| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: TR/Pincav.afyp TrojanWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
14.12.2010, 15:57
| #46 |
| /// Winkelfunktion /// TB-Süch-Tiger™   |  TR/Pincav.afyp Trojan Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen. Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst. Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
15.12.2010, 01:23
| #47 |
 | TR/Pincav.afyp Trojan Hallo Arne,
__________________erstmal vielen lieben Dank, dass Du mir weiterhilfst! Hier kommen die Logs von Osam und MBRCheck; GMER ist leider abgestürzt. Osam Log: OSAM Logfile: Code:
ATTFilter Report of OSAM: Autorun Manager v5.0.11926.0 hxxp://www.online-solutions.ru/en/ Saved at 16:45:39 on 14.12.2010 OS: Windows XP Home Edition Service Pack 3 (Build 2600) Default Browser: Mozilla Corporation Firefox 3.6.12 Scanner Settings [x] Rootkits detection (hidden registry) [x] Rootkits detection (hidden files) [x] Retrieve files information [x] Check Microsoft signatures Filters [ ] Trusted entries [ ] Empty entries [x] Hidden registry entries (rootkit activity) [x] Exclusively opened files [x] Not found files [x] Files without detailed information [x] Existing files [ ] Non-startable services [ ] Non-startable drivers [x] Active entries [x] Disabled entries [Common] -----( %SystemRoot%\Tasks )----- "BackOnTrack Instant Restore Idle.job" - "Sonic Solutions" - C:\Programme\Roxio\BackOnTrack\Instant Restore\RstIdle.exe "GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe [Control Panel Objects] -----( %SystemRoot%\system32 )----- "hpBat.cpl" - ? - C:\WINDOWS\system32\hpBat.cpl (File found, but it contains no detailed information) "infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl "ISUSPM.cpl" - "Macrovision Corporation" - C:\WINDOWS\system32\ISUSPM.cpl "javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )----- "Avira AntiVir Personal" - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl "hpBat.CPL" - ? - C:\Programme\Hewlett-Packard\HP BatteryCheck\hpBat.CPL (File not found) [Drivers] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- "avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys "avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys "avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys "catchme" (catchme) - ? - C:\DOKUME~1\Kirsten\LOKALE~1\Temp\catchme.sys (File not found) "Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found) "lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found) "PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found) "PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found) "PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found) "PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found) "PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found) "PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys "Realtek IR Driver" (Rts516xIR) - ? - C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys (File not found) "Realtek Smartcard Reader Driver" (USBCCID) - ? - C:\WINDOWS\System32\DRIVERS\Rts5161ccid.sys (File not found) "SASDIFSV" (SASDIFSV) - "SUPERAdBlocker.com and SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS "SASKUTIL" (SASKUTIL) - "SUPERAdBlocker.com and SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS "ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys "SysCow" (SysCow) - "Sonic Solutions" - C:\WINDOWS\System32\drivers\syscow32x.sys "WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found) [Explorer] -----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )----- {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )----- {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL {0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )----- {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "SABShellExecuteHook Class" - "SuperAdBlocker.com" - C:\Programme\SUPERAntiSpyware\SASSEH.DLL -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found) {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found) {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found) {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found) {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Programme\WinRAR\rarext.dll [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- <binary data> "AOL Toolbar" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found) -----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )----- {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )----- {48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll {FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL -----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )----- {DE9C389F-3316-41A7-809B-AA305ED9D922} "AOL Toolbar" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )----- {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} "AOL Toolbar BHO" - "AOL LLC" - C:\Programme\AOL\AOL Toolbar 5.0\aoltb.dll {11222041-111B-46E3-BD29-EFB2449479B1} "IEPlugin Class" - "ArcSoft, Inc." - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jp2ssv.dll {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [Logon] -----( %AllUsersProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini "Philips GoGear SA1VBExxA Device Manager.lnk" - "Philips" - C:\Programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe (Shortcut exists | File exists) -----( %UserProfile%\Startmenü\Programme\Autostart )----- "desktop.ini" - ? - C:\Dokumente und Einstellungen\Kirsten\Startmenü\Programme\Autostart\desktop.ini "OpenOffice.org 3.2.lnk" - ? - C:\Programme\OpenOffice.org 3\program\quickstart.exe (Shortcut exists | File found, but it contains no detailed information | File exists) -----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )----- "ISUSPM" - "Macrovision Corporation" - "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler "Skype" - "Skype Technologies S.A." - "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized "SUPERAntiSpyware" - "SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )----- "Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" "ArcSoft Connection Service" - "ArcSoft Inc." - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACDaemon.exe "avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min "HP BTW Detect Program" - ? - C:\Programme\HP\HPBTWD.exe "SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" "WirelessAssistant" - "Hewlett-Packard" - C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [Print Monitors] -----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )----- "Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\msonpmon.dll [Services] -----( HKLM\SYSTEM\CurrentControlSet\Services )----- ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe "Anwendungsverwaltung" (AppMgmt) - ? - C:\WINDOWS\System32\appmgmts.dll (File not found) "ArcSoft Connect Daemon" (ACDaemon) - "ArcSoft Inc." - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe "ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe "Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe "Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe "BOTService" (BOTService) - "Sonic Solutions" - C:\Programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe "GameConsoleService" (GameConsoleService) - "WildTangent, Inc." - C:\Programme\HP Games\HP Game Console\GameConsoleService.exe "Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe "hpqwmiex" (hpqwmiex) - "Hewlett-Packard Development Company, L.P." - C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe "InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - c:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe "Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Programme\Java\jre6\bin\jqs.exe "Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE "Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE "Roxio SAIB Service" (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - ? - C:\Programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe "Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe "WTGService" (WTGService) - ? - C:\Programme\XSManager\WTGService.exe (File found, but it contains no detailed information) [Winlogon] -----( HKCU\Control Panel\IOProcs )----- "MVB" - ? - mvfs32.dll (File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions )----- {B587E2B1-4D59-4e7e-AED9-22B9DF11D053} "802.3 Group Policy" - "Microsoft Corporation" - C:\WINDOWS\system32\dot3gpclnt.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} "EFS recovery" - "Microsoft Corporation" - C:\WINDOWS\system32\scecli.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} "Internet Explorer Branding" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} "Internet Explorer Machine Accelerators" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {7B849a69-220F-451E-B3FE-2CB811AF94AE} "Internet Explorer User Accelerators" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} "Internet Explorer Zonemapping" - "Microsoft Corporation" - C:\WINDOWS\system32\iedkcs32.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {C631DF4C-088F-4156-B058-4375F0853CD8} "Microsoft Offline Files" - "Microsoft Corporation" - C:\WINDOWS\System32\cscui.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {3610eda5-77ef-11d2-8dc5-00c04fa31a66} "Microsoft-Datenträgerkontingent" - "Microsoft Corporation" - C:\WINDOWS\system32\dskquota.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {827D319E-6EAC-11D2-A4EA-00C04F79F83A} "Security" - "Microsoft Corporation" - C:\WINDOWS\system32\scecli.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) {c6dc5466-785a-11d2-84d0-00c04fb169f7} "Softwareinstallation" - ? - appmgmts.dll (Hidden registry entry, rootkit activity | File not found) -----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )----- "!SASWinLogon" - "SUPERAntiSpyware.com" - C:\Programme\SUPERAntiSpyware\SASWINLO.DLL (Hidden registry entry, rootkit activity) "crypt32chain" - "Microsoft Corporation" - C:\WINDOWS\system32\crypt32.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "cryptnet" - "Microsoft Corporation" - C:\WINDOWS\system32\cryptnet.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "cscdll" - "Microsoft Corporation" - C:\WINDOWS\system32\cscdll.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "dimsntfy" - "Microsoft Corporation" - C:\WINDOWS\System32\dimsntfy.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "igfxcui" - "Intel Corporation" - C:\WINDOWS\system32\igfxdev.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "ScCertProp" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "Schedule" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "sclgntfy" - "Microsoft Corporation" - C:\WINDOWS\system32\sclgntfy.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "SensLogn" - "Microsoft Corporation" - C:\WINDOWS\system32\WlNotify.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "termsrv" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) "wlballoon" - "Microsoft Corporation" - C:\WINDOWS\system32\wlnotify.dll (Hidden registry entry, rootkit activity | File signed by Microsoft) ===[ Logfile end ]=========================================[ Logfile end ]=== If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru MBRCheck Log: MBRCheck, version 1.2.3 (c) 2010, AD Command-line: Windows Version: Windows XP Home Edition Windows Information: Service Pack 3 (build 2600) Logical Drives Mask: 0x00000004 Kernel Drivers (total 123): 0x804D7000 \WINDOWS\system32\ntkrnlpa.exe 0x806E5000 \WINDOWS\system32\hal.dll 0xF7A88000 \WINDOWS\system32\KDCOM.DLL 0xF7998000 \WINDOWS\system32\BOOTVID.dll 0xF7458000 ACPI.sys 0xF7A8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS 0xF7447000 pci.sys 0xF7588000 isapnp.sys 0xF799C000 compbatt.sys 0xF79A0000 \WINDOWS\system32\DRIVERS\BATTC.SYS 0xF7B50000 pciide.sys 0xF7808000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS 0xF7A8C000 aliide.sys 0xF7A8E000 viaide.sys 0xF7A90000 intelide.sys 0xF7598000 MountMgr.sys 0xF7428000 ftdisk.sys 0xF79A4000 ACPIEC.sys 0xF7B51000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 0xF7810000 PartMgr.sys 0xF75A8000 VolSnap.sys 0xF734E000 iaStor.sys 0xF75B8000 disk.sys 0xF75C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS 0xF732E000 fltMgr.sys 0xF7316000 syscow32x.sys 0xF7304000 sr.sys 0xF75D8000 PxHelp20.sys 0xF72ED000 KSecDD.sys 0xF7260000 Ntfs.sys 0xF7233000 NDIS.sys 0xF7818000 SaibIa32.sys 0xF75E8000 SahdIa32.sys 0xF7219000 Mup.sys 0xF77E8000 \SystemRoot\system32\DRIVERS\intelppm.sys 0xF5F72000 \SystemRoot\system32\DRIVERS\igxpmp32.sys 0xF5F5E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS 0xF5F36000 \SystemRoot\system32\DRIVERS\HDAudBus.sys 0xF5D8B000 \SystemRoot\system32\DRIVERS\bcmwl5.sys 0xF77F8000 \SystemRoot\system32\DRIVERS\l1c51x86.sys 0xF78A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys 0xF5D67000 \SystemRoot\system32\DRIVERS\USBPORT.SYS 0xF78B0000 \SystemRoot\system32\DRIVERS\usbehci.sys 0xF7628000 \SystemRoot\system32\DRIVERS\i8042prt.sys 0xF78B8000 \SystemRoot\system32\DRIVERS\kbdclass.sys 0xF5D36000 \SystemRoot\system32\DRIVERS\SynTP.sys 0xF7AC6000 \SystemRoot\system32\DRIVERS\USBD.SYS 0xF7638000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS 0xF5CBA000 \SystemRoot\System32\Drivers\wdf01000.sys 0xF78C0000 \SystemRoot\system32\DRIVERS\mouclass.sys 0xF714D000 \SystemRoot\system32\DRIVERS\CmBatt.sys 0xF7149000 \SystemRoot\system32\DRIVERS\wmiacpi.sys 0xF7CA1000 \SystemRoot\system32\DRIVERS\audstub.sys 0xF7648000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0xF7A40000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0xF5CA3000 \SystemRoot\system32\DRIVERS\ndiswan.sys 0xF7658000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0xF7668000 \SystemRoot\system32\DRIVERS\raspptp.sys 0xF78C8000 \SystemRoot\system32\DRIVERS\TDI.SYS 0xF5C92000 \SystemRoot\system32\DRIVERS\psched.sys 0xF7678000 \SystemRoot\system32\DRIVERS\msgpc.sys 0xF78D0000 \SystemRoot\system32\DRIVERS\ptilink.sys 0xF78D8000 \SystemRoot\system32\DRIVERS\raspti.sys 0xF7688000 \SystemRoot\system32\DRIVERS\termdd.sys 0xF7AC8000 \SystemRoot\system32\DRIVERS\swenum.sys 0xF5C6F000 \SystemRoot\system32\DRIVERS\ks.sys 0xF5C11000 \SystemRoot\system32\DRIVERS\update.sys 0xF6EB8000 \SystemRoot\system32\DRIVERS\mssmbios.sys 0xF7698000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xA9281000 \SystemRoot\system32\DRIVERS\usbhub.sys 0xA7CD8000 \SystemRoot\system32\drivers\sthda.sys 0xA7CB4000 \SystemRoot\system32\drivers\portcls.sys 0xA9271000 \SystemRoot\system32\drivers\drmk.sys 0xA7C98000 \SystemRoot\system32\drivers\AESTAud.sys 0xF71F1000 \SystemRoot\System32\Drivers\i2omgmt.SYS 0xF7B46000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0x9FE82000 \SystemRoot\System32\Drivers\Null.SYS 0xF7B48000 \SystemRoot\System32\Drivers\Beep.SYS 0xA35FD000 \SystemRoot\System32\drivers\vga.sys 0xF7B4A000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xF7B4C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xA35F5000 \SystemRoot\System32\Drivers\Msfs.SYS 0xA35ED000 \SystemRoot\System32\Drivers\Npfs.SYS 0xF71ED000 \SystemRoot\system32\DRIVERS\rasacd.sys 0x9D4AF000 \SystemRoot\system32\DRIVERS\ipsec.sys 0x9D456000 \SystemRoot\system32\DRIVERS\tcpip.sys 0x9D406000 \SystemRoot\system32\DRIVERS\netbt.sys 0x9D3E0000 \SystemRoot\system32\DRIVERS\ipnat.sys 0x9D3BE000 \SystemRoot\System32\drivers\afd.sys 0x9D210000 \SystemRoot\system32\DRIVERS\snp2uvc.sys 0xA3877000 \SystemRoot\system32\DRIVERS\STREAM.SYS 0xA35E5000 \SystemRoot\system32\DRIVERS\sncduvc.SYS 0xA3867000 \SystemRoot\system32\DRIVERS\netbios.sys 0xA35D5000 \SystemRoot\system32\DRIVERS\ssmdrv.sys 0x9D1EE000 \??\C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS 0xA35CD000 \??\C:\Programme\SUPERAntiSpyware\SASDIFSV.SYS 0xA3857000 \SystemRoot\System32\Drivers\SaibVd32.sys 0x9D1C3000 \SystemRoot\system32\DRIVERS\rdbss.sys 0x9D153000 \SystemRoot\system32\DRIVERS\mrxsmb.sys 0xA00AF000 \SystemRoot\System32\Drivers\Fips.SYS 0x9D130000 \SystemRoot\system32\DRIVERS\avipbb.sys 0xF7AF0000 \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys 0x97731000 \SystemRoot\system32\DRIVERS\wanarp.sys 0x9624D000 \SystemRoot\System32\Drivers\dump_iaStor.sys 0xBF800000 \SystemRoot\System32\win32k.sys 0x98160000 \SystemRoot\System32\drivers\Dxapi.sys 0x97B4E000 \SystemRoot\System32\watchdog.sys 0xBF000000 \SystemRoot\System32\drivers\dxg.sys 0xF7C63000 \SystemRoot\System32\drivers\dxgthk.sys 0xBF024000 \SystemRoot\System32\igxpgd32.dll 0xBF012000 \SystemRoot\System32\igxprd32.dll 0xBF04F000 \SystemRoot\System32\igxpdv32.DLL 0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL 0xBFFA0000 \SystemRoot\System32\ATMFD.DLL 0x96238000 \SystemRoot\system32\DRIVERS\avgntflt.sys 0x9665E000 \SystemRoot\system32\DRIVERS\ndisuio.sys 0x961FB000 \SystemRoot\system32\drivers\wdmaud.sys 0x96996000 \SystemRoot\system32\drivers\sysaudio.sys 0x96060000 \SystemRoot\system32\DRIVERS\mrxdav.sys 0x95CE8000 \SystemRoot\system32\DRIVERS\srv.sys 0x9599D000 \SystemRoot\system32\drivers\kmixer.sys 0x97BDD000 \SystemRoot\system32\drivers\splitter.sys 0x7C910000 \WINDOWS\system32\ntdll.dll Processes (total 51): 0 System Idle Process 4 System 764 C:\WINDOWS\system32\smss.exe 812 csrss.exe 836 C:\WINDOWS\system32\winlogon.exe 880 C:\WINDOWS\system32\services.exe 892 C:\WINDOWS\system32\lsass.exe 1064 C:\WINDOWS\system32\svchost.exe 1160 svchost.exe 1216 C:\Programme\Roxio\BackOnTrack\Instant Restore\BOTService.exe 1380 svchost.exe 1428 svchost.exe 1472 C:\WINDOWS\explorer.exe 1812 C:\Programme\IDT\WDM\stacsv.exe 516 C:\Programme\Avira\AntiVir Desktop\sched.exe 644 svchost.exe 724 C:\Programme\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe 168 C:\WINDOWS\system32\igfxtray.exe 1012 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe 1008 C:\WINDOWS\system32\hkcmd.exe 1092 C:\WINDOWS\system32\igfxpers.exe 1100 C:\Programme\HP\HPBTWD.exe 1084 C:\Programme\Synaptics\SynTP\SynTPEnh.exe 1308 C:\WINDOWS\system32\AESTFltr.exe 1352 C:\Programme\Avira\AntiVir Desktop\avguard.exe 1368 C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe 1376 C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe 1392 C:\Programme\Avira\AntiVir Desktop\avgnt.exe 1296 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACDaemon.exe 1412 C:\Programme\Skype\Phone\Skype.exe 1444 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Macrovision\FLEXnet Connect\6\ISUSPM.exe 1552 C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe 1620 C:\WINDOWS\system32\ctfmon.exe 1500 C:\WINDOWS\system32\igfxsrvc.exe 1908 C:\Programme\Philips\GoGear SA1VBExxA Device Manager\GoGear_SA1VBExxA_DeviceManager.exe 1988 C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ArcCon.ac 208 C:\Programme\Java\jre6\bin\jqs.exe 224 C:\Programme\Google\Update\GoogleUpdate.exe 244 C:\Programme\Avira\AntiVir Desktop\avshadow.exe 252 C:\Programme\OpenOffice.org 3\program\soffice.exe 540 C:\WINDOWS\system32\svchost.exe 436 C:\Programme\OpenOffice.org 3\program\soffice.bin 1548 C:\Programme\XSManager\WTGService.exe 3072 C:\Programme\Hewlett-Packard\Shared\hpqWmiEx.exe 3296 C:\WINDOWS\system32\wbem\wmiapsrv.exe 3392 alg.exe 3568 C:\Programme\Hewlett-Packard\Shared\HpqToaster.exe 2244 C:\WINDOWS\system32\spoolsv.exe 1240 C:\Programme\Avira\AntiVir Desktop\avcenter.exe 692 C:\Programme\Avira\AntiVir Desktop\avwsc.exe 2820 C:\Dokumente und Einstellungen\Kirsten\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS) PhysicalDrive0 Model Number: WDCWD1600BEVT-60ZCT1, Rev: 13.01A13 Size Device Name MBR Status -------------------------------------------- 149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979 Done! Viele Grüße, kiki |
|
15.12.2010, 12:00
| #48 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | TR/Pincav.afyp Trojan Ok. Probier combofix bitte mit einer neu heruntergeladenen cofi.exe nochmal aus.
__________________
__________________ |
|
17.12.2010, 11:04
| #49 |
| | TR/Pincav.afyp Trojan Hallo Arne, Combofix habe ich neu heruntergeladen und gestartet. Das Programm lief sehr lange- mehr als 12 Stunden und meldete, dass nach infizierten Dateien gesucht wird. Als ich zur Uni musste, habe ich den Rechner weiterlaufen lassen, um Combofix nicht zu unterbrechen. Danach lief er im Ruhemodus und hat sich schließlich aufgehangen. Es erschien die Nachricht, dass nur PCxy oder ein Administrator die Computersperre aufheben kann. Ich drückte auf Enter, doch dann tat sich gar nichts mehr. Ich musste schließlich warten, bis die Batterie leer war, um ihn neu starten zu können. Soll ich es nochmal mit Combofix versuchen? Viele Grüße, kiki |
|
17.12.2010, 11:08
| #50 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | TR/Pincav.afyp Trojan Nee lass CF jetzt weg. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen. Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst. Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
__________________ Logfiles bitte immer in CODE-Tags posten |
Linear-Darstellung
