Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 16.08.2010, 08:45   #1
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Hallo,

ich bekomme folgenden Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys über Malwarebytes nicht gelöscht. Über Eure Hilfe wäre ich sehr dankbar!

Anbei die entsprechenden Logfiles:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4434

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16.08.2010 08:28:20
mbam-log-2010-08-16 (08-28-20).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 135462
Laufzeit: 25 Minute(n), 15 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Rootkit.Agent) -> No action taken.


OTLOTL Logfile:
Code:
ATTFilter
OTL logfile created on: 16.08.2010 07:03:38 - Run 2
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Dokumente und Einstellungen\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
511,00 Mb Total Physical Memory | 50,00 Mb Available Physical Memory | 10,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 37,25 Gb Total Space | 18,67 Gb Free Space | 50,12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: GAL-0GHQ06EMM55
Current User Name: Administrator
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe ()
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Live Toolbar\msn_sl.exe (Microsoft Corporation)
PRC - C:\Programme\Mindjet\MindManager 6\MmReminderService.exe (Mindjet)
PRC - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
PRC - C:\Programme\WinZip\WZQKPICK.EXE (WinZip Computing LP)
PRC - C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe (H+BEDV Datentechnik GmbH)
PRC - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE.EXE (SEIKO EPSON CORPORATION)
PRC - C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe (Tracker Software Products Ltd.)
PRC - C:\WINDOWS\twain_32\SlimU2\HotKey.Exe (Pmx. Electronics Ltd.)
PRC - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Apple Mobile Device) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (WLSetupSvc) -- C:\Programme\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (AntiVirScheduler) -- C:\Programme\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
SRV - (IDriverT) -- C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (CVPND) -- C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC)
DRV - (rtl8139) NT-Treiber für Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek Semiconductor Corporation)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys ()
DRV - (WBSD) Winbond Secure Digital Storage (SD/MMC) -- C:\WINDOWS\system32\drivers\wbsd.sys (Winbond Electronics Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (w70n51) Intel(R) -- C:\WINDOWS\system32\drivers\w70n51.sys (Intel® Corporation)
DRV - (OVT511Plus) -- C:\WINDOWS\system32\drivers\omcamvid.sys (OmniVision Technologies, Inc.)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.google.com/ie
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010.03.09 22:10:36 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2002.08.29 22:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (CmjBrowserHelperObject Object) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll (Mindjet)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe (H+BEDV Datentechnik GmbH)
O4 - HKLM..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [HotKey] C:\WINDOWS\twain_32\SlimU2\HotKey.Exe (Pmx. Electronics Ltd.)
O4 - HKLM..\Run: [MMReminderService] C:\Programme\Mindjet\MindManager 6\MmReminderService.exe (Mindjet)
O4 - HKLM..\Run: [pdfSaver3]  File not found
O4 - HKLM..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [MsnMsgr] C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe File not found
O4 - HKCU..\Run: [pdfSaver3] C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe (Tracker Software Products Ltd.)
O4 - HKCU..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk = C:\Programme\Yahoo!\Widgets\YahooWidgets.exe File not found
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\t@x aktuell.lnk = C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe ()
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VPN Client.lnk = C:\WINDOWS\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Programme\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Digest - C:\Programme\NeuroPower\Digest2005\NPDigest.htm.ie ()
O8 - Extra context menu item: Google Sidewiki... - C:\Programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll (Mindjet)
O9 - Extra Button: Digest - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Programme\NeuroPower\Digest2005\Iereg.exe ()
O9 - Extra 'Tools' menuitem : Digest - {F9341940-7640-4157-9C5C-7D86B7449E20} - C:\Programme\NeuroPower\Digest2005\Iereg.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Programme\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKCU\..Trusted Domains:   ([]msn in My Computer)
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} hxxp://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab (RdxIE Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab (IPSUploader4 Control)
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab (IPSUploader4 Control)
O16 - DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_10)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.05.06 20:12:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{fd8ee1e0-be6c-11db-8f74-00042371d4f1}\Shell - "" = AutoRun
O33 - MountPoints2\{fd8ee1e0-be6c-11db-8f74-00042371d4f1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fd8ee1e0-be6c-11db-8f74-00042371d4f1}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.08.15 22:38:10 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Malwarebytes
[2010.08.15 22:37:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.08.15 22:37:44 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
[2010.08.15 22:37:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.08.15 22:37:42 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.08.15 22:37:00 | 006,153,648 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Dokumente und Einstellungen\Administrator\Desktop\mbam-setup.exe
[2010.08.15 22:33:00 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe
[2010.08.15 22:20:37 | 000,057,344 | ---- | C] (H+BEDV Datentechnik GmbH) -- C:\WINDOWS\System32\avsda.dll
[2010.08.15 22:20:34 | 000,000,000 | ---D | C] -- C:\Programme\AntiVir PersonalEdition Classic
[2010.08.15 22:20:34 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
[2010.08.15 22:19:03 | 066,950,544 | ---- | C] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\mpam-fe.exe
[2010.08.15 22:14:33 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010.08.13 16:58:11 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010.08.16 07:19:06 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\lpvmtsvd.sys
[2010.08.16 07:16:17 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\Auf Updates für Windows Live Toolbar prüfen.job
[2010.08.16 07:00:20 | 000,002,423 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VPN Client.lnk
[2010.08.16 06:59:13 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.08.16 06:59:09 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010.08.16 06:59:04 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010.08.16 06:59:03 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job
[2010.08.16 06:58:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.08.16 06:58:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.08.16 06:56:47 | 008,912,896 | -H-- | M] () -- C:\Dokumente und Einstellungen\Administrator\NTUSER.DAT
[2010.08.16 06:56:47 | 000,000,300 | -HS- | M] () -- C:\Dokumente und Einstellungen\Administrator\ntuser.ini
[2010.08.16 06:55:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010.08.15 22:39:50 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job
[2010.08.15 22:37:56 | 000,000,676 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.15 22:37:05 | 006,153,648 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Dokumente und Einstellungen\Administrator\Desktop\mbam-setup.exe
[2010.08.15 22:33:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Administrator\Desktop\OTL.exe
[2010.08.15 22:20:43 | 000,001,719 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\AntiVir PE Classic.lnk
[2010.08.15 22:19:17 | 066,950,544 | ---- | M] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\mpam-fe.exe
[2010.08.15 16:36:45 | 000,000,558 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Administrator.job
[2010.08.15 15:43:31 | 000,463,354 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.08.15 15:43:31 | 000,444,820 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.08.15 15:43:31 | 000,072,696 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.08.15 15:43:30 | 000,086,198 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.08.15 15:43:24 | 001,074,600 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.08.15 15:26:46 | 000,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.08.13 17:11:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010.08.13 17:08:39 | 000,000,664 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.08.13 16:54:18 | 000,000,186 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010.08.02 21:43:54 | 000,055,907 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Impfkalender.pdf
[2010.07.30 19:53:16 | 000,872,960 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Zukunft der Krankenhäuser.ppt
[2010.07.29 21:36:26 | 001,094,486 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Hammer Unterlagen.pdf
[2010.07.29 21:20:57 | 001,172,992 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Katholische Krankenhäuser2.ppt
[2010.07.27 08:29:42 | 008,503,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010.07.25 21:20:51 | 000,074,406 | ---- | M] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Rechnung Rollo Rieper.pdf
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.08.15 22:37:56 | 000,000,676 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.08.15 22:20:43 | 000,001,719 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\AntiVir PE Classic.lnk
[2010.08.02 21:43:48 | 000,055,907 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Impfkalender.pdf
[2010.07.30 19:53:16 | 000,872,960 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Zukunft der Krankenhäuser.ppt
[2010.07.29 21:36:12 | 001,094,486 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Hammer Unterlagen.pdf
[2010.07.29 21:20:57 | 001,172,992 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Desktop\Katholische Krankenhäuser2.ppt
[2010.07.25 21:20:45 | 000,074,406 | ---- | C] () -- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Rechnung Rollo Rieper.pdf
[2010.04.15 13:39:17 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010.03.22 21:07:39 | 000,741,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\lpvmtsvd.sys
[2010.03.09 22:25:14 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.11.21 23:47:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008.11.21 23:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008.11.21 23:45:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008.11.21 23:44:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007.10.08 14:54:47 | 000,001,059 | ---- | C] () -- C:\WINDOWS\WISO.INI
[2006.11.14 00:15:38 | 000,000,099 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006.11.14 00:11:43 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE R240R245EU.ini
[2006.10.03 12:25:26 | 000,000,274 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006.05.08 22:19:12 | 000,003,319 | ---- | C] () -- C:\WINDOWS\tm.ini
[2006.05.08 22:15:25 | 000,000,267 | ---- | C] () -- C:\WINDOWS\buhl.ini
[2006.05.08 09:47:59 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2006.05.08 09:47:54 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2006.05.08 09:39:22 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.05.07 17:43:45 | 000,065,568 | R--- | C] () -- C:\WINDOWS\System32\drivers\btwusb.sys
[2006.05.07 17:43:45 | 000,017,388 | R--- | C] () -- C:\WINDOWS\System32\drivers\frmupgr.sys
[2006.05.07 17:43:41 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\btw_ci.dll
[2005.11.04 11:21:48 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2005.11.04 10:21:24 | 000,189,480 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2003.04.25 04:59:46 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2003.02.20 17:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001.09.18 13:00:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\bmpproc.dll
[2001.02.14 23:00:00 | 000,287,744 | ---- | C] () -- C:\WINDOWS\uno364mi.dll
[2001.02.14 23:00:00 | 000,109,568 | ---- | C] () -- C:\WINDOWS\vos364mi.dll
[2001.02.14 23:00:00 | 000,091,648 | ---- | C] () -- C:\WINDOWS\osl364mi.dll
[2001.02.14 23:00:00 | 000,000,083 | ---- | C] () -- C:\WINDOWS\uno.ini
< End of report >
         
--- --- ---
OTL Logfile:
Code:
ATTFilter
OTL Extras logfile created on: 16.08.2010 07:03:38 - Run 2
OTL by OldTimer - Version 3.2.9.1     Folder = C:\Dokumente und Einstellungen\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
511,00 Mb Total Physical Memory | 50,00 Mb Available Physical Memory | 10,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 37,25 Gb Total Space | 18,67 Gb Free Space | 50,12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: GAL-0GHQ06EMM55
Current User Name: Administrator
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\Windows Live\Messenger\msnmsgr.exe" = C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Programme\Windows Live\Messenger\livecall.exe" = C:\Programme\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\Java\j2re1.4.2_10\bin\javaw.exe" = C:\Programme\Java\j2re1.4.2_10\bin\javaw.exe:*:Enabled:javaw -- ()
"C:\Programme\Java\j2re1.4.2_10\bin\java.exe" = C:\Programme\Java\j2re1.4.2_10\bin\java.exe:*:Enabled:java -- ()
"C:\Programme\Kontiki\KService.exe" = C:\Programme\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- File not found
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Programme\Windows Live\Messenger\msnmsgr.exe" = C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Programme\Windows Live\Messenger\livecall.exe" = C:\Programme\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found
"C:\Programme\iTunes\iTunes.exe" = C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00D0200F-3B4D-4A2F-869E-533ED835A943}" = Hervorhebe-Funktion (Windows Live Toolbar)
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0AC49543-9CE2-4434-AD42-5AA6E2967FA5}" = Windows Live Toolbar
"{0C3FB717-87A4-4634-84E7-C8D4ADA75C45}" = BDElster
"{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F2899C5-8938-4232-98CC-7A075ECB3172}" = t@x 2010 Standard
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{218761F6-CBF6-4973-B910-A33E6563A1EA}" = Windows Live Toolbar-Erweiterung (Windows Live Toolbar)
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24C67B54-0718-445E-B663-3138D9246BD1}" = Cisco Systems VPN Client 4.8.00.0440
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{27F650A9-6FAB-41C8-8621-92FF0118B0C4}" = EPSON Easy Photo Print
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{2DD6C198-FA9A-40B4-8DE5-CE5206E3EB34}" = Smart Menus (Windows Live Toolbar)
"{30145F57-0736-419A-98B0-954E97981B35}" = CortalConsors TradingAPI DE 1.0.7
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{40030378-9EB9-482A-AC10-195097CA624D}" = t@x 2009 Standard
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142100}" = Java 2 Runtime Environment, SE v1.4.2_10
"{73006B34-9743-4A39-AC37-38EDFCEB6DCE}" = Adobe Product/Adobe Studio Update 10/2001
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites für Windows Live Toolbar
"{7A7B0BF3-2F00-4F03-8A9B-6ABCC07B90C6}" = Windows Live installer
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{804DE1A3-45D2-4AAC-8526-E9ADE47D84DF}" = Mindjet MindManager Pro 6
"{80A97464-A741-44B0-8AD6-0C16B1FEF7F6}" = Norton Security Scan
"{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
"{89EC8757-A934-11D6-8732-00105A376200}" = mapserver 4 COM-Module
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F45E494-BFFB-4E85-B821-59BF40636640}" = Buhl finance - tax money
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D8D22773-14BF-4178-A683-3DBA515C2A26}" = WISO Mein Geld 2008 Professional
"{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari
"{E0091C29-DEE8-4B24-BF65-8C35B5940D77}" = Letstrade
"{E728E952-DD4F-4BCD-A5C8-40FBFEFF91FE}" = OpenOffice.org Installer 1.0
"{E86BC406-944E-41F6-ADE6-2C136734C96B}" = EPSON File Manager
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"AntiVir PersonalEdition Classic" = Avira AntiVir PersonalEdition Classic
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Digest2005_is1" = Neuropower Digest 2005
"EPSON Printer and Utilities" = EPSON-Drucker-Software
"ESPR240-Benutzerhandbuch" = ESPR240-Benutzerhandbuch
"GMX ProfiFax" = GMX ProfiFax
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroShowTime!UninstallKey" = Nero ShowTime CE
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSS" = Norton Security Scan
"PDF-XChange 3_is1" = PDF-XChange 3.0
"RealPlayer 12.0" = RealPlayer
"Slim USB2 Scanner" = Slim USB2 Scanner
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ActiveTrader 4.2.10_b1" = ActiveTrader 4.2.10_b1
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 03.07.2010 16:00:09 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul
 hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
 
Error - 25.07.2010 14:23:17 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083
Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich 
nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel
 in der signierten Datei.  .
 
Error - 25.07.2010 14:23:17 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083
Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich 
nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel
 in der signierten Datei.  .
 
Error - 01.08.2010 12:40:55 | Computer Name = GAL-0GHQ06EMM55 | Source = Avira AntiVir | ID = 4112
Description = Bei der Anforderung nach einer Resource des Betriebssystems trat ein
 Fehler auf.  Die Resource 'ThreadInit' wurde nicht zugewiesen.  Der Grund hierfür könnte
 zu wenig Hauptspeicher oder ein anderer Systemfehler sein.  Fehlercode: 0x18
 
Error - 15.08.2010 09:43:55 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung OUTLOOK.EXE, Version 11.0.8325.0, Stillstandmodul
 hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
 
Error - 15.08.2010 09:43:56 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung OUTLOOK.EXE, Version 11.0.8325.0, Stillstandmodul
 hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
 
Error - 15.08.2010 10:43:09 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083
Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich 
nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel
 in der signierten Datei.  .
 
Error - 15.08.2010 10:43:09 | Computer Name = GAL-0GHQ06EMM55 | Source = crypt32 | ID = 131083
Description = Die Extrahierung der Drittanbieterstammlisten aus der automatischen
 Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
 ist fehlgeschlagen mit dem Fehler: Ein erforderliches Zertifikat befindet sich 
nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel
 in der signierten Datei.  .
 
Error - 15.08.2010 16:08:40 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung explorer.exe, Version 6.0.2900.5512, Stillstandmodul
 hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
 
Error - 15.08.2010 17:37:36 | Computer Name = GAL-0GHQ06EMM55 | Source = Application Hang | ID = 1002
Description = Stillstehende Anwendung iexplore.exe, Version 8.0.6001.18702, Stillstandmodul
 hungapp, Version 0.0.0.0, Stillstandadresse 0x00000000.
 
[ System Events ]
Error - 15.08.2010 09:29:44 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7009
Description = Zeitüberschreitung (30000 ms) beim Verbindungsversuch mit Dienst HTTP-SSL.
 
Error - 15.08.2010 09:29:44 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7000
Description = Der Dienst "HTTP-SSL" wurde aufgrund folgenden Fehlers nicht gestartet:
   %%1053
 
Error - 15.08.2010 17:15:10 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   PCIIde
 
Error - 15.08.2010 17:16:42 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106
Description = Die Schnittstelle "{AC3C477C-D918-4C8F-BA84-F819CB6E53BF}" kann nicht
 zu dem Router-Manager für das Protokoll IP hinzugefügt werden.  Fehler: Die Funktion
 kann nicht abgeschlossen werden.  
 
Error - 15.08.2010 17:16:42 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106
Description = Die Schnittstelle "{97625F7E-271C-44DA-A5CD-435D5B45FBEB}" kann nicht
 zu dem Router-Manager für das Protokoll IP hinzugefügt werden.  Fehler: Die Funktion
 kann nicht abgeschlossen werden.  
 
Error - 15.08.2010 17:16:42 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106
Description = Die Schnittstelle "{5CB68A60-E046-448D-83BB-78B5A34E6877}" kann nicht
 zu dem Router-Manager für das Protokoll IP hinzugefügt werden.  Fehler: Die Funktion
 kann nicht abgeschlossen werden.  
 
Error - 16.08.2010 00:59:26 | Computer Name = GAL-0GHQ06EMM55 | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   PCIIde
 
Error - 16.08.2010 01:01:14 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106
Description = Die Schnittstelle "{AC3C477C-D918-4C8F-BA84-F819CB6E53BF}" kann nicht
 zu dem Router-Manager für das Protokoll IP hinzugefügt werden.  Fehler: Die Funktion
 kann nicht abgeschlossen werden.  
 
Error - 16.08.2010 01:01:14 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106
Description = Die Schnittstelle "{97625F7E-271C-44DA-A5CD-435D5B45FBEB}" kann nicht
 zu dem Router-Manager für das Protokoll IP hinzugefügt werden.  Fehler: Die Funktion
 kann nicht abgeschlossen werden.  
 
Error - 16.08.2010 01:01:14 | Computer Name = GAL-0GHQ06EMM55 | Source = RemoteAccess | ID = 20106
Description = Die Schnittstelle "{5CB68A60-E046-448D-83BB-78B5A34E6877}" kann nicht
 zu dem Router-Manager für das Protokoll IP hinzugefügt werden.  Fehler: Die Funktion
 kann nicht abgeschlossen werden.  
 
 
< End of report >
         
--- --- ---

Alt 16.08.2010, 09:22   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Hallo,

Bitte Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus

Anschließend den bootkit_remover herunterladen. Entpacke das Tool in einen eigenen Ordner auf dem Desktop und führe in diesem Ordner die Datei remove.exe aus.

Wenn Du Windows Vista oder Windows 7 verwendest, musst Du die remover.exe über ein Rechtsklick => als Administrator ausführen

Ein schwarzes Fenster wird sich öffnen und automatisch nach bösartigen Veränderungen im MBR suchen.
Poste dann bitte, ob es Veränderungen gibt und wenn ja in welchem device. Am besten alles posten was die remover.exe ausgibt.
__________________

__________________

Alt 16.08.2010, 20:58   #3
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Hallo Arne,

das log-file von GMER lautet:

GMER Logfile:
Code:
ATTFilter
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-08-16 20:15:11
Windows 5.1.2600 Service Pack 3
Running: lvug7xpi.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\kwaiifog.sys


---- System - GMER 1.0.15 ----

SSDT     F8B62DE6                                                                                                                                ZwCreateKey
SSDT     F8B62DDC                                                                                                                                ZwCreateThread
SSDT     F8B62DEB                                                                                                                                ZwDeleteKey
SSDT     F8B62DF5                                                                                                                                ZwDeleteValueKey
SSDT     F8B62DFA                                                                                                                                ZwLoadKey
SSDT     F8B62DC8                                                                                                                                ZwOpenProcess
SSDT     F8B62DCD                                                                                                                                ZwOpenThread
SSDT     F8B62E04                                                                                                                                ZwReplaceKey
SSDT     F8B62DFF                                                                                                                                ZwRestoreKey
SSDT     F8B62DF0                                                                                                                                ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text    ntoskrnl.exe!_abnormal_termination + 150                                                                                                804E27BC 1 Byte  [F5]
?        wutbfqq.sys                                                                                                                             Das System kann die angegebene Datei nicht finden. !
?        C:\WINDOWS\system32\drivers\lpvmtsvd.sys                                                                                                Ein an das System angeschlossenes Gerät funktioniert nicht.
PAGE     Ntfs.sys                                                                                                                                F82EDE55 4 Bytes  CALL 823D2B09 

---- User code sections - GMER 1.0.15 ----

.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamW                                                            7E3747AB 5 Bytes  JMP 41195501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!CreateWindowExW                                                            7E37D0A3 5 Bytes  JMP 4126DB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamW                                                    7E382072 5 Bytes  JMP 41364B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectA                                                        7E38A082 5 Bytes  JMP 41364AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamA                                                            7E38B144 5 Bytes  JMP 41364B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExW                                                              7E3A0838 5 Bytes  JMP 41364972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExA                                                              7E3A085C 5 Bytes  JMP 413649D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamA                                                    7E3A6D7D 5 Bytes  JMP 41364BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectW                                                        7E3B64D5 5 Bytes  JMP 41364A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxParamW                                                            7E3747AB 5 Bytes  JMP 41195501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!SetWindowsHookExW                                                          7E37820F 5 Bytes  JMP 41269AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!CallNextHookEx                                                             7E37B3C6 5 Bytes  JMP 4125D135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!CreateWindowExW                                                            7E37D0A3 5 Bytes  JMP 4126DB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!UnhookWindowsHookEx                                                        7E37D5F3 5 Bytes  JMP 411D4666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxIndirectParamW                                                    7E382072 5 Bytes  JMP 41364B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxIndirectA                                                        7E38A082 5 Bytes  JMP 41364AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxParamA                                                            7E38B144 5 Bytes  JMP 41364B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxExW                                                              7E3A0838 5 Bytes  JMP 41364972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxExA                                                              7E3A085C 5 Bytes  JMP 413649D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!DialogBoxIndirectParamA                                                    7E3A6D7D 5 Bytes  JMP 41364BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] USER32.dll!MessageBoxIndirectW                                                        7E3B64D5 5 Bytes  JMP 41364A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] ole32.dll!CoCreateInstance                                                            774D057E 5 Bytes  JMP 4126DB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[2556] ole32.dll!OleLoadFromStream                                                           774F9C85 5 Bytes  JMP 41364EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamW                                                            7E3747AB 5 Bytes  JMP 41195501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!SetWindowsHookExW                                                          7E37820F 5 Bytes  JMP 41269AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!CallNextHookEx                                                             7E37B3C6 5 Bytes  JMP 4125D135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!CreateWindowExW                                                            7E37D0A3 5 Bytes  JMP 4126DB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!UnhookWindowsHookEx                                                        7E37D5F3 5 Bytes  JMP 411D4666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamW                                                    7E382072 5 Bytes  JMP 41364B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectA                                                        7E38A082 5 Bytes  JMP 41364AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamA                                                            7E38B144 5 Bytes  JMP 41364B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExW                                                              7E3A0838 5 Bytes  JMP 41364972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExA                                                              7E3A085C 5 Bytes  JMP 413649D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamA                                                    7E3A6D7D 5 Bytes  JMP 41364BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectW                                                        7E3B64D5 5 Bytes  JMP 41364A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] ole32.dll!CoCreateInstance                                                            774D057E 5 Bytes  JMP 4126DB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text    C:\Programme\Internet Explorer\iexplore.exe[3096] ole32.dll!OleLoadFromStream                                                           774F9C85 5 Bytes  JMP 41364EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT      C:\Programme\Internet Explorer\iexplore.exe[2556] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]                         [451F1ACB] C:\Programme\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT      C:\Programme\Internet Explorer\iexplore.exe[3096] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]                         [451F1ACB] C:\Programme\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device   \FileSystem\Ntfs \Ntfs                                                                                                                  82366DF8

---- Services - GMER 1.0.15 ----

Service   (*** hidden *** )                                                                                                                      [BOOT] lpvmtsvd                                                                                                              <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@Type                                                                                    1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@Start                                                                                   0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@ErrorControl                                                                            0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\lpvmtsvd@Group                                                                                   Boot Bus Extender
Reg      HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@Type                                                                                        1
Reg      HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@Start                                                                                       0
Reg      HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@ErrorControl                                                                                0
Reg      HKLM\SYSTEM\ControlSet002\Services\lpvmtsvd@Group                                                                                       Boot Bus Extender
Reg      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A1ED4082D54CAA458629EDA4ED748FD\Usage@Program_Pro  1024508611

---- EOF - GMER 1.0.15 ----
         
--- --- ---


OSAM lässt sich leider nach dem Entpacken nicht öffnen. Als Grund wird ein Problem mit der Anwendungsdatei osam.exe angegeben.

Dafür gibt der bootkiz_remover folgendes ab:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 5ddc20efcc4d1dab37c348c7db7289cf

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...



Ich hoffe es hilft weiter.

Danke vorab!
__________________

Alt 16.08.2010, 21:46   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Nimm zum Entpacken von OSAM bitte WinRAR oder 7-Zip
__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Alt 16.08.2010, 22:28   #5
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Danke für den Tipp!.

hier ist das OSAM log file:

OSAM Logfile:
Code:
ATTFilter
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 22:26:51 on 16.08.2010

OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"Auf Updates für Windows Live Toolbar prüfen.job" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\MSNTBUP.EXE
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"Norton Security Scan for Administrator.job" - "Symantec Corporation" - C:\Programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe
"RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe
"RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"Ddbaccpl.cpl" - "DataDesign AG" - C:\WINDOWS\system32\Ddbaccpl.cpl
"ddBACCTM.cpl" - "DataDesign AG" - C:\WINDOWS\system32\ddBACCTM.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl  (File signed by Microsoft | File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic Konfiguration" - "Avira GmbH" - C:\PROGRA~1\ANTIVI~1\avconfig.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys  (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"lpvmtsvd" (lpvmtsvd) - ? - C:\WINDOWS\system32\drivers\lpvmtsvd.sys  (Hidden file | Hidden registry entry, rootkit activity | File found, but it contains no detailed information)
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\System32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)
"WIDCOMM USB Bluetooth Driver" (BTWUSB) - ? - C:\WINDOWS\System32\Drivers\btwusb.sys

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Programme\7-Zip\7-zip.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll  (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? -   (File not found | COM-object registry key not found)
{32683183-48a0-441b-a342-7c2a440a9478} "Media Band" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - c:\program files\real\realplayer\rpshell.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "H+BEDV Datentechnik GmbH" - C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? -   (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" - ? -   (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? -   (File not found | COM-object registry key not found)
<binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
DirectAnimation Java Classes "DirectAnimation Java Classes" - ? -   (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\dajava.cab
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} "DivXBrowserPlugin Object" - "DivX,Inc." - C:\Programme\DivX\DivX Web Player\npdivx32.dll / hxxp://download.divx.com/player/DivXBrowserPlugin.cab
{AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{CAC677B6-4963-4305-9066-0BD135CD9233} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader4.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} "Java Plug-in 1.4.2_10" - "JavaSoft / Sun Microsystems, Inc." - C:\Programme\Java\j2re1.4.2_10\bin\npjpi142_10.dll / hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} "Java Plug-in 1.5.0_09" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} "Java Plug-in 1.6.0_02" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} "Java Plug-in 1.6.0_03" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} "Java Plug-in 1.6.0_05" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Microsoft XML Parser for Java "Microsoft XML Parser for Java" - ? -   (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\xmldso.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} "Office Update Installation Engine" - "Microsoft Corporation" - C:\WINDOWS\opuc.dll / hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} "RdxIE Class" - "RealNetworks, Inc." - C:\WINDOWS\Downloaded Program Files\RdxIE.dll / hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab
{166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{0000000A-9980-0010-8000-00AA00389B71} "{0000000A-9980-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
{33564D57-0000-0010-8000-00AA00389B71} "{33564D57-0000-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
{33564D57-9980-0010-8000-00AA00389B71} "{33564D57-9980-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? -   (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"Digest" - ? - C:\Programme\NeuroPower\Digest2005\iereg.exe  (File found, but it contains no detailed information)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
{AC41D38F-B56D-40AD-94E0-B493D130C959} "Send to Mindjet MindManager" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )-----
"Location" - "InterTrust Technologies Corporation, Inc." - C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
<binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - ? - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{AC41D38F-B56D-40AD-94E0-B493D130C959} "CmjBrowserHelperObject Object" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Acrobat Assistant.lnk" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"t@x aktuell.lnk" - "R&S EDV-Beratung, Hannover" - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe  (Shortcut exists | File exists)
"VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe  (Shortcut exists | File exists)
"WinZip Quick Pick.lnk" - "WinZip Computing, S.L." - C:\Programme\WinZip\WZQKPICK.EXE  (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini
"Yahoo! Widgets.lnk" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk  (Shortcut exists | File not found)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"MsnMsgr" - ? - "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background  (File not found)
"pdfSaver3" - "Tracker Software Products Ltd." - "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
"Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\\Phone\Skype.exe" /nosplash /minimized
"swg" - "Google Inc." - "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"avgnt" - "H+BEDV Datentechnik GmbH" - "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
"HotKey" - "Pmx. Electronics Ltd." - C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
"iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe"
"MMReminderService" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\MMReminderService.exe
"QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Java\jre6\bin\jusched.exe"
"TkBellExe" - "RealNetworks, Inc." - "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"GMX Fax Monitor" - "GMX GmbH" - C:\WINDOWS\system32\UIGMXMON.DLL
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\System32\pdfports.dll
"PDF-XChange" - "Tracker Software" - C:\WINDOWS\system32\pxc25pm.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
"Google Software Updater" (gusvc) - "Google" - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe
"Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll  (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===
         
--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru


Alt 17.08.2010, 09:40   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Zitat:
"lpvmtsvd" (lpvmtsvd) - ? - C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Hidden file | Hidden registry entry, rootkit activity | File found, but it contains no detailed information)
Bitte mit OSAM deaktivieren und löschen. Danach ein neues OSAM-Log bitte posten.

Im Anschluss - falls noch nicht getan - die Datei remover.exe (vom BootkitRemover) vom Desktop nach c:\windows\system32 kopieren!
Danach die Konsole starten über Start, Ausführen, cmd eintippen, ok.

Den Text im folgenden Codefeld eintippen und mit Enter/Return ausführen:
Code:
ATTFilter
remover.exe fix \\.\PhysicalDrive0
         
__________________
--> Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys

Alt 17.08.2010, 21:46   #7
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Hallo,

zunächst das Ergebnis des OSAM logfile nach Deaktivierung:

OSAM Logfile:
Code:
ATTFilter
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:18:43 on 17.08.2010

OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"Auf Updates für Windows Live Toolbar prüfen.job" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\MSNTBUP.EXE
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"Norton Security Scan for Administrator.job" - "Symantec Corporation" - C:\Programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe
"RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe
"RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"Ddbaccpl.cpl" - "DataDesign AG" - C:\WINDOWS\system32\Ddbaccpl.cpl
"ddBACCTM.cpl" - "DataDesign AG" - C:\WINDOWS\system32\ddBACCTM.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl  (File signed by Microsoft | File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic Konfiguration" - "Avira GmbH" - C:\PROGRA~1\ANTIVI~1\avconfig.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys  (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\System32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)
"WIDCOMM USB Bluetooth Driver" (BTWUSB) - ? - C:\WINDOWS\System32\Drivers\btwusb.sys
(Disabled) "lpvmtsvd" (lpvmtsvd) - ? - C:\WINDOWS\system32\drivers\lpvmtsvd.sys  (Hidden file | Hidden registry entry, rootkit activity | File found, but it contains no detailed information)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Programme\7-Zip\7-zip.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll  (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? -   (File not found | COM-object registry key not found)
{32683183-48a0-441b-a342-7c2a440a9478} "Media Band" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - c:\program files\real\realplayer\rpshell.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "H+BEDV Datentechnik GmbH" - C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? -   (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" - ? -   (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? -   (File not found | COM-object registry key not found)
<binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
DirectAnimation Java Classes "DirectAnimation Java Classes" - ? -   (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\dajava.cab
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} "DivXBrowserPlugin Object" - "DivX,Inc." - C:\Programme\DivX\DivX Web Player\npdivx32.dll / hxxp://download.divx.com/player/DivXBrowserPlugin.cab
{AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{CAC677B6-4963-4305-9066-0BD135CD9233} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader4.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} "Java Plug-in 1.4.2_10" - "JavaSoft / Sun Microsystems, Inc." - C:\Programme\Java\j2re1.4.2_10\bin\npjpi142_10.dll / hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} "Java Plug-in 1.5.0_09" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} "Java Plug-in 1.6.0_02" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} "Java Plug-in 1.6.0_03" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} "Java Plug-in 1.6.0_05" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Microsoft XML Parser for Java "Microsoft XML Parser for Java" - ? -   (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\xmldso.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} "Office Update Installation Engine" - "Microsoft Corporation" - C:\WINDOWS\opuc.dll / hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} "RdxIE Class" - "RealNetworks, Inc." - C:\WINDOWS\Downloaded Program Files\RdxIE.dll / hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab
{166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{0000000A-9980-0010-8000-00AA00389B71} "{0000000A-9980-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
{33564D57-0000-0010-8000-00AA00389B71} "{33564D57-0000-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
{33564D57-9980-0010-8000-00AA00389B71} "{33564D57-9980-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? -   (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"Digest" - ? - C:\Programme\NeuroPower\Digest2005\iereg.exe  (File found, but it contains no detailed information)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
{AC41D38F-B56D-40AD-94E0-B493D130C959} "Send to Mindjet MindManager" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )-----
"Location" - "InterTrust Technologies Corporation, Inc." - C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
<binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - ? - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{AC41D38F-B56D-40AD-94E0-B493D130C959} "CmjBrowserHelperObject Object" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Acrobat Assistant.lnk" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"t@x aktuell.lnk" - "R&S EDV-Beratung, Hannover" - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe  (Shortcut exists | File exists)
"VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe  (Shortcut exists | File exists)
"WinZip Quick Pick.lnk" - "WinZip Computing, S.L." - C:\Programme\WinZip\WZQKPICK.EXE  (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini
"Yahoo! Widgets.lnk" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk  (Shortcut exists | File not found)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"MsnMsgr" - ? - "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background  (File not found)
"pdfSaver3" - "Tracker Software Products Ltd." - "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
"Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\\Phone\Skype.exe" /nosplash /minimized
"swg" - "Google Inc." - "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"avgnt" - "H+BEDV Datentechnik GmbH" - "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
"HotKey" - "Pmx. Electronics Ltd." - C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
"iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe"
"MMReminderService" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\MMReminderService.exe
"QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Java\jre6\bin\jusched.exe"
"TkBellExe" - "RealNetworks, Inc." - "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"GMX Fax Monitor" - "GMX GmbH" - C:\WINDOWS\system32\UIGMXMON.DLL
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\System32\pdfports.dll
"PDF-XChange" - "Tracker Software" - C:\WINDOWS\system32\pxc25pm.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
"Google Software Updater" (gusvc) - "Google" - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe
"Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll  (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===
         
--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru


Dann das OSAM logfile nach Löschen und Neustart:

OSAM Logfile:
Code:
ATTFilter
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:40:20 on 17.08.2010

OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"Auf Updates für Windows Live Toolbar prüfen.job" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\MSNTBUP.EXE
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"Norton Security Scan for Administrator.job" - "Symantec Corporation" - C:\Programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe
"RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe
"RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job" - "RealNetworks, Inc." - C:\Programme\Real\RealUpgrade\realupgrade.exe
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"Ddbaccpl.cpl" - "DataDesign AG" - C:\WINDOWS\system32\Ddbaccpl.cpl
"ddBACCTM.cpl" - "DataDesign AG" - C:\WINDOWS\system32\ddBACCTM.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl  (File signed by Microsoft | File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic Konfiguration" - "Avira GmbH" - C:\PROGRA~1\ANTIVI~1\avconfig.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys  (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\System32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)
"WIDCOMM USB Bluetooth Driver" (BTWUSB) - ? - C:\WINDOWS\System32\Drivers\btwusb.sys

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Programme\7-Zip\7-zip.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll  (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? -   (File not found | COM-object registry key not found)
{32683183-48a0-441b-a342-7c2a440a9478} "Media Band" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - c:\program files\real\realplayer\rpshell.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "H+BEDV Datentechnik GmbH" - C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? -   (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing LP" - C:\Programme\WinZip\wzshlstb.dll

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" - ? -   (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? -   (File not found | COM-object registry key not found)
<binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
DirectAnimation Java Classes "DirectAnimation Java Classes" - ? -   (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\dajava.cab
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} "DivXBrowserPlugin Object" - "DivX,Inc." - C:\Programme\DivX\DivX Web Player\npdivx32.dll / hxxp://download.divx.com/player/DivXBrowserPlugin.cab
{AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{CAC677B6-4963-4305-9066-0BD135CD9233} "IPSUploader4 Control" - "IP Labs GmbH - Germany" - C:\WINDOWS\Downloaded Program Files\IPSUploader4.ocx / hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} "Java Plug-in 1.4.2_10" - "JavaSoft / Sun Microsystems, Inc." - C:\Programme\Java\j2re1.4.2_10\bin\npjpi142_10.dll / hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} "Java Plug-in 1.5.0_09" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} "Java Plug-in 1.6.0_02" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} "Java Plug-in 1.6.0_03" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} "Java Plug-in 1.6.0_05" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_11" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_11.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Microsoft XML Parser for Java "Microsoft XML Parser for Java" - ? -   (File not found | COM-object registry key not found) / file://C:\WINDOWS\Java\classes\xmldso.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} "Office Update Installation Engine" - "Microsoft Corporation" - C:\WINDOWS\opuc.dll / hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} "RdxIE Class" - "RealNetworks, Inc." - C:\WINDOWS\Downloaded Program Files\RdxIE.dll / hxxp://software-dl.real.com/016e92cb316664252f15/netzip/RdxIE601_de.cab
{166B1BCA-3F9C-11CF-8075-444553540000} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} "Symantec RuFSI Utility Class" - "Symantec Corporation" - C:\WINDOWS\Downloaded Program Files\rufsi.dll / hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{0000000A-9980-0010-8000-00AA00389B71} "{0000000A-9980-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
{33564D57-0000-0010-8000-00AA00389B71} "{33564D57-0000-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
{33564D57-9980-0010-8000-00AA00389B71} "{33564D57-9980-0010-8000-00AA00389B71}" - ? -   (File not found | COM-object registry key not found) / hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? -   (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"Digest" - ? - C:\Programme\NeuroPower\Digest2005\iereg.exe  (File found, but it contains no detailed information)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
{AC41D38F-B56D-40AD-94E0-B493D130C959} "Send to Mindjet MindManager" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension )-----
"Location" - "InterTrust Technologies Corporation, Inc." - C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Google Toolbar" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
<binary data> "Windows Live Toolbar" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - ? - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{AC41D38F-B56D-40AD-94E0-B493D130C959} "CmjBrowserHelperObject Object" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\Mm6InternetExplorer.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Programme\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Programme\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" - "RealPlayer" - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "Windows Live Toolbar Helper" - "Microsoft Corporation" - C:\Programme\Windows Live Toolbar\msntb.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Acrobat Assistant.lnk" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"t@x aktuell.lnk" - "R&S EDV-Beratung, Hannover" - C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe  (Shortcut exists | File exists)
"VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe  (Shortcut exists | File exists)
"WinZip Quick Pick.lnk" - "WinZip Computing, S.L." - C:\Programme\WinZip\WZQKPICK.EXE  (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini
"Yahoo! Widgets.lnk" - ? - C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Yahoo! Widgets.lnk  (Shortcut exists | File not found)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"MsnMsgr" - ? - "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background  (File not found)
"pdfSaver3" - "Tracker Software Products Ltd." - "C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
"Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\\Phone\Skype.exe" /nosplash /minimized
"swg" - "Google Inc." - "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"avgnt" - "H+BEDV Datentechnik GmbH" - "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
"HotKey" - "Pmx. Electronics Ltd." - C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
"iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe"
"MMReminderService" - "Mindjet" - C:\Programme\Mindjet\MindManager 6\MMReminderService.exe
"QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Java\jre6\bin\jusched.exe"
"TkBellExe" - "RealNetworks, Inc." - "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"GMX Fax Monitor" - "GMX GmbH" - C:\WINDOWS\system32\UIGMXMON.DLL
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\System32\pdfports.dll
"PDF-XChange" - "Tracker Software" - C:\WINDOWS\system32\pxc25pm.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"AntiVir PersonalEdition Classic Planer" (AntiVirScheduler) - "Avira GmbH" - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
"Google Software Updater" (gusvc) - "Google" - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe
"Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll  (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"WgaLogon" - "Microsoft Corporation" - C:\WINDOWS\system32\WgaLogon.dll

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===
         
--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Und abschließend das Ergebnis nach Anwendung des bootkit remover unter system 32:


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Dokumente und Einstellungen\Administrator>
C:\Dokumente und Einstellungen\Administrator>remover.exe fix\\.\PhysicalDrive0
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

ERROR: Unknown command.

Done;
Press any key to quit...



Sieht nicht danach aus, dass das Problem gelöst ist, oder?

Alt 17.08.2010, 21:50   #8
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Sorry, das Ergebnis nach dem bootkit remover lautet wie folgt:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Dokumente und Einstellungen\Administrator>remover.exe fix \\.\PhysicalDrive0
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Restoring boot code at \\.\PhysicalDrive0...
OK

Done;
Press any key to quit...

Alt 17.08.2010, 22:17   #9
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Zwecks Kontrolle des MBRs:

Downloade Dir bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
  • Doppelklick auf die MBRCheck.exe.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Das Tool braucht nur eine Sekunde.
  • Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.
Poste mir bitte den Inhalt des .txt Dokumentes
__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Alt 17.08.2010, 22:26   #10
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Voila!

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002c

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF8A34000 \WINDOWS\system32\KDCOM.DLL
0xF8944000 \WINDOWS\system32\BOOTVID.dll
0xF84E4000 ACPI.sys
0xF8A36000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF84D3000 pci.sys
0xF8534000 isapnp.sys
0xF8544000 ohci1394.sys
0xF8554000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xF8948000 compbatt.sys
0xF894C000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF8AFC000 PCIIde.sys
0xF87B4000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF8A38000 intelide.sys
0xF84B5000 pcmcia.sys
0xF8564000 MountMgr.sys
0xF8496000 ftdisk.sys
0xF8A3A000 dmload.sys
0xF8470000 dmio.sys
0xF8950000 ACPIEC.sys
0xF8AFD000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
0xF87BC000 PartMgr.sys
0xF8574000 VolSnap.sys
0xF8458000 atapi.sys
0xF8584000 disk.sys
0xF8594000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF8438000 fltmgr.sys
0xF8426000 sr.sys
0xF85A4000 PxHelp20.sys
0xF840F000 KSecDD.sys
0xF8382000 Ntfs.sys
0xF8355000 NDIS.sys
0xF833B000 Mup.sys
0xF85B4000 agp440.sys
0xF85E4000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xF8624000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF72F8000 \SystemRoot\System32\DRIVERS\ati2mtag.sys
0xF72E4000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF88CC000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF72C0000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF88D4000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF88DC000 \SystemRoot\System32\DRIVERS\RTL8139.SYS
0xF707B000 \SystemRoot\System32\DRIVERS\w70n51.sys
0xF88E4000 \SystemRoot\System32\Drivers\WBSD.SYS
0xF8634000 \SystemRoot\System32\DRIVERS\serial.sys
0xF8317000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF8644000 \SystemRoot\System32\DRIVERS\smcirda.sys
0xF8313000 \SystemRoot\System32\DRIVERS\irenum.sys
0xF7067000 \SystemRoot\System32\DRIVERS\parport.sys
0xF8654000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF88EC000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF88F4000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF8664000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF8674000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF8684000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7044000 \SystemRoot\System32\DRIVERS\ks.sys
0xF88FC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF6FBF000 \SystemRoot\system32\drivers\smwdm.sys
0xF6F9B000 \SystemRoot\system32\drivers\portcls.sys
0xF8694000 \SystemRoot\system32\drivers\drmk.sys
0xF6F83000 \SystemRoot\system32\drivers\aeaudio.sys
0xF6E65000 \SystemRoot\System32\DRIVERS\AGRSM.sys
0xF8904000 \SystemRoot\System32\Drivers\Modem.SYS
0xF82FF000 \SystemRoot\System32\DRIVERS\CmBatt.sys
0xF6E4A000 \SystemRoot\System32\DRIVERS\dne2000.sys
0xF8BB5000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF6E38000 \SystemRoot\system32\DRIVERS\bridge.sys
0xF890C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF8914000 \SystemRoot\System32\DRIVERS\rasirda.sys
0xF86A4000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF89C8000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6E21000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF86B4000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF86C4000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF6E10000 \SystemRoot\System32\DRIVERS\psched.sys
0xF86D4000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF891C000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF8924000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF8A64000 \SystemRoot\System32\DRIVERS\CVirtA.sys
0xF6DE0000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF86E4000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF8A66000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF6D82000 \SystemRoot\System32\DRIVERS\update.sys
0xF89E0000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF8704000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8734000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8A68000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8A6E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C0C000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A70000 \SystemRoot\System32\Drivers\Beep.SYS
0xF87DC000 \SystemRoot\System32\drivers\vga.sys
0xF8A72000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A74000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF87E4000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF87EC000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8A0C000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xEEBD4000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xEEB7B000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xEEB53000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF8A10000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEEB31000 \SystemRoot\System32\drivers\afd.sys
0xF8774000 \SystemRoot\System32\DRIVERS\netbios.sys
0xEEB06000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xEEA96000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF8794000 \SystemRoot\System32\Drivers\Fips.SYS
0xEEA70000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF87A4000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF85F4000 \SystemRoot\System32\Drivers\btwusb.sys
0xEEA26000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF8A80000 \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys
0xF7AAA000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEDAF9000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A8E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEEC27000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8854000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B47000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF059000 \SystemRoot\System32\ati3d2ag.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEDA44000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xED9DE000 \SystemRoot\System32\DRIVERS\irda.sys
0xEDA79000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xED781000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF8A62000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xED5E4000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xED467000 \SystemRoot\system32\drivers\wdmaud.sys
0xED856000 \SystemRoot\system32\drivers\sysaudio.sys
0xED2CA000 \SystemRoot\System32\DRIVERS\srv.sys
0xECC49000 \SystemRoot\System32\Drivers\HTTP.sys
0xEC276000 \SystemRoot\system32\drivers\kmixer.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
1348 C:\WINDOWS\system32\smss.exe
1396 csrss.exe
1428 C:\WINDOWS\system32\winlogon.exe
1472 C:\WINDOWS\system32\services.exe
1484 C:\WINDOWS\system32\lsass.exe
1676 C:\WINDOWS\system32\svchost.exe
1724 svchost.exe
188 C:\WINDOWS\system32\svchost.exe
260 svchost.exe
368 svchost.exe
988 C:\WINDOWS\system32\spoolsv.exe
1036 C:\Programme\Avira\AntiVir Desktop\sched.exe
1120 svchost.exe
1776 C:\Programme\AntiVir PersonalEdition Classic\sched.exe
1788 C:\Programme\Avira\AntiVir Desktop\avguard.exe
1808 C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1832 C:\WINDOWS\system32\ati2evxx.exe
1860 C:\Programme\Bonjour\mDNSResponder.exe
1912 C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
672 C:\Programme\Java\jre6\bin\jqs.exe
816 C:\Programme\Avira\AntiVir Desktop\avshadow.exe
620 C:\WINDOWS\system32\svchost.exe
564 C:\WINDOWS\explorer.exe
2552 C:\WINDOWS\AGRSMMSG.exe
2800 C:\Programme\Java\jre6\bin\jusched.exe
2808 C:\WINDOWS\twain_32\SlimU2\HotKey.Exe
2824 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE.EXE
2832 C:\Programme\Mindjet\MindManager 6\MmReminderService.exe
2864 C:\Programme\iTunes\iTunesHelper.exe
2876 C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
2888 C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
2896 C:\WINDOWS\system32\ctfmon.exe
2904 C:\Programme\Skype\Phone\Skype.exe
2912 C:\Programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
2920 C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2956 C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
2968 C:\Programme\Buhl finance\tax 2010 Standard\taxaktuell.exe
3368 C:\Programme\WinZip\WZQKPICK.EXE
256 C:\Programme\iPod\bin\iPodService.exe
1264 alg.exe
3052 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3112 C:\WINDOWS\system32\svchost.exe
476 C:\Programme\Skype\Plugin Manager\skypePM.exe
3744 C:\Programme\Internet Explorer\iexplore.exe
1212 C:\Programme\Internet Explorer\iexplore.exe
1720 C:\Programme\Java\jre6\bin\jucheck.exe
560 C:\Programme\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
1332 C:\Programme\Internet Explorer\iexplore.exe
3692 C:\Dokumente und Einstellungen\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHT2040AT, Rev: 009A

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528


Done!

Alt 17.08.2010, 22:54   #11
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.
  • Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.
  • Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
    Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.
__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Alt 17.08.2010, 23:55   #12
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Voila,

Combofix Logfile:
Code:
ATTFilter
ComboFix 10-08-17.02 - Administrator 17.08.2010  23:39:25.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.511.261 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Administrator\Desktop\cofi.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\RdxIE.dll

.
(((((((((((((((((((((((   Dateien erstellt von 2010-07-17 bis 2010-08-17  ))))))))))))))))))))))))))))))
.

2010-08-17 21:08 . 2010-08-17 21:08	--------	d-----w-	c:\programme\CCleaner
2010-08-17 19:39 . 2010-07-21 17:50	81920	----a-w-	c:\windows\system32\remover.exe
2010-08-17 18:59 . 2010-08-17 19:08	--------	d-----w-	c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Online Solutions
2010-08-16 20:15 . 2010-08-16 20:15	--------	d-----w-	c:\programme\7-Zip
2010-08-16 18:42 . 2010-08-16 18:42	--------	d-----w-	c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\WinZip
2010-08-16 18:41 . 2010-08-16 18:41	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\WinZip
2010-08-15 20:38 . 2010-08-15 20:38	--------	d-----w-	c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2010-08-15 20:37 . 2010-04-29 10:19	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 20:37 . 2010-08-15 20:37	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-08-15 20:37 . 2010-04-29 10:19	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-08-15 20:37 . 2010-08-15 20:37	--------	d-----w-	c:\programme\Malwarebytes' Anti-Malware
2010-08-15 20:20 . 2010-08-17 20:21	--------	d-----w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2010-08-15 20:14 . 2010-05-21 12:14	221568	------w-	c:\windows\system32\MpSigStub.exe

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 21:31 . 2006-06-18 20:02	--------	d-----w-	c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Skype
2010-08-17 19:01 . 2010-03-22 19:07	741376	----a-w-	c:\windows\system32\drivers\lpvmtsvd.sys
2010-08-17 18:18 . 2009-11-02 20:58	--------	d-----w-	c:\dokumente und einstellungen\Administrator\Anwendungsdaten\skypePM
2010-08-16 13:28 . 2010-06-18 16:08	--------	d-----w-	c:\programme\Gemeinsame Dateien\Symantec Shared
2010-08-15 13:43 . 2002-08-29 20:00	463354	----a-w-	c:\windows\system32\perfh007.dat
2010-08-15 13:43 . 2002-08-29 20:00	86198	----a-w-	c:\windows\system32\perfc007.dat
2010-07-30 17:58 . 2007-02-17 09:55	--------	d-----w-	c:\dokumente und einstellungen\Administrator\Anwendungsdaten\U3
2010-06-30 12:28 . 2002-08-29 20:00	149504	----a-w-	c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2006-06-23 11:27	916480	----a-w-	c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2002-08-29 20:00	1852032	----a-w-	c:\windows\system32\win32k.sys
2010-06-22 20:29 . 2010-06-22 20:29	501936	----a-w-	c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google\Google Toolbar\Update\gtb14D.tmp.exe
2010-06-21 15:27 . 2002-08-29 20:00	354304	----a-w-	c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2002-08-29 20:00	80384	----a-w-	c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2006-05-06 18:09	744448	----a-w-	c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2006-09-13 05:09	1172480	----a-w-	c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programme\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"pdfSaver3"="c:\programme\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-06 88267]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 28672]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"EPSON Stylus Photo R240 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" [2005-04-25 98304]
"MMReminderService"="c:\programme\Mindjet\MindManager 6\MMReminderService.exe" [2006-06-22 31232]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"avgnt"="c:\programme\AntiVir PersonalEdition Classic\avgnt.exe" [2006-01-18 229416]
"TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2010-03-09 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Acrobat Assistant.lnk - c:\programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-5-8 49254]
t@x aktuell.lnk - c:\programme\Buhl finance\tax 2010 Standard\taxaktuell.exe [2009-11-25 558376]
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2008-1-5 6144]
WinZip Quick Pick.lnk - c:\programme\WinZip\WZQKPICK.EXE [2010-4-5 494920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Java\\j2re1.4.2_10\\bin\\javaw.exe"=
"c:\\Programme\\Java\\j2re1.4.2_10\\bin\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [12.07.2009 22:36 135336]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [07.05.2006 17:40 26240]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [08.02.2010 21:40 135664]
.
Inhalt des "geplante Tasks" Ordners

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-08-17 c:\windows\Tasks\Auf Updates für Windows Live Toolbar prüfen.job
- c:\programme\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-02-08 19:40]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-02-08 19:40]

2010-08-16 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\programme\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-18 07:48]

2010-08-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1060284298-1957994488-1343024091-500.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-08-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1060284298-1957994488-1343024091-500.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-08-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 20:18]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\programme\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - hxxp://favorites.live.com/quickadd.aspx
IE: Digest - c:\programme\NeuroPower\Digest2005\npdigest.htm.ie
IE: Google Sidewiki... - c:\programme\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{F9341940-7640-4157-9C5C-7D86B7449E20} - c:\programme\NeuroPower\Digest2005\iereg.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-pdfSaver3 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-08-17 23:46
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1957994488-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,d4,a4,c1,e1,d4,63,4c,9d,f6,44,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,d4,a4,c1,e1,d4,63,4c,9d,f6,44,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ€|ÿÿÿÿ•€|ù•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
Zeit der Fertigstellung: 2010-08-17  23:52:28
ComboFix-quarantined-files.txt  2010-08-17 21:52

Vor Suchlauf: 9 Verzeichnis(se), 21.317.492.736 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 22.702.436.352 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 97BAC6FAC009F6AECD9269E634DE47CE
         
--- --- ---

Alt 18.08.2010, 09:25   #13
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!
__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Alt 19.08.2010, 07:58   #14
medigus
 
Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Standard

Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys



Ich bin eher pessimistisch. Der Rechner ist wieder total langsam, so dass ich nur Malwarebytes laufen lassen konnte mit folgendem Ergebnis:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Datenbank Version: 4446

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19.08.2010 07:48:56
mbam-log-2010-08-19 (07-48-56).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 131848
Laufzeit: 1 Stunde(n), 1 Minute(n), 10 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\antivir_workstation_win7u_de_h148.exe (Spyware.Onlinegames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\lpvmtsvd.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Antwort

Themen zu Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys
0x00000001, agere systems, antivir, avgntflt.sys, avira, bho, bonjour, components, error, fehler, firefox, flash player, format, geld, google, homepage, iexplore.exe, installation, location, mozilla, msvcrt, oldtimer, otl.exe, realtek, registry, rootkit, rundll, security scan, software, studio, system, tcp, tracker, updates, windows, windows internet, windows internet explorer



Ähnliche Themen: Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys


  1. Avira meldet TR/Rootkit.Gen in C:windows/system32/drivers....was ist zu tun?
    Plagegeister aller Art und deren Bekämpfung - 19.07.2014 (22)
  2. Trojaner/Rootkit TR/Agent.37888.248 in C:\WINDOWS\system32\drivers\a127b2c0fb888938.sys
    Log-Analyse und Auswertung - 05.07.2014 (15)
  3. TR/Rootkit.Gen2'-'C:\WINDOWS\system32\drivers\sptd.sys'
    Plagegeister aller Art und deren Bekämpfung - 01.02.2012 (1)
  4. windows\system32\drivers\sptd.sys - Rootkit Modification
    Plagegeister aller Art und deren Bekämpfung - 05.06.2011 (18)
  5. Rootkit C:\windows\system32\drivers\volmgr.sys
    Plagegeister aller Art und deren Bekämpfung - 01.02.2011 (8)
  6. TR/Rootkit.Gen in C:\Windows\System32\drivers\ghldywj.sys
    Plagegeister aller Art und deren Bekämpfung - 25.12.2010 (9)
  7. Rootkit in C:\Windows\system32\drivers\afkw4fu9.sys ?
    Log-Analyse und Auswertung - 08.08.2010 (4)
  8. Rootkit Bubnix.au in c:\windows\system32\drivers\hljrifmj.sys
    Plagegeister aller Art und deren Bekämpfung - 21.06.2010 (10)
  9. TR/Rootkit.Gen in C:\WINDOWS\system32\drivers\herbh.sys
    Plagegeister aller Art und deren Bekämpfung - 01.06.2010 (16)
  10. TR/Rootkit.Gen in C:\Windows\System32\drivers\ezokdc.sys
    Plagegeister aller Art und deren Bekämpfung - 30.05.2010 (6)
  11. Tr/rootkit.gen windows/system32/Drivers.lnuuf.sys (rootkit Agent)
    Plagegeister aller Art und deren Bekämpfung - 29.05.2010 (1)
  12. Rootkit.Agent../System32/Drivers/
    Plagegeister aller Art und deren Bekämpfung - 28.05.2010 (46)
  13. Rootkit.Agent bringe ich nicht los C:\Windows\system32\Drivers\rlmij.sys
    Plagegeister aller Art und deren Bekämpfung - 24.05.2010 (12)
  14. Was tun? Virus Rootkit C:\Windows\System32\drivers\hsntoaox.sys
    Plagegeister aller Art und deren Bekämpfung - 23.04.2010 (12)
  15. C:\WINDOWS\system32\drivers\**; befürchte Rootkit
    Plagegeister aller Art und deren Bekämpfung - 23.04.2010 (18)
  16. Rootkit.Win32.Agent.besn in system32\drivers\aec.sys / syspck32 im Autostart
    Plagegeister aller Art und deren Bekämpfung - 01.04.2010 (8)
  17. Rootkit.Agent im system32\drivers\qkavedba.sys
    Plagegeister aller Art und deren Bekämpfung - 14.03.2010 (1)

Zum Thema Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys - Hallo, ich bekomme folgenden Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys über Malwarebytes nicht gelöscht. Über Eure Hilfe wäre ich sehr dankbar! Anbei die entsprechenden Logfiles: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4434 - Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys...
Archiv
Du betrachtest: Rootkit Agent in C:\WINDOWS\system32\drivers\lpvmtsvd.sys auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.