
Pests of all kinds and how to fight them: winlogon


11.11.2010, 23:14   #16
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
winlogon - Standard

Haven't you uninstalled ZoneAlarm yet?

We have to go at it with CF once more: => File-Upload.net - cosinus.zip
Download cosinus.zip and extract it to c:\cosinus, then proceed like this again:

ComboFix - scripting

1. Start Notepad (Start / Run / notepad[Enter])

2. Now paste the entire contents of the code box below into the Notepad window using copy/paste.

Code:
FCopy::
c:\cosinus\explorer.exe | c:\windows\explorer.exe
c:\cosinus\winlogon.exe | c:\windows\system32\winlogon.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4547:TCP"=-

3. Save it in Notepad as CFScript.txt on the Desktop.

4. Disable the guard of your antivirus program and any software firewall you may have.
(Also the guards of ad-/spyware programs and the Tea Timer (if present)!)

5. Then drag CFScript.txt onto cofi.exe, as shown in the picture below. This restarts ComboFix.



6. After the reboot (you will be asked whether you want to reboot), please post the following log file:
Combofix.txt

Note: The script above was created only for this one user in this situation. It cannot be ported to any other computer and must not be used for anything else, as it can permanently damage the system!
__________________
Please always post logfiles in CODE tags

12.11.2010, 01:26   #17
fcangmar
 
ZoneAlarm was uninstalled, already the first time round.

ComboFix logfile:
Code:
ComboFix 10-11-07.A2 - Martin 12.11.2010   1:16.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.43.1033.18.2047.1526 [GMT 1:00]
ausgeführt von:: c:\documents and settings\Martin\Desktop\cofi.exe
Benutzte Befehlsschalter :: c:\documents and settings\Martin\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
C:\winlogon.exe

c:\windows\system32\winlogon.exe . . . ist infiziert!!

Infizierte Kopie von c:\windows\explorer.exe wurde gefunden und desinfiziert 
Kopie von - c:\windows\ServicePackFiles\i386\explorer.exe wurde wiederhergestellt 

.
(((((((((((((((((((((((   Dateien erstellt von 2010-10-12 bis 2010-11-12  ))))))))))))))))))))))))))))))
.

2010-11-08 21:58 . 2010-11-08 21:58	--------	d-----w-	C:\_OTL
2010-11-06 22:43 . 2010-11-06 22:44	--------	d-----w-	C:\!KillBox
2010-11-06 09:31 . 2010-11-06 09:31	--------	d-----w-	c:\documents and settings\All Users\Application Data\KONAMI
2010-11-05 22:03 . 2001-08-17 12:28	771581	-c--a-w-	c:\windows\system32\dllcache\winacisa.sys
2010-11-05 22:02 . 2001-08-17 21:36	26624	-c--a-w-	c:\windows\system32\dllcache\umaxu22.dll
2010-11-05 22:01 . 2001-08-17 11:13	37961	-c--a-w-	c:\windows\system32\dllcache\tdk100b.sys
2010-11-05 22:00 . 2001-08-17 12:56	7552	-c--a-w-	c:\windows\system32\dllcache\sonypvu1.sys
2010-11-05 21:59 . 2001-08-17 11:50	101760	-c--a-w-	c:\windows\system32\dllcache\sis300ip.sys
2010-11-05 21:58 . 2001-08-17 21:36	79872	-c--a-w-	c:\windows\system32\dllcache\rwia430.dll
2010-11-05 21:57 . 2001-08-17 13:07	19840	-c--a-w-	c:\windows\system32\dllcache\philtune.sys
2010-11-05 21:56 . 2001-08-17 11:49	51552	-c--a-w-	c:\windows\system32\dllcache\ntgrip.sys
2010-11-05 21:55 . 2008-04-13 23:16	51200	-c--a-w-	c:\windows\system32\dllcache\msdv.sys
2010-11-05 21:54 . 2001-08-17 21:36	8192	-c--a-w-	c:\windows\system32\dllcache\kbdkor.dll
2010-11-05 21:53 . 2001-08-17 21:36	61952	-c--a-w-	c:\windows\system32\dllcache\icam4ext.dll
2010-11-05 21:52 . 2001-08-17 21:36	9759	-c--a-w-	c:\windows\system32\dllcache\hsf_inst.dll
2010-11-05 21:51 . 2001-08-17 11:13	27165	-c--a-w-	c:\windows\system32\dllcache\fetnd5.sys
2010-11-05 21:51 . 2001-08-17 11:10	22090	-c--a-w-	c:\windows\system32\dllcache\fem556n5.sys
2010-11-05 21:51 . 2001-08-17 11:12	24618	-c--a-w-	c:\windows\system32\dllcache\fa410nd5.sys
2010-11-05 21:51 . 2001-08-17 11:12	16074	-c--a-w-	c:\windows\system32\dllcache\fa312nd5.sys
2010-11-05 21:51 . 2001-08-17 11:11	11850	-c--a-w-	c:\windows\system32\dllcache\f3ab18xj.sys
2010-11-05 21:51 . 2001-08-17 11:11	12362	-c--a-w-	c:\windows\system32\dllcache\f3ab18xi.sys
2010-11-05 21:51 . 2001-08-17 12:52	7040	-c--a-w-	c:\windows\system32\dllcache\exabyte2.sys
2010-11-05 21:51 . 2001-08-17 11:12	16998	-c--a-w-	c:\windows\system32\dllcache\ex10.sys
2010-11-05 21:47 . 2001-08-17 21:36	6729	-c--a-w-	c:\windows\system32\dllcache\disrvci.dll
2010-11-05 21:46 . 2001-08-17 12:51	13824	-c--a-w-	c:\windows\system32\dllcache\bulltlp3.sys
2010-11-05 20:45 . 2010-11-11 21:10	513024	----a-w-	c:\windows\system32\winlogon.exe
2010-11-05 14:44 . 2010-11-05 14:44	--------	d-----w-	c:\documents and settings\Martin\Application Data\AVG10
2010-11-05 14:44 . 2010-11-05 14:44	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2010-11-05 14:44 . 2010-11-12 00:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2010-11-05 14:44 . 2010-11-05 14:44	--------	d-----w-	c:\program files\AVG
2010-11-05 14:37 . 2010-11-05 14:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2010-11-05 14:12 . 2010-11-05 14:12	--------	d-----w-	c:\program files\Enigma Software Group
2010-11-03 04:52 . 2010-11-03 04:55	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-02 18:39 . 2010-06-28 12:00	46592	----a-w-	c:\windows\system32\vsutil_loc0407.dll
2010-11-02 18:07 . 2008-04-14 04:42	1033728	----a-w-	c:\windows\explorer.exe
2010-11-02 17:58 . 2010-11-05 14:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg8
2010-11-02 16:57 . 2010-11-11 20:54	--------	d-----w-	c:\windows\Internet Logs
2010-11-02 16:41 . 2010-11-02 16:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\fssg
2010-11-02 16:38 . 2010-11-02 16:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\f-secure
2010-11-01 16:34 . 2010-11-01 16:34	--------	d-----w-	c:\documents and settings\Martin\Application Data\TrojanHunter
2010-10-27 22:04 . 2010-10-27 22:05	--------	d-----w-	c:\documents and settings\Martin\Local Settings\Application Data\Temp
2010-10-26 17:20 . 2010-10-26 17:21	--------	d-----w-	c:\program files\Graboid
2010-10-26 10:52 . 2010-10-26 10:52	--------	d-----w-	c:\documents and settings\Martin\Application Data\Malwarebytes
2010-10-26 10:41 . 2010-10-26 10:41	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-26 10:41 . 2010-04-29 14:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 10:41 . 2010-10-26 10:41	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-26 10:41 . 2010-04-29 14:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-10-26 10:36 . 2010-10-26 10:36	--------	d-----w-	c:\documents and settings\Administrator\Application Data\ProgSense
2010-10-26 10:36 . 2010-10-26 10:39	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Orbit
2010-10-26 10:33 . 2010-10-26 10:33	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-26 09:34 . 2010-10-26 09:35	--------	d-----w-	c:\documents and settings\Martin\Application Data\FCAAC60ADBD2A67431F87ADADD3EE6E0
2010-10-25 17:55 . 2010-10-25 17:56	--------	d-----w-	c:\documents and settings\Martin\Application Data\Youtube Downloader HD

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-12 00:13 . 2010-11-12 00:13	687173	----a-w-	C:\cosinus.zip
.

------- Sigcheck -------

[-] 2010-11-11 . 2F1F63845DB7EB2C6BD4EAB69F2B728C . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 358F7515ABCDCBB13201A42BEADD170E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
(((((((((((((((((((((((((((((   SnapShot@2010-11-09_06.19.13   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-12 00:21 . 2010-11-12 00:21	16384              c:\windows\Temp\Perflib_Perfdata_7e8.dat
+ 2010-11-11 21:23 . 2010-11-11 21:23	16384              c:\windows\Temp\Perflib_Perfdata_614.dat
+ 2004-08-04 12:00 . 2010-11-09 06:22	83950              c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-11-02 18:23	83950              c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-09 06:22	476318              c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-11-02 18:23	476318              c:\windows\system32\perfh009.dat
+ 2010-11-11 21:49 . 2010-11-11 21:49	3019264              c:\windows\Installer\1796a9.msi
+ 2010-11-11 21:48 . 2010-11-11 21:48	1543680              c:\windows\Installer\1796a5.msi
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVer HID Receiver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVer HID Receiver.lnk
backup=c:\windows\pss\AVer HID Receiver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVerQuick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVerQuick.lnk
backup=c:\windows\pss\AVerQuick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^Folding@home-gpu.lnk]
path=c:\documents and settings\Martin\Start Menu\Programs\Startup\Folding@home-gpu.lnk
backup=c:\windows\pss\Folding@home-gpu.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Martin\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-12-21 17:35	640440	----a-w-	f:\software\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-12-22 00:26	38840	----a-w-	f:\software\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37	932288	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58	611712	----a-w-	c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2010-02-05 19:50	2521464	----a-w-	c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2009-03-02 09:14	57344	----a-w-	c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2007-10-04 16:38	307200	----a-w-	c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42	15360	----a-w-	c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40	687560	----a-w-	e:\program\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32	1135912	----a-w-	c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44	31072	----a-w-	e:\program\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2008-11-06 11:21	1548296	----a-w-	c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
2008-11-06 11:39	2816520	----a-w-	c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDevAgt]
2008-11-06 11:41	358920	----a-w-	c:\program files\Logitech\GamePanel Software\LGDevAgt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-10-06 14:34	18750976	----a-w-	c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S7UB Start]
2008-07-14 23:02	102453	----a-w-	e:\program files\Common Files\Siemens\S7UBTOOX\S7ubTstx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-12-11 14:38	98304	----a-w-	c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21	246504	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMonitorVMUVC]
2008-06-16 01:02	135168	----a-w-	c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate1c9dc50e11d5e64"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program\\BitTorrent\\bittorrent.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2009 1:18 AM 717296]
R2 almservice;Automation License Manager Service;e:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [5/20/2008 3:10 PM 1146880]
R2 AVerRemote;AVerRemote;c:\program files\Common Files\AVerMedia\Service\AVerRemote.exe [6/18/2010 7:26 PM 344064]
R2 AVerScheduleService;AVerScheduleService;c:\program files\Common Files\AVerMedia\Service\AVerScheduleService.exe [6/18/2010 7:26 PM 389120]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 3:47 PM 28363]
R2 IGDCTRL;AVM IGD CTRL Service;e:\program\FRITZ!DSL\IGDCTRL.EXE [9/4/2007 10:14 AM 87344]
R2 s7asysvx;S7 Global Services;g:\program\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 7:02 PM 69685]
R2 s7oiehsx;SIMATIC IEPG Help Service;e:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [7/3/2008 1:30 PM 1571912]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [7/3/2008 1:04 PM 31232]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [7/30/2007 12:06 PM 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [7/3/2008 1:30 PM 240712]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 AF05BDA;Cinergy T USB XE service;c:\windows\system32\drivers\AF05BDA.sys [4/25/2009 4:48 PM 117376]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/19/2009 4:27 PM 1684736]
S3 AVerAF35;AVerMedia A835 USB DVB-T;c:\windows\system32\drivers\AVerAF35.sys [6/18/2010 7:28 PM 474880]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2/11/2010 1:19 PM 36608]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [9/2/2010 8:00 AM 252032]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [9/2/2010 8:00 AM 398720]
S4 gupdate1c9dc50e11d5e64;Google Update Service (gupdate1c9dc50e11d5e64);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 10:20 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
.
Inhalt des "geplante Tasks" Ordners

2010-11-07 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.13\DriverRobot.exe [2009-10-18 20:35]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: An vorhandene PDF-Datei anfügen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202
IE: In Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft E&xel exportieren - e:\program\MICROS~1\Office12\EXCEL.EXE/3000
IE: Save Flash - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\hag7fc90.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - www.google.at
FF - component: e:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: e:\program\Google\Picasa3\npPicasa3.dll
FF - plugin: e:\program\VideoLAN\VLC\npvlc.dll

---- FIREFOX Richtlinien ----
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
e:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-11-12 01:21
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:20,77,a7,13,4d,57,e7,e8,f0,71,d5,4e,f0,fe,81,02,ba,e8,04,20,06,f0,12,
   ff,a0,3a,e8,55,45,eb,4e,ba,69,97,3d,64,ae,00,f3,4c,ba,e1,09,ca,88,7d,80,8c,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:7d,b4,35,b9,89,0b,d1,22,ec,e3,6a,6c,19,e1,c7,73,d3,d5,30,67,23,
   55,da,9f,42,e1,82,db,07,d2,9f,27,e8,e9,44,bb,dc,19,cb,aa,98,73,df,bb,29,2e,\
"rkeysecu"=hex:9b,04,a8,92,08,fb,4f,36,8b,5e,a1,13,bb,bb,01,d1

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57,
   91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57,
   91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
e:\program\CDBurnerXP\NMSAccessU.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-11-12  01:23:49 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2010-11-12 00:23
ComboFix2.txt  2010-11-11 21:25
ComboFix3.txt  2010-11-09 06:21

Vor Suchlauf: 15.900.323.840 bytes free
Nach Suchlauf: 15.885.885.440 bytes free

- - End Of File - - 83E136E3E9300873900DE65411C35A21
         
--- --- ---
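As an added example (it is not part of this thread and not ComboFix's own code): the Sigcheck block in the log above is what tells the story. explorer.exe in c:\windows and the reference copy in c:\windows\ServicePackFiles\i386 have the same size and the same version string but different MD5 hashes, which is what a binary patched in place by a file infector looks like, while winlogon.exe has no reference copy listed at all. The Python script below parses that section out of a ComboFix log and gives every live file a hash-based verdict. The section boundaries, the verdict names and the treatment of ServicePackFiles and dllcache paths as reference copies are my assumptions; the leading [-]/[7] flag is ComboFix's own and is recorded but not interpreted.

```python
"""Hash-based check of the Sigcheck section of a ComboFix log.
Added example, not part of the Trojaner-Board thread and not ComboFix code."""
import re
import sys
from collections import defaultdict

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
# The flag is ComboFix's own verdict; it is kept but not interpreted here.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Paths that may serve as a reference copy of a live system file
# (assumption: the Service Pack cache and dllcache hold pristine originals).
REFERENCE_MARKERS = ("\\servicepackfiles\\", "\\dllcache\\")

# Lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2010-11-11 . 2F1F63845DB7EB2C6BD4EAB69F2B728C . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 358F7515ABCDCBB13201A42BEADD170E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
(((((((((((((((((((((((((((((   SnapShot@2010-11-09_06.19.13   )))))))))))))))))))))))))))))))))))))))))
"""


def parse_sigcheck(log_text):
    """Return one dict per Sigcheck line between the section header and the next banner."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if line.strip().startswith("------- Sigcheck"):
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next ComboFix section banner ends the Sigcheck block
        m = SIGCHECK_LINE.match(line) if in_section else None
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        e["is_reference"] = any(marker in e["path"] for marker in REFERENCE_MARKERS)
        entries.append(e)
    return entries


def assess(entries):
    """Give each live (non-reference) file a verdict by comparing it with reference copies."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    verdicts = {}
    for group in by_name.values():
        refs = [e for e in group if e["is_reference"]]
        for live in (e for e in group if not e["is_reference"]):
            if not refs:
                verdict = "unverified"          # nothing on disk to compare against
            elif any(r["md5"] == live["md5"] for r in refs):
                verdict = "matches_reference"
            elif any(r["size"] == live["size"] and r["version"] == live["version"] for r in refs):
                # same size and version string, different bytes: the binary was
                # patched in place, which is how a file infector shows up in Sigcheck
                verdict = "patched_in_place"
            else:
                verdict = "mismatch"
            verdicts[live["path"]] = verdict
    return verdicts


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    for path, verdict in sorted(assess(parse_sigcheck(text)).items()):
        print(f"{verdict:18} {path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a saved ComboFix.txt as the only argument; without an argument it evaluates the lines copied from the log above and reports explorer.exe as patched_in_place and winlogon.exe as unverified. The size/version comparison is the useful part: an infector that appends its code would change the size, one that overwrites in place keeps it, and only the hash separates the second case from a clean file.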


12.11.2010, 06:14   #18
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Can't be fixed with CF

PartedMagic

1. Download the ISO image of PartedMagic, it should be about 70 MB
2. Burn it to CD using the image-burning function, e.g. with ImgBurn or Nero under Windows
3. Boot from the burned CD, choose option 1 in the boot menu and wait until the Linux desktop is up



4. You should find an icon "Mount Devices", double-click it
5. Mount the partition where Windows is installed, usually it is /dev/sda1
6. On the Windows partition, rename the files:

/windows/system32/winlogon.exe to winlogon.vir
/windows/explorer.exe to explorer.vir


7. Copy the two clean files from cosinus.zip (extract it first via right-click if necessary) into the respective folders - winlogon.exe to windows/system32, explorer.exe to the windows folder

8. Restart the computer and boot Windows
9. Have the files renamed under Linux checked at Virustotal.com and post the result links
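Steps 5 to 9 above are an offline repair: mount the Windows partition from the live CD, keep the suspect files under a new name for later analysis, put clean copies in their place and check the result. Here is that procedure as an added example in Python (it is not part of this thread and not what PartedMagic does). The MD5 check of the clean copy against an expected hash, the refusal to overwrite an existing .vir file, the hash comparison after copying and the run_demo() helper with its placeholder bytes are my additions. On a real live CD you would point mount_root at the mounted partition (e.g. /mnt/sda1) and take expected_md5 from a trusted source such as the ServicePackFiles hash shown in the Sigcheck section of the log.

```python
"""Offline replacement of tampered Windows binaries from a live CD.
Added example, not part of the Trojaner-Board thread and not PartedMagic code."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path):
    """MD5 of a file, read in 1 MiB chunks (same hash ComboFix prints in Sigcheck)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def replace_binary(mount_root, rel_path, clean_file, expected_md5, suffix=".vir"):
    """Rename mount_root/rel_path to *.vir and copy clean_file in its place.

    The clean copy must hash to expected_md5 (assumption: that hash comes from a
    trusted source). Nothing is touched if that check fails, and an existing .vir
    file is never overwritten so earlier evidence survives.
    """
    target = Path(mount_root) / rel_path
    clean_file = Path(clean_file)
    clean_md5 = md5_of(clean_file)
    if clean_md5 != expected_md5.upper():
        raise ValueError(f"{clean_file} hashes to {clean_md5}, expected {expected_md5}")
    if not target.is_file():
        raise FileNotFoundError(target)

    original_md5 = md5_of(target)
    result = {"target": str(target), "original_md5": original_md5,
              "clean_md5": clean_md5, "quarantined": None}
    if original_md5 == clean_md5:
        result.update(action="unchanged", installed_md5=original_md5)
        return result

    quarantined = target.with_suffix(suffix)
    if quarantined.exists():
        raise FileExistsError(f"refusing to overwrite evidence: {quarantined}")
    target.rename(quarantined)          # keep the suspect file for VirusTotal (step 9)
    shutil.copy2(clean_file, target)    # copy2 also carries over the clean copy's timestamps
    installed_md5 = md5_of(target)
    if installed_md5 != clean_md5:      # a silently failed copy must not go unnoticed
        raise RuntimeError(f"copy verification failed for {target}")
    result.update(action="replaced", installed_md5=installed_md5,
                  quarantined=str(quarantined))
    return result


def repair(mount_root, plan):
    """plan: list of (path on the Windows partition, clean copy, expected MD5 of that copy)."""
    root = Path(mount_root)
    return {rel: replace_binary(root, rel, root / clean, expected)
            for rel, clean, expected in plan}


def run_demo():
    """Build a throw-away fake Windows partition (constructed placeholder bytes,
    not real binaries) and run the repair on it; returns the per-file results."""
    root = Path(tempfile.mkdtemp(prefix="winpart_"))
    (root / "windows" / "system32").mkdir(parents=True)
    (root / "cosinus").mkdir()
    clean_winlogon = b"CLEAN-WINLOGON-PLACEHOLDER"
    clean_explorer = b"CLEAN-EXPLORER-PLACEHOLDER"
    (root / "cosinus" / "winlogon.exe").write_bytes(clean_winlogon)
    (root / "cosinus" / "explorer.exe").write_bytes(clean_explorer)
    # winlogon.exe carries an appended payload, explorer.exe is already clean
    (root / "windows" / "system32" / "winlogon.exe").write_bytes(clean_winlogon + b"<injected>")
    (root / "windows" / "explorer.exe").write_bytes(clean_explorer)
    # expected hashes are computed from the bytes before they hit disk, standing in
    # for a hash you would otherwise obtain from a trusted reference
    plan = [
        ("windows/system32/winlogon.exe", "cosinus/winlogon.exe", hashlib.md5(clean_winlogon).hexdigest()),
        ("windows/explorer.exe", "cosinus/explorer.exe", hashlib.md5(clean_explorer).hexdigest()),
    ]
    results = repair(root, plan)
    w = results["windows/system32/winlogon.exe"]
    w["quarantine_intact"] = md5_of(w["quarantined"]) == w["original_md5"]
    # a clean copy with the wrong hash must be rejected before anything is touched
    try:
        replace_binary(root, "windows/explorer.exe", root / "cosinus" / "explorer.exe", "0" * 32)
        results["wrong_hash_rejected"] = False
    except ValueError:
        results["wrong_hash_rejected"] = True
    return results


if __name__ == "__main__":
    for rel, r in run_demo().items():
        if isinstance(r, dict):
            print(f"{rel}: {r['action']} (was {r['original_md5']}, now {r['installed_md5']})")
```

Renaming instead of deleting is what makes step 9 possible, and hashing the file again after the copy catches the case where the write failed or something rewrote the file underneath you; the thread's later log, which checks whether the replaced files stayed clean, is exactly that second comparison done a few days later.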

14.11.2010, 11:40   #19
fcangmar
 
Hi,

so the new .exe files are OK then? What do I do with the .vir files, delete them? How can I avoid a case like this in the future? I have always used AVG Free and had no trouble until now.

here are the links:
explorer:

hxxp://www.virustotal.com/file-scan/reanalysis.html?id=34205b1a8f2b67ad40c7268956ce0b986f5efd096022591c8a11206744f4fb70-1289730818
hxxp://www.virustotal.com/file-scan/report.html?id=34205b1a8f2b67ad40c7268956ce0b986f5efd096022591c8a11206744f4fb70-1289730818


winlogon:

hxxp://www.virustotal.com/file-scan/report.html?id=15bfd2571480a86f939b3280dc6ef87ae6c17536ec4091fa9acb655e7fd6c041-1289730918

Regards
Martin

14.11.2010, 18:43   #20
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Quote:
I have always used AVG Free and had no trouble until now.
Which virus scanner you use basically makes no difference at all, since none offers 100% security. Sometimes one scanner has better detection rates, sometimes another. It's almost a matter of faith. AVG Free is fine.


Please do another run of CF with a fresh cofi.exe - I want to see whether replacing the files has been a lasting success this time or whether the recently copied-back files have been infected again:

ComboFix

A guide and tutorial on using ComboFix
  • Download ComboFix here to your desktop. Rename it to cofi.exe while downloading.
  • Close all programs, especially your antivirus program and other background guards as well as your internet browser.
  • Start cofi.exe from your desktop, confirm the warnings, run the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run if a competent helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning the infection even harder.


14.11.2010, 20:35   #21
fcangmar
 
Hi,

ComboFix logfile:
Code:
ComboFix 10-11-13.01 - Martin 14.11.2010  20:30:17.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.43.1033.18.2047.1526 [GMT 1:00]
ausgeführt von:: c:\documents and settings\Martin\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((   Dateien erstellt von 2010-10-14 bis 2010-11-14  ))))))))))))))))))))))))))))))
.

2010-11-14 10:14 . 2010-11-11 22:10	1036800	----a-w-	c:\windows\explorer.exe
2010-11-14 10:14 . 2010-11-11 22:09	513024	----a-w-	c:\windows\system32\winlogon.exe
2010-11-08 21:58 . 2010-11-08 21:58	--------	d-----w-	C:\_OTL
2010-11-06 22:43 . 2010-11-06 22:44	--------	d-----w-	C:\!KillBox
2010-11-06 09:31 . 2010-11-06 09:31	--------	d-----w-	c:\documents and settings\All Users\Application Data\KONAMI
2010-11-05 22:03 . 2001-08-17 12:28	771581	-c--a-w-	c:\windows\system32\dllcache\winacisa.sys
2010-11-05 22:02 . 2001-08-17 21:36	26624	-c--a-w-	c:\windows\system32\dllcache\umaxu22.dll
2010-11-05 22:01 . 2001-08-17 11:13	37961	-c--a-w-	c:\windows\system32\dllcache\tdk100b.sys
2010-11-05 22:00 . 2001-08-17 12:56	7552	-c--a-w-	c:\windows\system32\dllcache\sonypvu1.sys
2010-11-05 21:59 . 2001-08-17 11:50	101760	-c--a-w-	c:\windows\system32\dllcache\sis300ip.sys
2010-11-05 21:58 . 2001-08-17 21:36	79872	-c--a-w-	c:\windows\system32\dllcache\rwia430.dll
2010-11-05 21:57 . 2001-08-17 13:07	19840	-c--a-w-	c:\windows\system32\dllcache\philtune.sys
2010-11-05 21:56 . 2001-08-17 11:49	51552	-c--a-w-	c:\windows\system32\dllcache\ntgrip.sys
2010-11-05 21:55 . 2008-04-13 23:16	51200	-c--a-w-	c:\windows\system32\dllcache\msdv.sys
2010-11-05 21:54 . 2001-08-17 21:36	8192	-c--a-w-	c:\windows\system32\dllcache\kbdkor.dll
2010-11-05 21:53 . 2001-08-17 21:36	61952	-c--a-w-	c:\windows\system32\dllcache\icam4ext.dll
2010-11-05 21:52 . 2001-08-17 21:36	9759	-c--a-w-	c:\windows\system32\dllcache\hsf_inst.dll
2010-11-05 21:51 . 2001-08-17 11:13	27165	-c--a-w-	c:\windows\system32\dllcache\fetnd5.sys
2010-11-05 21:51 . 2001-08-17 11:10	22090	-c--a-w-	c:\windows\system32\dllcache\fem556n5.sys
2010-11-05 21:51 . 2001-08-17 11:12	24618	-c--a-w-	c:\windows\system32\dllcache\fa410nd5.sys
2010-11-05 21:51 . 2001-08-17 11:12	16074	-c--a-w-	c:\windows\system32\dllcache\fa312nd5.sys
2010-11-05 21:51 . 2001-08-17 11:11	11850	-c--a-w-	c:\windows\system32\dllcache\f3ab18xj.sys
2010-11-05 21:51 . 2001-08-17 11:11	12362	-c--a-w-	c:\windows\system32\dllcache\f3ab18xi.sys
2010-11-05 21:51 . 2001-08-17 12:52	7040	-c--a-w-	c:\windows\system32\dllcache\exabyte2.sys
2010-11-05 21:51 . 2001-08-17 11:12	16998	-c--a-w-	c:\windows\system32\dllcache\ex10.sys
2010-11-05 21:47 . 2001-08-17 21:36	6729	-c--a-w-	c:\windows\system32\dllcache\disrvci.dll
2010-11-05 21:46 . 2001-08-17 12:51	13824	-c--a-w-	c:\windows\system32\dllcache\bulltlp3.sys
2010-11-05 20:45 . 2010-11-11 21:10	513024	----a-w-	c:\windows\system32\winlogon.vir
2010-11-05 14:44 . 2010-11-05 14:44	--------	d-----w-	c:\documents and settings\Martin\Application Data\AVG10
2010-11-05 14:44 . 2010-11-05 14:44	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2010-11-05 14:44 . 2010-11-12 00:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2010-11-05 14:44 . 2010-11-05 14:44	--------	d-----w-	c:\program files\AVG
2010-11-05 14:37 . 2010-11-05 14:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2010-11-05 14:12 . 2010-11-05 14:12	--------	d-----w-	c:\program files\Enigma Software Group
2010-11-03 04:52 . 2010-11-03 04:55	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-02 18:39 . 2010-06-28 12:00	46592	----a-w-	c:\windows\system32\vsutil_loc0407.dll
2010-11-02 18:07 . 2008-04-14 04:42	1033728	----a-w-	c:\windows\explorer.vir
2010-11-02 17:58 . 2010-11-05 14:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg8
2010-11-02 16:57 . 2010-11-11 20:54	--------	d-----w-	c:\windows\Internet Logs
2010-11-02 16:41 . 2010-11-02 16:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\fssg
2010-11-02 16:38 . 2010-11-02 16:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\f-secure
2010-11-01 16:34 . 2010-11-01 16:34	--------	d-----w-	c:\documents and settings\Martin\Application Data\TrojanHunter
2010-10-27 22:04 . 2010-10-27 22:05	--------	d-----w-	c:\documents and settings\Martin\Local Settings\Application Data\Temp
2010-10-26 17:20 . 2010-10-26 17:21	--------	d-----w-	c:\program files\Graboid
2010-10-26 10:52 . 2010-10-26 10:52	--------	d-----w-	c:\documents and settings\Martin\Application Data\Malwarebytes
2010-10-26 10:41 . 2010-10-26 10:41	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-26 10:41 . 2010-04-29 14:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 10:41 . 2010-10-26 10:41	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-26 10:41 . 2010-04-29 14:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-10-26 10:36 . 2010-10-26 10:36	--------	d-----w-	c:\documents and settings\Administrator\Application Data\ProgSense
2010-10-26 10:36 . 2010-10-26 10:39	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Orbit
2010-10-26 10:33 . 2010-10-26 10:33	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-26 09:34 . 2010-10-26 09:35	--------	d-----w-	c:\documents and settings\Martin\Application Data\FCAAC60ADBD2A67431F87ADADD3EE6E0
2010-10-25 17:55 . 2010-10-25 17:56	--------	d-----w-	c:\documents and settings\Martin\Application Data\Youtube Downloader HD

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-12 00:13 . 2010-11-12 00:13	687173	----a-w-	C:\cosinus.zip
.

------- Sigcheck -------

[-] 2010-11-11 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2010-11-11 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
(((((((((((((((((((((((((((((   SnapShot@2010-11-09_06.19.13   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-14 10:28 . 2010-11-14 10:28	16384              c:\windows\Temp\Perflib_Perfdata_678.dat
+ 2004-08-04 12:00 . 2010-11-09 06:22	83950              c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-11-02 18:23	83950              c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-09 06:22	476318              c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-11-02 18:23	476318              c:\windows\system32\perfh009.dat
+ 2010-11-11 21:49 . 2010-11-11 21:49	3019264              c:\windows\Installer\1796a9.msi
+ 2010-11-11 21:48 . 2010-11-11 21:48	1543680              c:\windows\Installer\1796a5.msi
.
((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown. 
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVer HID Receiver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVer HID Receiver.lnk
backup=c:\windows\pss\AVer HID Receiver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVerQuick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVerQuick.lnk
backup=c:\windows\pss\AVerQuick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^Folding@home-gpu.lnk]
path=c:\documents and settings\Martin\Start Menu\Programs\Startup\Folding@home-gpu.lnk
backup=c:\windows\pss\Folding@home-gpu.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Martin\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-12-21 17:35	640440	----a-w-	f:\software\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-12-22 00:26	38840	----a-w-	f:\software\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37	932288	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58	611712	----a-w-	c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2010-02-05 19:50	2521464	----a-w-	c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2009-03-02 09:14	57344	----a-w-	c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2007-10-04 16:38	307200	----a-w-	c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42	15360	----a-w-	c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40	687560	----a-w-	e:\program\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32	1135912	----a-w-	c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44	31072	----a-w-	e:\program\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2008-11-06 11:21	1548296	----a-w-	c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
2008-11-06 11:39	2816520	----a-w-	c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDevAgt]
2008-11-06 11:41	358920	----a-w-	c:\program files\Logitech\GamePanel Software\LGDevAgt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-10-06 14:34	18750976	----a-w-	c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S7UB Start]
2008-07-14 23:02	102453	----a-w-	e:\program files\Common Files\Siemens\S7UBTOOX\S7ubTstx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-12-11 14:38	98304	----a-w-	c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21	246504	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMonitorVMUVC]
2008-06-16 01:02	135168	----a-w-	c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate1c9dc50e11d5e64"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program\\BitTorrent\\bittorrent.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"g:\\Games\\PES11\\pes2011.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2009 1:18 AM 717296]
R2 almservice;Automation License Manager Service;e:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [5/20/2008 3:10 PM 1146880]
R2 AVerRemote;AVerRemote;c:\program files\Common Files\AVerMedia\Service\AVerRemote.exe [6/18/2010 7:26 PM 344064]
R2 AVerScheduleService;AVerScheduleService;c:\program files\Common Files\AVerMedia\Service\AVerScheduleService.exe [6/18/2010 7:26 PM 389120]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 3:47 PM 28363]
R2 IGDCTRL;AVM IGD CTRL Service;e:\program\FRITZ!DSL\IGDCTRL.EXE [9/4/2007 10:14 AM 87344]
R2 s7asysvx;S7 Global Services;g:\program\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 7:02 PM 69685]
R2 s7oiehsx;SIMATIC IEPG Help Service;e:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [7/3/2008 1:30 PM 1571912]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [7/3/2008 1:04 PM 31232]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [7/30/2007 12:06 PM 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [7/3/2008 1:30 PM 240712]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 AF05BDA;Cinergy T USB XE service;c:\windows\system32\drivers\AF05BDA.sys [4/25/2009 4:48 PM 117376]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/19/2009 4:27 PM 1684736]
S3 AVerAF35;AVerMedia A835 USB DVB-T;c:\windows\system32\drivers\AVerAF35.sys [6/18/2010 7:28 PM 474880]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2/11/2010 1:19 PM 36608]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [9/2/2010 8:00 AM 252032]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [9/2/2010 8:00 AM 398720]
S4 gupdate1c9dc50e11d5e64;Google Update Service (gupdate1c9dc50e11d5e64);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 10:20 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
.
Contents of the "Scheduled Tasks" folder

2010-11-07 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.13\DriverRobot.exe [2009-10-18 20:35]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: An vorhandene PDF-Datei anfügen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202
IE: In Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft E&xel exportieren - e:\program\MICROS~1\Office12\EXCEL.EXE/3000
IE: Save Flash - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - e:\program\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\hag7fc90.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - www.google.at
FF - component: e:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: e:\program\Google\Picasa3\npPicasa3.dll
FF - plugin: e:\program\VideoLAN\VLC\npvlc.dll

---- FIREFOX Policies ----
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
e:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
e:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-11-14 20:32
Windows 5.1.2600 Service Pack 3 NTFS

Scanning for hidden processes ... 

Scanning for hidden autostart entries ... 

Scanning for hidden files ... 

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked Registry Keys ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:20,77,a7,13,4d,57,e7,e8,f0,71,d5,4e,f0,fe,81,02,ba,e8,04,20,06,f0,12,
   ff,a0,3a,e8,55,45,eb,4e,ba,69,97,3d,64,ae,00,f3,4c,ba,e1,09,ca,88,7d,80,8c,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1004336348-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:7d,b4,35,b9,89,0b,d1,22,ec,e3,6a,6c,19,e1,c7,73,d3,d5,30,67,23,
   55,da,9f,42,e1,82,db,07,d2,9f,27,e8,e9,44,bb,dc,19,cb,aa,98,73,df,bb,29,2e,\
"rkeysecu"=hex:9b,04,a8,92,08,fb,4f,36,8b,5e,a1,13,bb,bb,01,d1

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57,
   91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:97,5d,d3,2c,23,ce,9f,1f,b5,4c,46,8b,97,b4,c3,aa,1e,d2,5a,0e,57,
   91,8f,44,d6,46,e1,d8,d2,fd,d3,50,fd,80,f8,fe,aa,26,03,84,3c,e9,20,1b,17,ec,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-11-14  20:34:01
ComboFix-quarantined-files.txt  2010-11-14 19:33
ComboFix2.txt  2010-11-12 00:23
ComboFix3.txt  2010-11-11 21:25
ComboFix4.txt  2010-11-09 06:21

Pre-Run: 15.761.002.496 bytes free
Post-Run: 15.743.012.864 bytes free

- - End Of File - - 35756ADC67B286C0CE19A15B48BC4E0A
         
--- --- ---


Regards

14.11.2010, 21:07   #22
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Code:
[-] 2010-11-11 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2010-11-11 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe
CF still doesn't quite like that, but I think the checksums are simply unknown. Yours now match the ones on my WinXP, so it should be clean now.

OK. Now please create logs with GMER and OSAM and post them.
GMER crashes fairly often; if the tool won't run on the second attempt either, just leave it out and only run OSAM - please skip the online query by OSAM.
With OSAM, please also make sure that you save the log as *.log and not as *.html or the like.


Then please download MBRCheck (by a_d_13) and save the file to the desktop.
  • Double-click MBRCheck.exe.
    Vista and Win7 users: right-click and choose "Run as administrator"
  • The tool only needs a second.
  • Afterwards you should find a MBRCheck_<Date>_<Time>.txt on the desktop.
Please post the contents of the .txt file for me
__________________
Please always post logfiles in CODE tags
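Added example (not part of this thread and not ComboFix's own code): a small Python triage script for the Sigcheck block quoted above. It parses each Sigcheck line, pairs the live copy of a file with any reference copy ComboFix listed from ServicePackFiles or dllcache, and reports whether MD5 and size agree. The three sample lines are copied from the log above and embedded as constructed input. Treating "[-]" as "unverified" and the ServicePackFiles and dllcache folders as reference locations is my reading of the log, not ComboFix's documented semantics. On the sample it reports that winlogon.exe has no reference copy listed, while explorer.exe (1036800 bytes) differs in both size and MD5 from the ServicePackFiles\i386 copy (1033728 bytes); the script only surfaces the discrepancy, it does not decide whether a file is malicious.

```python
"""Triage of ComboFix 'Sigcheck' lines: parse each entry and compare the live
copy of a system file with the reference copies Windows XP keeps on disk
(ServicePackFiles\\i386 and system32\\dllcache). Added example, not ComboFix code."""
import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the three Sigcheck lines quoted from the ComboFix log above.
SIGCHECK_SAMPLE = [
    r"[-] 2010-11-11 . F09A527B422E25C478E38CAA0E44417A . 513024 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe",
    r"[-] 2010-11-11 . 418045A93CD87A352098AB7DABE1B53E . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe",
    r"[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe",
]

# Layout as printed in the log: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption: folders in which Windows keeps its own pristine copies of system binaries.
REFERENCE_DIRS = ("servicepackfiles", "dllcache")


def parse_sigcheck(lines):
    """Parse Sigcheck lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        e["size"] = int(e["size"])
        e["name"] = PureWindowsPath(e["path"]).name.lower()
        e["is_reference"] = any(d in e["path"].lower() for d in REFERENCE_DIRS)
        entries.append(e)
    return entries


def compare_with_references(entries):
    """Group entries by file name, set the live copy beside its reference copies and
    record whether MD5 and size agree. None means no reference copy was listed."""
    by_name = defaultdict(lambda: {"active": None, "references": []})
    for e in entries:
        slot = by_name[e["name"]]
        if e["is_reference"]:
            slot["references"].append(e)
        else:
            slot["active"] = e
    report = {}
    for name, slot in by_name.items():
        active, refs = slot["active"], slot["references"]
        md5_match = size_match = None
        if active is not None and refs:
            md5_match = any(r["md5"] == active["md5"] for r in refs)
            size_match = any(r["size"] == active["size"] for r in refs)
        report[name] = {
            "flag": active["flag"] if active else None,
            "active": active,
            "references": refs,
            "md5_match": md5_match,
            "size_match": size_match,
        }
    return report


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file on disk, upper-case as ComboFix prints it, so a copy taken from
    dllcache or ServicePackFiles can be checked against the log by hand."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def describe(report):
    """One human-readable line per file, in name order."""
    out = []
    for name, r in sorted(report.items()):
        if r["md5_match"] is None:
            out.append(f"{name}: flag [{r['flag']}], no reference copy listed; verify by hand")
        elif r["md5_match"]:
            out.append(f"{name}: flag [{r['flag']}], matches a reference copy")
        else:
            ref_sizes = [x["size"] for x in r["references"]]
            out.append(f"{name}: flag [{r['flag']}], DIFFERS from reference "
                       f"(size {r['active']['size']} vs {ref_sizes})")
    return out


if __name__ == "__main__":
    for line in describe(compare_with_references(parse_sigcheck(SIGCHECK_SAMPLE))):
        print(line)
```

Paste the Sigcheck lines of your own log into SIGCHECK_SAMPLE to triage them; md5_of_file lets you hash the dllcache or ServicePackFiles copy yourself and compare the result with what the log shows for the live file.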

14.11.2010, 22:01   #23
fcangmar

Hi,

OSAM:

OSAM Logfile:
Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:57:45 on 14.11.2010

OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 7.00.6000.16915

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Driver Robot.job" - ? - C:\Program Files\Driver Robot\1.1.0.13\DriverRobot.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\WINDOWS\system32\DivXControlPanelApplet.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
"S7epaepx.cpl" - "SIEMENS AG" - C:\WINDOWS\system32\S7epaepx.cpl
"S7EPATDX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7EPATDX.CPL
"S7UBCPLX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7UBCPLX.CPL
"wuaucpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\wuaucpl.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Adobe Version Cue CS4" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.cpl
"lgLcdCpl" - "Logitech Inc." - C:\Program Files\Logitech\GamePanel Software\LCD Manager\LgLcdCpl.cpl
"mlcfg32.cpl" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\MLCFG32.CPL
"Nero BurnRights" - "Nero AG" - E:\Program\Nero 9\Nero 9\Nero BurnRights\NeroBurnRights_cpl.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"a9ks41g6" (a9ks41g6) - "Microsoft Corporation" - C:\WINDOWS\system32\drivers\a9ks41g6.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"adfs" (adfs) - "Adobe Systems, Inc." - C:\WINDOWS\system32\drivers\adfs.sys
"AnyDVD" (AnyDVD) - "SlySoft, Inc." - C:\WINDOWS\System32\Drivers\AnyDVD.sys
"atksgt" (atksgt) - ? - C:\WINDOWS\System32\DRIVERS\atksgt.sys  (File found, but it contains no detailed information)
"AVG Anti-Rootkit Driver" (Avgrkx86) - ? - C:\WINDOWS\System32\DRIVERS\avgrkx86.sys  (File not found)
"AVG TDI Driver" (Avgtdix) - ? - C:\WINDOWS\System32\DRIVERS\avgtdix.sys  (File not found)
"AVGIDSDriver" (AVGIDSDriver) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSDriver.Sys  (File not found)
"AVGIDSEH" (AVGIDSEH) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSEH.Sys  (File not found)
"AVGIDSFilter" (AVGIDSFilter) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSFilter.Sys  (File not found)
"AVGIDSShim" (AVGIDSShim) - ? - C:\WINDOWS\System32\DRIVERS\AVGIDSShim.Sys  (File not found)
"catchme" (catchme) - ? - C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys  (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"Cinergy T USB XE service" (AF05BDA) - "AfaTech                  " - C:\WINDOWS\System32\DRIVERS\AF05BDA.sys
"Dpmtrcdd" (Dpmtrcdd) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\dpmtrcdd.sys
"ElbyCDIO Driver" (ElbyCDIO) - "Elaborate Bytes AG" - C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
"ENTECH" (ENTECH) - "EnTech Taiwan" - C:\WINDOWS\system32\DRIVERS\ENTECH.sys
"esgiguard" (esgiguard) - ? - C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys  (File not found)
"FsUsbExDisk" (FsUsbExDisk) - ? - C:\WINDOWS\system32\FsUsbExDisk.SYS  (File found, but it contains no detailed information)
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys  (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"lirsgt" (lirsgt) - ? - C:\WINDOWS\System32\DRIVERS\lirsgt.sys  (File found, but it contains no detailed information)
"mbr" (mbr) - ? - C:\DOCUME~1\Martin\LOCALS~1\Temp\mbr.sys  (Hidden registry entry, rootkit activity | File not found)
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"PROFINET IO RT-Protocol" (s7snsrtx) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\s7snsrtx.sys
"PROFINET IO RT-Protocol (LLDP)" (S7opcsrtx) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\s7opcsrtx.sys
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"pxtdqpow" (pxtdqpow) - ? - C:\DOCUME~1\Martin\LOCALS~1\Temp\pxtdqpow.sys  (Hidden registry entry, rootkit activity | File not found)
"SIMATIC Industrial Ethernet (ISO)" (SNTIE) - "SIEMENS AG" - C:\WINDOWS\System32\DRIVERS\sntie.sys
"SIMATIC MPI/EFS Driver" (s7oefs_x) - "SIEMENS AG" - C:\WINDOWS\System32\drivers\s7oefs_x.sys
"sptd" (sptd) - "Duplex Secure Ltd." - C:\WINDOWS\System32\Drivers\sptd.sys  (File is exclusively opened, access blocked)
"StarOpen" (StarOpen) - ? - C:\WINDOWS\system32\drivers\StarOpen.sys  (File found, but it contains no detailed information)
"Vimicro Camera Filter Service VMUVC" (vvftUVC) - "Vimicro Corporation" - C:\WINDOWS\System32\drivers\vvftUVC.sys
"Vimicro Camera Service VMUVC" (VMUVC) - "Vimicro Corporation" - C:\WINDOWS\System32\Drivers\VMUVC.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{88FED34C-F0CA-4636-A375-3CB6248B04CD} "Local Groove Web Services Protocol" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - F:\Software\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll
{5F327514-6C5E-4d60-8F16-D07FA08A78ED} "Auto Update Property Sheet Extension" - "Microsoft Corporation" - C:\WINDOWS\system32\wuaucpl.cpl
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\VISSHE.DLL
{42071714-76d4-11d1-8b24-00a0c9068ff3} "Display Panning CPL Extension" - ? - deskpan.dll  (File not found)
{872A9397-E0D6-4e28-B64D-52B8D0A7EA35} "DisplayCplExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiamaxx.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Encryption Context Menu" - ? -   (File not found | COM-object registry key not found)
{E81FFB23-40E2-431C-A041-76AEA0E4B04C} "Enterprise-Projekte" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\NAMEEXT.DLL
{99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\VISSHE.DLL
{B2260382-5E6E-4EEB-9E6F-1122AC37C1E4} "JtWinShellExt" - ? -   (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\ONFILTER.DLL
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - E:\Program\Nero 9\Nero 9\Nero CoverDesigner\CoverEdExtension.dll
{C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll
{1CA6BBC9-E9FA-4021-822B-075DF1837B63} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll
{4FBFFA8D-F390-471a-AE46-FEB93623AD63} "NeroDigitalInfoHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll
{846083A4-BFC6-4447-985C-6578B466A7D7} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll
{EDCC595A-F0EE-4d81-B554-D5D01C7AFB87} "NeroDigitalThumbnailHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - E:\Program\Open Office\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\OLKFSTUB.DLL
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shell extensions for file compression" - ? -   (File not found | COM-object registry key not found)
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} "UnlockerShellExtension" - ? - E:\Program Files\Unlocker\UnlockerCOM.dll  (File found, but it contains no detailed information)
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
{45670FA8-ED97-4F44-BC93-305082590BFB} "Windows XPS Document Metadata Handler" - "Microsoft Corporation" - C:\WINDOWS\System32\XPSSHHDR.DLL
{44121072-A222-48f2-A58A-6D9AD51EBBE9} "Windows XPS Document Thumbnail Handler" - "Microsoft Corporation" - C:\WINDOWS\System32\XPSSHHDR.DLL

[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{F81D52BF-F2F1-4F49-BF5F-05664E803039} "Flash" - ? -   (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Grab Pro" - ? - E:\Program Files\Orbitdownloader\GrabPro.dll
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
<binary data> "{32099AAC-C132-4136-9E9A-4E364A424E17}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} "Java Plug-in 1.6.0_07" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_18.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\ONBttnIE.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - E:\Program\MICROS~1\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} "Contribute Toolbar" - "Adobe Systems Incorporated." - F:\Software\Adobe\Adobe Contribute CS4\contributeieplugin.dll
<binary data> "EPSON Web-To-Page" - "SEIKO EPSON CORPORATION" - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
<binary data> "Grab Pro" - ? - E:\Program Files\Orbitdownloader\GrabPro.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{AE7CD045-E861-484f-8273-0445EE161910} "Adobe PDF Conversion Toolbar Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{074C1DC5-9320-4A9A-947D-C042949C6216} "ContributeBHO Class" - "Adobe Systems Incorporated." - F:\Software\Adobe\Adobe Contribute CS4\contributeieplugin.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} "EpsonToolBandKicker Class" - "SEIKO EPSON CORPORATION" - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{000123B4-9B42-4900-B3F7-F4B073EFC214} "Octh Class" - "Orbitdownloader.com" - E:\Program Files\Orbitdownloader\orbitcth.dll
{F4971EE7-DAA0-4053-9964-665D8EE6A077} "SmartSelect Class" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[Logon]
-----( %AllUsersProfile%\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-----( %UserProfile%\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Documents and Settings\Martin\Start Menu\Programs\Startup\desktop.ini
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon )-----
"Shell" - "Microsoft Corporation" - C:\WINDOWS\Explorer.exe

[Network Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order )-----
"Adobe Drive CS4 Network" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"EPSON Stylus Photo RX585 Series 32MonitorBE" - "SEIKO EPSON CORPORATION" - C:\WINDOWS\system32\E_FLBCLE.DLL
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"PDFCreator" - ? - C:\WINDOWS\system32\pdfcmnnt.dll  (File found, but it contains no detailed information)
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Adobe Version Cue CS4" (Adobe Version Cue CS4) - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Automation License Manager Service" (almservice) - "SIEMENS AG" - E:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
"AVerRemote" (AVerRemote) - "AVerMedia" - C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
"AVerScheduleService" (AVerScheduleService) - ? - C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
"AVM IGD CTRL Service" (IGDCTRL) - "AVM Berlin" - E:\Program\FRITZ!DSL\IGDCTRL.EXE
"FLEXnet Licensing Service" (FLEXnet Licensing Service) - "Acresso Software Inc." - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
"getPlus(R) Helper" (getPlusHelper) - "NOS Microsystems Ltd." - C:\Program Files\NOS\bin\getPlus_Helper.dll
"Google Updater Service" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"Java Quick Starter" (JavaQuickStarterService) - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jqs.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Microsoft Office Groove Audit Service" (Microsoft Office Groove Audit Service) - "Microsoft Corporation" - E:\Program\Microsoft Office\Office12\GrooveAuditService.exe
"Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
"NMSAccess" (NMSAccess) - ? - E:\Program\CDBurnerXP\NMSAccessU.exe  (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"S7 Global Services" (s7asysvx) - "SIEMENS AG" - G:\Program\Siemens\Step7\S7BIN\s7asysvx.exe
"S7TraceServiceX" (S7TraceServiceX) - "SIEMENS AG" - C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
"SIMATIC IEPG Help Service" (s7oiehsx) - "SIEMENS AG" - E:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll  (File not found)

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

GMER did not work properly, so I tried it without the file scan, and that worked:

GMER Logfile:
Code:
ATTFilter
GMER 1.0.15.15530 - hxxp://www.gmer.net
Rootkit scan 2010-11-14 21:54:30
Windows 5.1.2600 Service Pack 3 
Running: l1cqvlvk.exe; Driver: C:\DOCUME~1\Martin\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT            spnz.sys                                                                                                             ZwCreateKey [0xB9EA80E0]
SSDT            spnz.sys                                                                                                             ZwEnumerateKey [0xB9EC6CA2]
SSDT            spnz.sys                                                                                                             ZwEnumerateValueKey [0xB9EC7030]
SSDT            spnz.sys                                                                                                             ZwOpenKey [0xB9EA80C0]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                          ZwOpenProcess [0xA7DB06C0]
SSDT            spnz.sys                                                                                                             ZwQueryKey [0xB9EC7108]
SSDT            spnz.sys                                                                                                             ZwQueryValueKey [0xB9EC6F88]
SSDT            spnz.sys                                                                                                             ZwSetValueKey [0xB9EC719A]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                          ZwTerminateProcess [0xA7DB0770]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                          ZwTerminateThread [0xA7DB0810]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                          ZwWriteVirtualMemory [0xA7DB08B0]

INT 0x63        ?                                                                                                                    8A624BF8
INT 0x63        ?                                                                                                                    8A624BF8
INT 0x63        ?                                                                                                                    8A624BF8
INT 0x63        ?                                                                                                                    8A624BF8
INT 0x63        ?                                                                                                                    8A3BFF00
INT 0x63        ?                                                                                                                    8A624BF8
INT 0x83        ?                                                                                                                    8A624BF8
INT 0x83        ?                                                                                                                    8A624BF8
INT 0x83        ?                                                                                                                    8A3BFF00
INT 0x83        ?                                                                                                                    8A624BF8
INT 0x84        ?                                                                                                                    8A3BFF00
INT 0xA4        ?                                                                                                                    8A3BFF00
INT 0xA4        ?                                                                                                                    8A3BFF00
INT 0xA4        ?                                                                                                                    8A3BFF00
INT 0xA4        ?                                                                                                                    8A3BFF00
INT 0xB4        ?                                                                                                                    8A3BFF00

Code            \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys                                                                     pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

?               spnz.sys                                                                                                             The system cannot find the file specified. !
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                             section is writeable [0xB926E000, 0x223937, 0xE8000020]
.text           USBPORT.SYS!DllUnload                                                                                                B92258AC 5 Bytes  JMP 8A3BF4E0 
.text           a9ks41g6.SYS                                                                                                         B919C386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text           a9ks41g6.SYS                                                                                                         B919C3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text           a9ks41g6.SYS                                                                                                         B919C3C4 3 Bytes  [00, 70, 02] {ADD [EAX+0x2], DH}
.text           a9ks41g6.SYS                                                                                                         B919C3C9 1 Byte  [2E]
.text           a9ks41g6.SYS                                                                                                         B919C3C9 11 Bytes  [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text           ...                                                                                                                  
.text           C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                               section is writeable [0xA9777300, 0x3B6D8, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                               section is writeable [0xBA3A8300, 0x1BEE, 0xE8000020]
?               C:\DOCUME~1\Martin\LOCALS~1\Temp\mbr.sys                                                                             The system cannot find the file specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                           The system cannot find the file specified. !
?               C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys                                                                         The system cannot find the file specified. !
?               system32\DRIVERS\avgrkx86.sys                                                                                        The system cannot find the path specified. !
?               system32\DRIVERS\avgtdix.sys                                                                                         The system cannot find the path specified. !
?               system32\DRIVERS\AVGIDSShim.Sys                                                                                      The system cannot find the path specified. !
?               system32\DRIVERS\AVGIDSEH.Sys                                                                                        The system cannot find the path specified. !
?               system32\DRIVERS\AVGIDSFilter.Sys                                                                                    The system cannot find the path specified. !
?               system32\DRIVERS\AVGIDSDriver.Sys                                                                                    The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                   [B9EA9040] spnz.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                           [B9EA913C] spnz.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                  [B9EA90BE] spnz.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                          [B9EA97FC] spnz.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                  [B9EA96D2] spnz.sys
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfAcquireSpinLock]                                                 4B8BDF8B
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!READ_PORT_UCHAR]                                                   8D3F0304
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KeGetCurrentIrql]                                                  CB033043
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfRaiseIrql]                                                       0673C13B
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfLowerIrql]                                                       C13B0003
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!HalGetInterruptVector]                                             8366FA72
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!HalTranslateBusAddress]                                            75000E7B
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KeStallExecutionProcessor]                                         0B7D80E3
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!KfReleaseSpinLock]                                                 307B8D00
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                           00AA840F
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!READ_PORT_USHORT]                                                  83660000
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                          6A000E7A
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                  C6647400
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[WMILIB.SYS!WmiSystemControl]                                               4F8B0200
IAT             \SystemRoot\System32\Drivers\a9ks41g6.SYS[WMILIB.SYS!WmiCompleteRequest]                                             968D5140

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                               8A6231F8

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                               AVGIDSFilter.Sys

Device          \FileSystem\Fastfat \FatCdrom                                                                                        88D47500

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                             avgtdix.sys

Device          \Driver\usbuhci \Device\USBPDO-0                                                                                     8A3CE1F8
Device          \Driver\PCI_PNP0910 \Device\00000045                                                                                 spnz.sys
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                            8A6941F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                              8A6941F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                 8A6941F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                8A6941F8
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                     8A3CE1F8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                     8A3CE1F8
Device          \Driver\usbehci \Device\USBPDO-3                                                                                     8A29D368
Device          \Driver\usbuhci \Device\USBPDO-4                                                                                     8A3CE1F8
Device          \Driver\usbuhci \Device\USBPDO-5                                                                                     8A3CE1F8

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                            avgtdix.sys

Device          \Driver\usbuhci \Device\USBPDO-6                                                                                     8A3CE1F8
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                               8A6251F8
Device          \Driver\usbehci \Device\USBPDO-7                                                                                     8A29D368
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                               8A6251F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                         8A25D368
Device          \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12                                                                         [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7                                                                          [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort4                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort5                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                               8A6251F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                         8A25D368
Device          \Driver\Ftdisk \Device\HarddiskVolume4                                                                               8A6251F8
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                              8A43C500
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                     8A43C500

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                            avgtdix.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                          avgtdix.sys

Device          \Driver\usbuhci \Device\USBFDO-0                                                                                     8A3CE1F8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                     8A3CE1F8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                    8A3A5500
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                     8A3CE1F8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                          8A3A5500
Device          \Driver\usbehci \Device\USBFDO-3                                                                                     8A29D368
Device          \Driver\Ftdisk \Device\FtControl                                                                                     8A6251F8
Device          \Driver\usbuhci \Device\USBFDO-4                                                                                     8A3CE1F8
Device          \Driver\usbuhci \Device\USBFDO-5                                                                                     8A3CE1F8
Device          \Driver\sptd \Device\2890654660                                                                                      spnz.sys
Device          \Driver\usbuhci \Device\USBFDO-6                                                                                     8A3CE1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{E146FA9B-20A8-46C7-8A0A-3390C6E56897}                                             8A43C500
Device          \Driver\usbehci \Device\USBFDO-7                                                                                     8A29D368
Device          \Driver\a9ks41g6 \Device\Scsi\a9ks41g61                                                                              8A2C1500
Device          \Driver\a9ks41g6 \Device\Scsi\a9ks41g61Port6Path0Target0Lun0                                                         8A2C1500
Device          \FileSystem\Fastfat \Fat                                                                                             88D47500

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                             fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                             AVGIDSFilter.Sys

Device          \FileSystem\Cdfs \Cdfs                                                                                               89B93370

---- Threads - GMER 1.0.15 ----

Thread          System [4:2572]                                                                                                      A7D317FF
---- Processes - GMER 1.0.15 ----

Library         E:\Program\AVG\AVG10\avgse.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3540]                                    0x6C330000                                                                                                                    

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                   771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                   285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                   1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                  E:\Program\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                               0xEB 0x6D 0x75 0xC8 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                         0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0xC0 0xC1 0xFA 0x1E ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0x41 0x32 0x0D 0x8E ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                0x0D 0x14 0x47 0x79 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                0x2A 0x1B 0x66 0x20 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                0x5D 0x2A 0x87 0x81 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      E:\Program\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0xEB 0x6D 0x75 0xC8 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC0 0xC1 0xFA 0x1E ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x41 0x32 0x0D 0x8E ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                    0x0D 0x14 0x47 0x79 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh                    0x2A 0x1B 0x66 0x20 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh                    0x5D 0x2A 0x87 0x81 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version                                   0x97 0x5D 0xD3 0x2C ...

---- EOF - GMER 1.0.15 ----
         
--- --- ---


MBR:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fd

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9EA7000 spnz.sys
0xBA5AA000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xB9E8F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xB9E61000 ACPI.sys
0xB9E50000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9E31000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9E0B000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9DF3000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DD3000 fltmgr.sys
0xB9DC1000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9DAA000 KSecDD.sys
0xB9D1D000 Ntfs.sys
0xB9CF0000 NDIS.sys
0xBA108000 ohci1394.sys
0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9CD6000 Mup.sys
0xBA208000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB926D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9259000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9231000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB920D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA298000 \SystemRoot\system32\DRIVERS\l1e51x86.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA5D0000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA574000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB91F5000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB91D2000 \SystemRoot\system32\DRIVERS\ks.sys
0xB919C000 \SystemRoot\System32\Drivers\a9ks41g6.SYS
0xBA6CD000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9185000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA440000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA448000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB90B5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA318000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA458000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9057000 \SystemRoot\system32\DRIVERS\update.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA168000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA198000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5DA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xACA38000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xACA14000 \SystemRoot\system32\drivers\portcls.sys
0xBA1A8000 \SystemRoot\system32\drivers\drmk.sys
0xBA470000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA5DE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA70A000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E0000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA488000 \SystemRoot\System32\drivers\vga.sys
0xBA5E2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5E4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA490000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA498000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA56C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAC951000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xAC8F8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAC8D0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAC8AA000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAC7E8000 \SystemRoot\System32\drivers\afd.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAC7BD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAC74D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA218000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA4A0000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xB9037000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA238000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA340000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA248000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAC707000 \SystemRoot\System32\Drivers\usbvideo.sys
0xBA258000 \SystemRoot\system32\drivers\usbaudio.sys
0xBA268000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xACA10000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xACA08000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAC6EF000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5EC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAC9FC000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3A0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7E3000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF060000 \SystemRoot\System32\ati2cqag.dll
0xBF0FC000 \SystemRoot\System32\atikvmag.dll
0xBF196000 \SystemRoot\System32\atiok3x2.dll
0xBF1FB000 \SystemRoot\System32\ati3duag.dll
0xBF557000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9A62000 \SystemRoot\system32\DRIVERS\sntie.sys
0xA9BA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA478000 \SystemRoot\system32\DRIVERS\s7opcsrtx.sys
0xA9A28000 \SystemRoot\system32\DRIVERS\s7snsrtx.sys
0xA97F3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA97BA000 \SystemRoot\System32\Drivers\adfs.SYS
0xA9777000 \SystemRoot\system32\DRIVERS\atksgt.sys
0xA984C000 \SystemRoot\System32\DRIVERS\dpmtrcdd.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\lirsgt.sys
0xA956D000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8BFE000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9495000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA4A8000 \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\mbr.sys
0xBA668000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xBA430000 \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\catchme.sys
0xA7EC9000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\avgrkx86.sys
0xA7C12000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xA7DAE000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xA7D6E000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
0xA9990000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xA7BEA000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xA76B6000 \??\C:\DOCUME~1\Martin\LOCALS~1\Temp\pxtdqpow.sys
0xA768B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
0x10000000 \Program\DAEMON Tools Lite\daemon.dll

Processes (total 34):
0 System Idle Process
4 System
436 C:\WINDOWS\system32\smss.exe
524 csrss.exe
560 C:\WINDOWS\system32\winlogon.exe
608 C:\WINDOWS\system32\services.exe
620 C:\WINDOWS\system32\lsass.exe
784 C:\WINDOWS\system32\ati2evxx.exe
804 C:\WINDOWS\system32\svchost.exe
852 svchost.exe
928 C:\WINDOWS\system32\svchost.exe
1032 svchost.exe
1104 svchost.exe
1204 C:\WINDOWS\system32\spoolsv.exe
1284 C:\WINDOWS\system32\ati2evxx.exe
1480 svchost.exe
1516 E:\Program Files\Common Files\Siemens\SWS\almsrv\almsrvx.exe
1528 C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
1544 C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
1628 E:\Program\FRITZ!DSL\IGDCTRL.EXE
1656 C:\Program Files\Java\jre6\bin\jqs.exe
1680 sqlservr.exe
1808 E:\Program\CDBurnerXP\NMSAccessU.exe
1880 G:\Program\Siemens\Step7\S7BIN\s7asysvx.exe
1956 E:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
2004 C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
168 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
184 C:\WINDOWS\system32\svchost.exe
2068 alg.exe
2656 C:\Program Files\Google\Update\GoogleUpdate.exe
3540 C:\WINDOWS\explorer.exe
1860 C:\WINDOWS\system32\ctfmon.exe
3500 E:\Program\Mozilla Firefox\firefox.exe
3016 C:\Documents and Settings\Martin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000000c`34f34a00 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x00000024`9ed8e200 (NTFS)
\\.\G: --> \\.\PhysicalDrive0 at offset 0x0000003d`08be7a00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD502IJ, Rev: 1AA01113

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Alt 15.11.2010, 05:11   #24
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
winlogon - Standard

winlogon



Looks OK. As a check, please run full scans with Malwarebytes and SUPERAntiSpyware and post the logs.
Remember to update both tools before scanning!!
__________________
Please always post logfiles in CODE tags

Alt 16.11.2010, 00:05   #25
fcangmar
 
winlogon - Standard

winlogon



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5121

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

15.11.2010 23:33:32
mbam-log-2010-11-15 (23-33-32).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|)
Objects scanned: 476975
Time elapsed: 39 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\explorer.vir (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\winlogon.vir (Heuristics.Reserved.Word.Exploit) -> No action taken.

Alt 16.11.2010, 01:05   #26
fcangmar
 
winlogon - Standard

winlogon



SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 11/16/2010 at 01:04 AM

Application Version : 4.45.1000

Core Rules Database Version : 5863
Trace Rules Database Version: 3675

Scan type : Complete Scan
Total Scan Time : 00:54:36

Memory items scanned : 477
Memory threats detected : 0
Registry items scanned : 10332
Registry threats detected : 0
File items scanned : 157310
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Martin\Cookies\martin@avgtechnologies.112.2o7[1].txt

Alt 16.11.2010, 08:52   #27
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
winlogon - Standard

winlogon



Looks OK, only cookies were found. And the files you renamed with Linux can be deleted.
Any more problems or further findings in the meantime?
__________________
Please always post logfiles in CODE tags
