Datei nicht finden. !
---- User code sections - GMER 1.0.14 ----
.text           C:\WINXP\System32\svchost.exe[1336] ntdll.dll!NtQueryInformationProcess                                                                     7C91D7E0 5 Bytes  JMP 01959DB4 
.text           C:\WINXP\System32\svchost.exe[1336] NETAPI32.dll!NetpwPathCanonicalize                                                                      597DA3A9 5 Bytes  JMP 01959D54 
.text           C:\WINXP\system32\svchost.exe[1512] ntdll.dll!NtQueryInformationProcess                                                                     7C91D7E0 5 Bytes  JMP 00819DB4 
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                          [B7EA9040] spjx.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                  [B7EA913C] spjx.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                         [B7EA90BE] spjx.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                 [B7EA97FC] spjx.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                         [B7EA96D2] spjx.sys
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfAcquireSpinLock]                                                                        00000034
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_UCHAR]                                                                          0000008E
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KeGetCurrentIrql]                                                                         00000043
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfRaiseIrql]                                                                              00000044
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfLowerIrql]                                                                              000000C4
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!HalGetInterruptVector]                                                                    000000DE
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!HalTranslateBusAddress]                                                                   000000E9
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KeStallExecutionProcessor]                                                                000000CB
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!KfReleaseSpinLock]                                                                        00000054
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                  0000007B
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!READ_PORT_USHORT]                                                                         00000094
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                 00000032
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                                         000000A6
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[WMILIB.SYS!WmiSystemControl]                                                                      00000023
IAT             \SystemRoot\System32\Drivers\af6c9tcs.SYS[WMILIB.SYS!WmiCompleteRequest]                                                                    0000003D
IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                          [B7EB9048] spjx.sys
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfAcquireSpinLock]                                                                        C0840CEC
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_UCHAR]                                                                          053C0D74
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KeGetCurrentIrql]                                                                         57B80974
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfRaiseIrql]                                                                              8B000000
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfLowerIrql]                                                                              56C35DE5
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!HalGetInterruptVector]                                                                    8D08758B
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!HalTranslateBusAddress]                                                                   8D51FC4D
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KeStallExecutionProcessor]                                                                8D52FD55
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!KfReleaseSpinLock]                                                                        8D51FE4D
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                  8D52FF55
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!READ_PORT_USHORT]                                                                         8D51F84D
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                 5052F455
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                                         EACAE856
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[WMILIB.SYS!WmiSystemControl]                                                                      0FC08520
IAT             \SystemRoot\System32\Drivers\a9tkk9gu.SYS[WMILIB.SYS!WmiCompleteRequest]                                                                    0001B185
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter]                                                                         [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter]                                                                          [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                   [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol]                                                                     [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]                                                                    [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                                                         [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]                                                                        [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                  [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                    [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]                                                                      [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]                                                                           [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]                                                                          [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]                                                                     [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]                                                                   [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]                                                                         [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                                                          [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                                                           [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                                                            [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                                                                       [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                    [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                                                                      [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                                                                           [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                                                                          [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                                                                     [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                   [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                                                                         [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                                                                          [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- User IAT/EAT - GMER 1.0.14 ----
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress]                                                           [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]                                                  [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]                                                    [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                                                     [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                                                    [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress]                                                     [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress]                                                  [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]                                                     [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress]                                                  [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress]                                                    [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1640] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device          \FileSystem\Ntfs \Ntfs                                                                                                                      8A5CB1F8
Device          \Driver\Tcpip \Device\Ip                                                                                                                    wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\libusb0 \Device\libusb00001                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\libusb0 \Device\libusb00002                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\libusb0 \Device\libusb00003                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\libusb0 \Device\libusb00004                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                            8A2D5500
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbehci \Device\USBPDO-1                                                                                                            8A3081F8
Device          \Driver\usbehci \Device\USBPDO-1                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                   8A5CD1F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                     8A5CD1F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                        8A5CD1F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                       8A5CD1F8
Device          \Driver\usbhub \Device\USBPDO-2                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbhub \Device\USBPDO-3                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Tcpip \Device\Tcp                                                                                                                   wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\usbhub \Device\USBPDO-5                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbhub \Device\000000a2                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                      8A55D1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\sptd \Device\4154638052                                                                                                             spjx.sys
Device          \Driver\usbhub \Device\000000a3                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                      8A55D1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                8A26C500
Device          \Driver\HidUsb \Device\000000b0                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                      8A55D1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                8A26C500
Device          \Driver\PCI_PNP9302 \Device\00000073                                                                                                        spjx.sys
Device          \Driver\HidUsb \Device\000000b1                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\HarddiskVolume4                                                                                                      8A55D1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume4                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\Cdrom \Device\CdRom2                                                                                                                8A26C500
Device          \Driver\PCI_PNP9302 \Device\00000074                                                                                                        spjx.sys
Device          \Driver\Ftdisk \Device\HarddiskVolume5                                                                                                      8A55D1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume5                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\Cdrom \Device\CdRom3                                                                                                                8A26C500
Device          \Driver\PCI_PNP9302 \Device\00000075                                                                                                        spjx.sys
Device          \Driver\usbccgp \Device\000000a7                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\NetBT \Device\NetBT_Tcpip_{2AD7F161-852C-4CC4-B375-F5B658583059}                                                                    89CAB390
Device          \Driver\Ftdisk \Device\HarddiskVolume6                                                                                                      8A55D1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume6                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\Cdrom \Device\CdRom4                                                                                                                8A26C500
Device          \Driver\usbccgp \Device\000000a8                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Cdrom \Device\CdRom5                                                                                                                8A26C500
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                     89CAB390
Device          \Driver\USBSTOR \Device\000000a9                                                                                                            89F0C1F8
Device          \Driver\USBSTOR \Device\000000a9                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Cdrom \Device\CdRom6                                                                                                                8A26C500
Device          \Driver\Cdrom \Device\CdRom7                                                                                                                8A26C500
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                            89CAB390
Device          \Driver\sptd \Device\4154794302                                                                                                             spjx.sys
Device          \Driver\Tcpip \Device\Udp                                                                                                                   wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\Tcpip \Device\RawIp                                                                                                                 wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\usbohci \Device\USBFDO-0                                                                                                            8A2D5500
Device          \Driver\usbohci \Device\USBFDO-0                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbehci \Device\USBFDO-1                                                                                                            8A3081F8
Device          \Driver\usbehci \Device\USBFDO-1                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                           88F251F8
Device          \Driver\Tcpip \Device\IPMULTICAST                                                                                                           wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\USBSTOR \Device\000000ad                                                                                                            89F0C1F8
Device          \Driver\USBSTOR \Device\000000ad                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                 88F251F8
Device          \Driver\HidUsb \Device\000000af                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\FtControl                                                                                                            8A55D1F8
Device          \Driver\af6c9tcs \Device\Scsi\af6c9tcs1Port6Path0Target0Lun0                                                                                8A2D6500
Device          \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1                                                                                                     8A246500
Device          \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target2Lun0                                                                                8A246500
Device          \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target0Lun0                                                                                8A246500
Device          \Driver\nvgts \Device\Scsi\nvgts2Port4Path0Target0Lun0                                                                                      8A5CC1F8
Device          \Driver\nvgts \Device\Scsi\nvgts1Port3Path1Target1Lun0                                                                                      8A5CC1F8
Device          \Driver\nvgts \Device\Scsi\nvgts1                                                                                                           8A5CC1F8
Device          \Driver\nvgts \Device\Scsi\nvgts2                                                                                                           8A5CC1F8
Device          \Driver\af6c9tcs \Device\Scsi\af6c9tcs1                                                                                                     8A2D6500
Device          \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target1Lun0                                                                                8A246500
Device          \Driver\a9tkk9gu \Device\Scsi\a9tkk9gu1Port5Path0Target3Lun0                                                                                8A246500
Device          \Driver\nvgts \Device\Scsi\nvgts1Port3Path0Target0Lun0                                                                                      8A5CC1F8
Device          \FileSystem\Cdfs \Cdfs                                                                                                                      87E861F8
---- Services - GMER 1.0.14 ----
Service         C:\WINXP\system32\svchost.exe (*** hidden *** )                                                                                             [AUTO] fwatk                                                                                                               <-- ROOTKIT !!!
Service         C:\Programme\NVIDIA (*** hidden *** )                                                                                                       [AUTO] nTuneService                                                                                                        <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@DisplayName                                                                                    Windows Monitor
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Type                                                                                           32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Start                                                                                          2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ErrorControl                                                                                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath                                                                                      %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ObjectName                                                                                     LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@Description                                                                                    Erstellt eine Verbindung zu einem Remotenetzwerk, wenn ein Programm eine Remote-DNS- oder -NetBIOS-Adresse referenziert.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters                                                                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll                                                                          C:\WINXP\system32\dgmqdvl.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                          -1556605242
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                          -822666141
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                          2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                         C:\Programme\DAEMON Tools Pro\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                         1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                      0x7B 0x59 0x19 0x5D ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                             0x6F 0x64 0xFF 0x71 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                        0x95 0x08 0x39 0xAC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002                                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12                                             0xEF 0x7A 0x2A 0x18 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0                                                0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12                                        0xF8 0xDD 0x37 0xD9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12                                        0xC0 0x10 0x5C 0xB7 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                      0xE8 0x9D 0x99 0x9A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                         C:\Programme\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                             0x44 0x43 0xB8 0x40 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                       0x9B 0x02 0x54 0xD9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                       0x0C 0xEC 0xA8 0xCE ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                                       0x0C 0xEC 0xA8 0xCE ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                                       0x0C 0xEC 0xA8 0xCE ...
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs                                                                      
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                          15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                             10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                           yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                                          
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                          90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                            10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs                                                                  1
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}                             
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laghfdgnoplmdoikmjlfckjj    0x64 0x62 0x61 0x6F ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@maihobkjbcbjfgcbjgmmcjhmca  0x64 0x61 0x61 0x6F ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laihobkjbcbjfgcbphcldgbn    0x64 0x62 0x61 0x6F ...
---- EOF - GMER 1.0.14 ----
where the following entries were highlighted in red: Quote: 
so the problem is probably here: Quote: 
Also, the file "dgmqdvl.dll" cannot be found. How should I proceed? Regards, Pete | 
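An added example (not code from the thread, from GMER or from any tool named in it): a Python triage helper that parses the Services and Registry sections of a GMER log like the one above, picks out the services GMER marks as hidden, and joins each with the ImagePath and Parameters\ServiceDll recorded for it, so a hidden svchost-hosted service whose DLL cannot be found (the fwatk / dgmqdvl.dll entries here) is flagged automatically. The embedded sample log is a constructed excerpt of the lines quoted above, and the `dll_exists` callback stands in for the on-disk check you would run on the examined machine.

```python
"""Triage helper for GMER logs (added example, not from the thread or from GMER).

Parses the Services and Registry sections of a GMER text log, picks out the
services GMER marks as hidden and joins them with the ImagePath and
Parameters\\ServiceDll recorded for them in the Reg lines of the same log.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed excerpt: lines copied from the GMER log quoted in the post,
# unrelated entries dropped; columns are padded with runs of spaces as GMER prints them.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.14 ----
Service         C:\WINXP\system32\svchost.exe (*** hidden *** )      [AUTO] fwatk          <-- ROOTKIT !!!
Service         C:\Programme\NVIDIA (*** hidden *** )                [AUTO] nTuneService   <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk@ImagePath                %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters
Reg             HKLM\SYSTEM\CurrentControlSet\Services\fwatk\Parameters@ServiceDll    C:\WINXP\system32\dgmqdvl.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
---- EOF - GMER 1.0.14 ----
"""

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
# Service <image> (<flags>) [<start>] <name> [<-- note]
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+"
    r"\[(?P<start>[A-Z_]+)\]\s+(?P<name>\S+)(?:\s+<--\s*(?P<note>.*))?$")
Registry = Dict[str, Dict[str, str]]  # lowercased key -> {lowercased value name: data}


@dataclass
class ServiceEntry:
    name: str
    image: str    # path as GMER prints it (GMER cuts it at the first space)
    hidden: bool  # "*** hidden ***": present in the registry, absent from the SCM list


@dataclass
class HiddenServiceFinding:
    name: str
    image_path: Optional[str]
    service_dll: Optional[str]
    svchost_group: Optional[str]  # e.g. "netsvcs"; None if not svchost-hosted
    dll_on_disk: Optional[bool]   # None when no disk check was supplied

    @property
    def suspicious(self) -> bool:
        # Hidden *and* hosted by svchost.exe (or with a ServiceDll that is
        # missing from disk) is the DLL-service pattern GMER flags as ROOTKIT.
        return self.svchost_group is not None or self.dll_on_disk is False


def parse_gmer_log(text: str) -> Tuple[List[ServiceEntry], Registry]:
    services: List[ServiceEntry] = []
    registry: Registry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Service "):
            m = SERVICE_RE.match(line)
            if m:
                services.append(ServiceEntry(m["name"], m["image"], "hidden" in m["flags"]))
        elif line.startswith("Reg "):
            # Columns are separated by 2+ spaces; a key itself may contain one
            # space ("Windows NT"), so split on the padding, not on any space.
            parts = re.split(r"\s{2,}", line, maxsplit=2)
            keyval, data = parts[1], (parts[2] if len(parts) > 2 else "")
            key, _, value = keyval.rpartition("@") if "@" in keyval else (keyval, "", "")
            bucket = registry.setdefault(key.lower(), {})
            if value:
                bucket[value.lower()] = data
    return services, registry


def triage_hidden_services(services: List[ServiceEntry], registry: Registry,
                           dll_exists: Optional[Callable[[str], bool]] = None) -> List[HiddenServiceFinding]:
    """dll_exists is the on-disk check to run on the examined machine (e.g. os.path.exists)."""
    findings = []
    for svc in services:
        if not svc.hidden:
            continue
        base = f"{SERVICES_KEY}\\{svc.name}".lower()
        image_path = registry.get(base, {}).get("imagepath")
        dll = registry.get(base + r"\parameters", {}).get("servicedll")
        group = None
        if image_path:
            exe = re.match(r'\s*"?(?P<exe>.*?\.exe)"?', image_path, re.I)
            if exe and ntpath.basename(exe["exe"]).lower() == "svchost.exe":
                g = re.search(r"-k\s+(\S+)", image_path)
                group = g.group(1) if g else ""
        on_disk = dll_exists(dll) if (dll and dll_exists) else None
        findings.append(HiddenServiceFinding(svc.name, image_path, dll, group, on_disk))
    return findings


if __name__ == "__main__":
    svcs, reg = parse_gmer_log(SAMPLE_LOG)
    # the lambda emulates the thread's observation that dgmqdvl.dll is not on disk
    for f in triage_hidden_services(svcs, reg, dll_exists=lambda path: False):
        print("SUSPICIOUS" if f.suspicious else "review    ", f.name, f.image_path,
              f.service_dll, f.svchost_group, f.dll_on_disk)
```

On the examined machine, pass `os.path.exists` (or a check against a mounted offline image) as `dll_exists`; the NVIDIA entry that GMER also marks hidden has no svchost/ServiceDll configuration and is left for manual review rather than flagged.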
|  08.08.2010, 16:32 | #2 | 
| /// Malware-holic | Please create and post a ComboFix log. __________________ A guide and tutorial on using ComboFix | 
|  08.08.2010, 18:12 | #3 | 
|  | What I did: __________________ Downloaded ComboFix. Ran ComboFix, clicked "yes". A message appears saying AVG AntiVir is active, which is not the case; only a disabled service is listed in the Services console. Clicked OK -> another window saying AVG is still active, run anyway -> clicked OK -> nothing. ComboFix.exe is no longer even visible in memory. Tried to uninstall AVG 8.0 -> failed. Tried to start ComboFix again -> same as before. Ideas? | 
|  08.08.2010, 18:26 | #4 | 
| /// Malware-holic | Can you try it in Safe Mode? That should be the F8 key when the PC starts. | 
|  08.08.2010, 21:10 | #5 | 
|  | Exactly the same thing happens in Safe Mode. In the meantime I have tried to remove AVG with AVG Remover [1]; going by the log it did remove quite a bit, but unfortunately, when running ComboFix, the message that AVG is running still appears. [1] hxxp://www.computerbild.de/download/AVG-Remover-4324307.html Also, Task Manager closes when ComboFix is run, and many processes start and terminate in quick succession; I kept an eye on that. Last edited by GoodFella (08.08.2010 at 21:28) | 
|  08.08.2010, 21:46 | #6 | ||
|  | I remembered that I had a similar problem once before and copied the procedure from back then, see here: http://www.trojaner-board.de/69512-v...blockiert.html So I used Avenger with the following script: Quote: 
Quote: 
GMER says the following: GMER Logfile: Code: 
GMER 1.0.14.14536 - hxxp://www.gmer.net
Rootkit scan 2010-08-08 22:42:06
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwAllocateVirtualMemory [0xB82BAB30]
SSDT            spkk.sys                                                                                                                                    ZwCreateKey [0xB7EA80E0]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwCreateThread [0xB82BA6F0]
SSDT            spkk.sys                                                                                                                                    ZwEnumerateKey [0xB7EC6CA2]
SSDT            spkk.sys                                                                                                                                    ZwEnumerateValueKey [0xB7EC7030]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwMapViewOfSection [0xB82BA470]
SSDT            spkk.sys                                                                                                                                    ZwOpenKey [0xB7EA80C0]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwProtectVirtualMemory [0xB82BAC50]
SSDT            spkk.sys                                                                                                                                    ZwQueryKey [0xB7EC7108]
SSDT            spkk.sys                                                                                                                                    ZwQueryValueKey [0xB7EC6F88]
SSDT            spkk.sys                                                                                                                                    ZwSetValueKey [0xB7EC719A]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwShutdownSystem [0xB82BA990]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwTerminateProcess [0xB82BA8D0]
SSDT            \??\C:\WINXP\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                                                             ZwWriteVirtualMemory [0xB82BAD60]
INT 0x62        ?                                                                                                                                           8A5CCBF8
INT 0x63        ?                                                                                                                                           8A2DEF00
INT 0x73        ?                                                                                                                                           8A55FBF8
INT 0x83        ?                                                                                                                                           8A55FBF8
INT 0xB1        ?                                                                                                                                           8A5CCBF8
INT 0xB1        ?                                                                                                                                           8A55FBF8
INT 0xB1        ?                                                                                                                                           8A55FBF8
INT 0xB4        ?                                                                                                                                           8A2DEF00
---- Kernel code sections - GMER 1.0.14 ----
?               rfvttg.sys                                                                                                                                  Das System kann die angegebene Datei nicht finden. !
?               spkk.sys                                                                                                                                    Das System kann die angegebene Datei nicht finden. !
.text           acd3hc2y.SYS                                                                                                                                B7B40384 1 Byte  [ 20 ]
.text           acd3hc2y.SYS                                                                                                                                B7B40386 35 Bytes  [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text           acd3hc2y.SYS                                                                                                                                B7B403AA 24 Bytes  [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text           acd3hc2y.SYS                                                                                                                                B7B403C4 3 Bytes  [ 00, 00, 00 ]
.text           acd3hc2y.SYS                                                                                                                                B7B403C9 1 Byte  [ 00 ]
.text           ...                                                                                                                                         
.text           USBPORT.SYS!DllUnload                                                                                                                       B7B208AC 5 Bytes  JMP 8A2DE4E0 
.text           agki3jfh.SYS                                                                                                                                B71F3386 35 Bytes  [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text           agki3jfh.SYS                                                                                                                                B71F33AA 24 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text           agki3jfh.SYS                                                                                                                                B71F33C4 3 Bytes  [ 00, 70, 02 ]
.text           agki3jfh.SYS                                                                                                                                B71F33C9 1 Byte  [ 2E ]
.text           agki3jfh.SYS                                                                                                                                B71F33CB 9 Bytes  [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text           ...                                                                                                                                         
.text           tcpip.sys!IPTransmit + 10FC                                                                                                                 B4962D3A 6 Bytes  CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           tcpip.sys!IPTransmit + 2A52                                                                                                                 B4964690 6 Bytes  CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           tcpip.sys!IPRegisterProtocol + 930                                                                                                          B497A454 6 Bytes  CALL B7CCFCE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           wanarp.sys                                                                                                                                  B82CD3FD 4 Bytes  CALL B7CCFE30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           wanarp.sys                                                                                                                                  B82CD402 2 Bytes  [ 90, 90 ]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                          [B7EA9040] spkk.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                  [B7EA913C] spkk.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                         [B7EA90BE] spkk.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                 [B7EA97FC] spkk.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                         [B7EA96D2] spkk.sys
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfAcquireSpinLock]                                                                        00000034
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!READ_PORT_UCHAR]                                                                          0000008E
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KeGetCurrentIrql]                                                                         00000043
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfRaiseIrql]                                                                              00000044
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfLowerIrql]                                                                              000000C4
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!HalGetInterruptVector]                                                                    000000DE
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!HalTranslateBusAddress]                                                                   000000E9
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KeStallExecutionProcessor]                                                                000000CB
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!KfReleaseSpinLock]                                                                        00000054
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                  0000007B
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!READ_PORT_USHORT]                                                                         00000094
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                 00000032
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                                         000000A6
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[WMILIB.SYS!WmiSystemControl]                                                                      00000023
IAT             \SystemRoot\System32\Drivers\acd3hc2y.SYS[WMILIB.SYS!WmiCompleteRequest]                                                                    0000003D
IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                          [B7EB9048] spkk.sys
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfAcquireSpinLock]                                                                        C0840CEC
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!READ_PORT_UCHAR]                                                                          053C0D74
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KeGetCurrentIrql]                                                                         57B80974
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfRaiseIrql]                                                                              8B000000
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfLowerIrql]                                                                              56C35DE5
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!HalGetInterruptVector]                                                                    8D08758B
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!HalTranslateBusAddress]                                                                   8D51FC4D
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KeStallExecutionProcessor]                                                                8D52FD55
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!KfReleaseSpinLock]                                                                        8D51FE4D
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                  8D52FF55
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!READ_PORT_USHORT]                                                                         8D51F84D
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                 5052F455
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                                         EACAE856
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[WMILIB.SYS!WmiSystemControl]                                                                      0FC08520
IAT             \SystemRoot\System32\Drivers\agki3jfh.SYS[WMILIB.SYS!WmiCompleteRequest]                                                                    0001B185
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter]                                                                         [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter]                                                                          [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                   [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol]                                                                     [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]                                                                    [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                                                         [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]                                                                        [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                  [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                    [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]                                                                      [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]                                                                           [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]                                                                          [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]                                                                     [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]                                                                   [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]                                                                         [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                                                          [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                                                           [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                                                            [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                                                                       [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                    [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                                                                      [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                                                                           [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                                                                          [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                                                                     [B7CD0760] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                   [B7CD0970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                                                                         [B7CD0AD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                                                                          [B7CD0A30] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- User IAT/EAT - GMER 1.0.14 ----
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress]                                                           [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]                                                  [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]                                                    [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                                                     [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                                                    [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress]                                                     [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress]                                                  [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]                                                     [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress]                                                  [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress]                                                    [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT             C:\WINXP\Explorer.EXE[1872] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress]                                                   [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device          \FileSystem\Ntfs \Ntfs                                                                                                                      8A55B1F8
Device          \Driver\Tcpip \Device\Ip                                                                                                                    wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\libusb0 \Device\libusb00001                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\libusb0 \Device\libusb00002                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\sptd \Device\2806207844                                                                                                             spkk.sys
Device          \Driver\libusb0 \Device\libusb00003                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\libusb0 \Device\libusb00004                                                                                                         USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                            8A2701F8
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                   8A55D1F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                     8A55D1F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                        8A55D1F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                       8A55D1F8
Device          \Driver\usbehci \Device\USBPDO-1                                                                                                            8A2641F8
Device          \Driver\usbehci \Device\USBPDO-1                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbhub \Device\USBPDO-2                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbhub \Device\USBPDO-3                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Tcpip \Device\Tcp                                                                                                                   wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\usbhub \Device\USBPDO-5                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                      8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\usbhub \Device\000000a3                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                8A2541F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                      8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\HidUsb \Device\000000b0                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbhub \Device\000000a4                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                8A2541F8
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                      8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\HidUsb \Device\000000b1                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Cdrom \Device\CdRom2                                                                                                                8A2541F8
Device          \Driver\Ftdisk \Device\HarddiskVolume4                                                                                                      8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume4                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\HidUsb \Device\000000b2                                                                                                             USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\PCI_PNP9094 \Device\00000074                                                                                                        spkk.sys
Device          \Driver\Cdrom \Device\CdRom3                                                                                                                8A2541F8
Device          \Driver\Ftdisk \Device\HarddiskVolume5                                                                                                      8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume5                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\PCI_PNP9094 \Device\00000075                                                                                                        spkk.sys
Device          \Driver\NetBT \Device\NetBT_Tcpip_{2AD7F161-852C-4CC4-B375-F5B658583059}                                                                    8900D500
Device          \Driver\Cdrom \Device\CdRom4                                                                                                                8A2541F8
Device          \Driver\Ftdisk \Device\HarddiskVolume6                                                                                                      8A5CD1F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume6                                                                                                      snapman.sys (Acronis Snapshot API/Acronis)
Device          \Driver\usbccgp \Device\000000a8                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\PCI_PNP9094 \Device\00000076                                                                                                        spkk.sys
Device          \Driver\Cdrom \Device\CdRom5                                                                                                                8A2541F8
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                     8900D500
Device          \Driver\usbccgp \Device\000000a9                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Cdrom \Device\CdRom6                                                                                                                8A2541F8
Device          \Driver\Cdrom \Device\CdRom7                                                                                                                8A2541F8
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                            8900D500
Device          \Driver\Tcpip \Device\Udp                                                                                                                   wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\Tcpip \Device\RawIp                                                                                                                 wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\USBSTOR \Device\000000aa                                                                                                            88EF4500
Device          \Driver\USBSTOR \Device\000000aa                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbohci \Device\USBFDO-0                                                                                                            8A2701F8
Device          \Driver\usbohci \Device\USBFDO-0                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\usbehci \Device\USBFDO-1                                                                                                            8A2641F8
Device          \Driver\usbehci \Device\USBFDO-1                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                           88F231F8
Device          \Driver\Tcpip \Device\IPMULTICAST                                                                                                           wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                 88F231F8
Device          \Driver\USBSTOR \Device\000000ae                                                                                                            88EF4500
Device          \Driver\USBSTOR \Device\000000ae                                                                                                            USBlyzer.sys (USBlyzer Capture Driver/usblyzer.com)
Device          \Driver\Ftdisk \Device\FtControl                                                                                                            8A5CD1F8
Device          \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target0Lun0                                                                                8A245500
Device          \Driver\acd3hc2y \Device\Scsi\acd3hc2y1                                                                                                     8A5CA1F8
Device          \Driver\acd3hc2y \Device\Scsi\acd3hc2y1Port6Path0Target0Lun0                                                                                8A5CA1F8
Device          \Driver\nvgts \Device\Scsi\nvgts2Port4Path0Target0Lun0                                                                                      8A55C1F8
Device          \Driver\agki3jfh \Device\Scsi\agki3jfh1                                                                                                     8A245500
Device          \Driver\nvgts \Device\Scsi\nvgts1Port3Path1Target1Lun0                                                                                      8A55C1F8
Device          \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target2Lun0                                                                                8A245500
Device          \Driver\nvgts \Device\Scsi\nvgts1                                                                                                           8A55C1F8
Device          \Driver\nvgts \Device\Scsi\nvgts2                                                                                                           8A55C1F8
Device          \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target3Lun0                                                                                8A245500
Device          \Driver\agki3jfh \Device\Scsi\agki3jfh1Port5Path0Target1Lun0                                                                                8A245500
Device          \Driver\nvgts \Device\Scsi\nvgts1Port3Path0Target0Lun0                                                                                      8A55C1F8
Device          \Driver\sptd \Device\2806364094                                                                                                             spkk.sys
Device          \FileSystem\Cdfs \Cdfs                                                                                                                      87EA71F8
---- Services - GMER 1.0.14 ----
Service         C:\Programme\NVIDIA (*** hidden *** )                                                                                                       [AUTO] nTuneService                                                                    <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                          -1556605242
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                          -822666141
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                          2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                         C:\Programme\DAEMON Tools Pro\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                         1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                      0x7B 0x59 0x19 0x5D ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                             0x6F 0x64 0xFF 0x71 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                        0x95 0x08 0x39 0xAC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002                                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12                                             0xEF 0x7A 0x2A 0x18 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0                                                0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12                                        0xF8 0xDD 0x37 0xD9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12                                        0xC0 0x10 0x5C 0xB7 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                      0xE8 0x9D 0x99 0x9A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                         C:\Programme\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                             0x44 0x43 0xB8 0x40 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                       0x9B 0x02 0x54 0xD9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                       0x0C 0xEC 0xA8 0xCE ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                                       0x0C 0xEC 0xA8 0xCE ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                                       0x0C 0xEC 0xA8 0xCE ...
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs                                                                      
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                          15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                             10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                           yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                                          
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                          90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                            10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs                                                                  1
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}                             
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laghfdgnoplmdoikmjlfckjj    0x64 0x62 0x61 0x6F ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@maihobkjbcbjfgcbjgmmcjhmca  0x64 0x61 0x61 0x6F ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FEFE5DA-A060-3A28-BC58-423BD3BC8E9C}@laihobkjbcbjfgcbphcldgbn    0x64 0x62 0x61 0x6F ...
---- EOF - GMER 1.0.14 ----
..so the suspicious driver and the file are gone ^^ What else can I do now to get ComboFix running or to get rid of AVG? Unfortunately all the antivirus sites are still unreachable, i.e. something has survived. I checked the hosts file, nothing unusual. I hope you forgive my taking the initiative on my own. Regards, Pete
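The GMER log above carries the markers a helper on this board looks for first: an object GMER itself labels "*** hidden ***" with a "<-- ROOTKIT !!!" verdict, driver names that look machine-generated, and the AppInit_DLLs / LoadAppInit_DLLs pair under Windows NT\CurrentVersion\Windows. As an added example, not part of this thread and not GMER's own tooling, here is a small Python triage script that parses lines in the GMER 1.0.14 layout and reports those markers. The log lines in the script are a constructed sample modelled on the format shown in the thread, not the full log, and the "random-looking driver name" heuristic is an assumption of this example that can also hit legitimate drivers, so it is reported for review rather than as a verdict.

```python
"""Triage a GMER 1.0.14 text log for the markers that matter most.

Added example, not part of the forum thread and not GMER's own code.
The log lines below are a constructed sample in GMER 1.0.14 layout;
the thresholds and the name heuristic are assumptions of this example.
"""
import re

# Constructed sample: a handful of lines laid out like a GMER 1.0.14 log
SAMPLE_LOG_LINES = [
    "---- Devices - GMER 1.0.14 ----",
    r"Device          \Driver\nvgts \Device\Scsi\nvgts1                         8A55C1F8",
    r"Device          \Driver\agki3jfh \Device\Scsi\agki3jfh1                   8A245500",
    r"Device          \Driver\sptd \Device\2806364094                           spkk.sys",
    "---- Services - GMER 1.0.14 ----",
    r"Service         C:\Programme\NVIDIA (*** hidden *** )                     [AUTO] nTuneService     <-- ROOTKIT !!!",
    "---- Registry - GMER 1.0.14 ----",
    r"Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs",
    r"Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs    1",
    "---- EOF - GMER 1.0.14 ----",
]

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
DRIVER_RE = re.compile(r"\\Driver\\([A-Za-z0-9_]+)")
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs"
LOADAPPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs"


def parse_gmer(lines):
    """Yield (section, kind, fields) per entry line.

    GMER separates columns with runs of spaces, so fields are split on
    two or more spaces; single spaces inside a path ("Windows NT") survive.
    """
    section = None
    for raw in lines:
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        yield section, fields[0], fields[1:]


def looks_random(name):
    """Heuristic (assumption of this example): a driver name of 6+ chars that
    mixes letters and digits is worth a second look. Legitimate drivers can
    match too, so callers report this as 'review', never as a verdict."""
    return (len(name) >= 6
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(lines):
    """Return a list of (severity, kind, evidence) findings for a GMER log."""
    findings = []
    registry = {}
    seen_drivers = set()
    for _section, kind, fields in parse_gmer(lines):
        joined = "  ".join(fields)
        # GMER's own hidden-object marker, e.g. a service that the service
        # control manager does not show but the raw registry does
        if "*** hidden ***" in joined:
            findings.append(("high", "hidden_" + kind.lower(), joined))
        # GMER's explicit verdict suffix
        if "<-- ROOTKIT" in joined:
            findings.append(("high", "gmer_rootkit_verdict", joined))
        if kind == "Device":
            for drv in DRIVER_RE.findall(joined):
                if drv not in seen_drivers and looks_random(drv):
                    seen_drivers.add(drv)
                    findings.append(("review", "random_driver_name", drv))
        if kind == "Reg" and fields:
            # value column is absent when the value is empty
            registry[fields[0]] = fields[1] if len(fields) > 1 else ""
    # AppInit DLL injection only matters when a DLL is listed AND loading is on
    appinit = registry.get(APPINIT_KEY, "")
    if appinit and registry.get(LOADAPPINIT_KEY, "0") == "1":
        findings.append(("high", "appinit_dll_loading", appinit))
    return findings


if __name__ == "__main__":
    for severity, kind, evidence in triage(SAMPLE_LOG_LINES):
        print(f"[{severity:6}] {kind}: {evidence}")
```

On the sample the script reports the hidden nTuneService entry twice (once for the hidden marker, once for GMER's verdict), puts the agki3jfh driver name up for review, and stays quiet on AppInit_DLLs because that value is empty even though LoadAppInit_DLLs is 1, which is exactly the situation in the log above.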
09.08.2010, 11:19 | #7 | /// Malware-holic

Try it again now. And you should give some thought to your security concept; if you infect yourself twice with the same malware, something is not right there.
21.08.2010, 20:01 | #8

Hi, ComboFix doesn't work, no matter what I do. But I have a success to report: my system was actually clean, but every day after gaming it was infected again. I then had all the affected files checked via VirusTotal and, lo and behold, the Warcraft III HP View Helper was a trojan downloader. Deleted it, and since then I have had no more problems. Thanks for your time.