Endlich fertig ... GMER
Beim ersten Versuch: Absturz
Zweiter Versuch: leider mit aktiviertem Virenscanner, abgebrochen
Dritter Versuch: quälend langsam, nach ca. 36 Stunden (und inzwischen durch Timer gestartetem Programm Phonostar) folgendes Log:
GMER Logfile: Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2011-09-01 08:28:44
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD15 rev.51.0
Running: vn8jrqg3.exe; Driver: C:\Users\doc_mk7\AppData\Local\Temp\fgtdapow.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C96539 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBB092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spdm.sys Das System kann den angegebenen Pfad nicht finden. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91236000, 0x2FBAB4, 0xE8000020]
.text USBPORT.SYS!DllUnload 91DA5D18 5 Bytes JMP 88C904E0
.text anbfyv8h.SYS 90FC2000 12 Bytes [44, 18, C2, 82, EE, 16, C2, ...]
.text anbfyv8h.SYS 90FC200D 9 Bytes [F7, C1, 82, 48, 1B, C2, 82, ...] {TEST ECX, 0xc21b4882; ADD BYTE [EAX], 0x0}
.text anbfyv8h.SYS 90FC2017 20 Bytes [00, DE, 47, 1A, 8B, E6, 45, ...]
.text anbfyv8h.SYS 90FC202C 20 Bytes [00, 00, 00, 00, E0, 11, C9, ...]
.text anbfyv8h.SYS 90FC2041 128 Bytes [B6, CB, 82, 60, B5, CB, 82, ...]
.text ...
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747F2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747D5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747D56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [747F250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [747E8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747E4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747E50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747E51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747E66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [747E82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [747E8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [747E907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [747EE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2012] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [747E4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 855721F8
Device \FileSystem\fastfat \FatCdrom 88C8E1F8
Device \Driver\volmgr \Device\HarddiskVolume12 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume12 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume13 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume13 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 8556E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{732048A9-7E8D-428F-9AF3-D5BE1F66BC7A} 88AB41F8
Device \Driver\usbehci \Device\USBPDO-0 88C91500
Device \Driver\usbehci \Device\USBPDO-1 88C91500
Device \Driver\PCI_PNP3741 \Device\00000057 spdm.sys
Device \Driver\USBSTOR \Device\00000070 893B51F8
Device \Driver\volmgr \Device\HarddiskVolume1 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000071 893B51F8
Device \Driver\volmgr \Device\HarddiskVolume2 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 88AF41F8
Device \Driver\USBSTOR \Device\00000072 893B51F8
Device \Driver\iaStor \Device\Ide\iaStor0 [8B47D420] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8B47D420] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8B47D420] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-2 [8B47D420] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\cdrom \Device\CdRom1 88AF41F8
Device \Driver\volmgr \Device\HarddiskVolume3 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000074 893B51F8
Device \Driver\volmgr \Device\HarddiskVolume4 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume5 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume6 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume7 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\sptd \Device\1401779742 spdm.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 88AB41F8
Device \Driver\volmgr \Device\HarddiskVolume8 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume9 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A295CD5-A244-421C-A8EF-9E3A343737CB} 88AB41F8
Device \Driver\usbehci \Device\USBFDO-0 88C91500
Device \Driver\usbehci \Device\USBFDO-1 88C91500
Device \Driver\volmgr \Device\HarddiskVolume10 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume11 8556E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\anbfyv8h \Device\Scsi\anbfyv8h1Port1Path0Target0Lun0 88CB5400
Device \Driver\anbfyv8h \Device\Scsi\anbfyv8h1 88CB5400
Device \FileSystem\fastfat \Fat 88C8E1F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0xE8 0x7C 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2A 0x37 0xC9 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x95 0x94 0x0B 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x82 0x53 0x78 0xA6 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFC 0x21 0xC0 0x4B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2A 0x37 0xC9 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x95 0x94 0x0B 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x82 0x53 0x78 0xA6 ...
---- EOF - GMER 1.0.15 ---- --- --- --- Osam
lief zügig durch und lieferte folgendes Log:
OSAM Logfile: Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 08:43:56 on 01.09.2011
OS: Windows 7 Home Premium Edition (Build 7600), 32-bit
Default Browser: Mozilla Corporation Firefox 3.6.18
Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures
Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries
[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\Windows\system32\DivXControlPanelApplet.cpl
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl
"ODBCCP32.CPL" - "Microsoft Corporation" - C:\Windows\system32\ODBCCP32.CPL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\MLCFG32.CPL
[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"anbfyv8h" (anbfyv8h) - "Microsoft Corporation" - C:\Windows\system32\drivers\anbfyv8h.sys (Hidden registry entry, rootkit activity | File signed by Microsoft)
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\Users\doc_mk7\AppData\Local\Temp\catchme.sys (File not found)
"epmntdrv" (epmntdrv) - ? - C:\Windows\system32\epmntdrv.sys (File found, but it contains no detailed information)
"EuGdiDrv" (EuGdiDrv) - ? - C:\Windows\system32\EuGdiDrv.sys (File found, but it contains no detailed information)
"fgtdapow" (fgtdapow) - ? - C:\Users\doc_mk7\AppData\Local\Temp\fgtdapow.sys (Hidden registry entry, rootkit activity | File not found)
"MBAMSwissArmy" (MBAMSwissArmy) - "Malwarebytes Corporation" - C:\Windows\system32\drivers\mbamswissarmy.sys
"pwdrvio" (pwdrvio) - ? - C:\Windows\system32\pwdrvio.sys (File found, but it contains no detailed information)
"pwdspio" (pwdspio) - ? - C:\Windows\system32\pwdspio.sys (File found, but it contains no detailed information)
"sptd" (sptd) - "Duplex Secure Ltd." - C:\Windows\System32\Drivers\sptd.sys (File is exclusively opened, access blocked)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"truecrypt" (truecrypt) - "TrueCrypt Foundation" - C:\Windows\System32\drivers\truecrypt.sys
[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found)
{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found)
{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found)
{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? - (File not found | COM-object registry key not found)
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
{03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{653DCCC2-13DB-45B2-A389-427885776CFE} "Activities Property Page" - "Microsoft Corporation" - c:\Program Files\Microsoft IntelliPoint\ipcplact.dll
{124597D8-850A-41AE-849C-017A4FA99CA2} "Buttons Property Page" - "Microsoft Corporation" - c:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll
{DE902992-61FC-4A01-8091-53E1895C9775} "CDR Icon Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
{7AD101F2-0B93-4D66-A1CA-DF73F3C4377B} "CDR preview provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellVista.dll
{7FA63AC0-F5BC-4F3B-A9CF-94328D812B62} "CDR Property Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellVista.dll
{1462EBAA-96E7-4D93-9A66-0E4068DE4FCF} "CDR Thumbnail provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
{0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
{DE902994-61FC-4A01-8091-53E1895C9775} "CMX Icon Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
{1462EBAC-96E7-4D93-9A66-0E4068DE4FCF} "CMX Thumbnail provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
{DE902993-61FC-4A01-8091-53E1895C9775} "CPT Icon Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
{7FA63AC1-F5BC-4F3B-A9CF-94328D812B62} "CPT Property Handler" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellVista.dll
{1462EBAB-96E7-4D93-9A66-0E4068DE4FCF} "CPT Thumbnail provider" - "Corel Corporation" - c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
{872A9397-E0D6-4e28-B64D-52B8D0A7EA35} "DisplayCplExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiamaxx.dll
{D8D1CE8C-B1EB-4E95-B63B-1531BA60E992} "DivX Property Handler" - "DivX, Inc." - C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXPropertyHandler.dll
{83238FAE-D346-4E12-8734-D42F7554B3E6} "DivX Thumbnail Provider" - "DivX, Inc." - C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXThumbnailProvider.dll
{3BEABCC1-BF31-42df-88D9-A2955D6B8528} "IntelliPoint Sensitivity Property Page" - "Microsoft Corporation" - c:\Program Files\Microsoft IntelliPoint\ipcplsens.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" - "Advanced Micro Devices, Inc." - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
{1184D0ED-DBCE-4170-8DBB-4D0C3905DA85} "Touch Property Page" - "Microsoft Corporation" - c:\Program Files\Microsoft IntelliPoint\ipcpltouch.dll
{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} "Wheel Property Page" - "Microsoft Corporation" - c:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll
{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{20082881-FC36-4E47-9A7A-644C95FF749F} "Wireless Property Page" - "Microsoft Corporation" - c:\Program Files\Microsoft IntelliPoint\ipcplwir.dll
{06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe
[Internet Explorer]
-----( HKCU\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"eBay - Der weltweite Online-Marktplatz" - ? - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 (HTTP value)
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_21" - "Oracle" - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} "Java Plug-in 1.6.0_21" - "Oracle" - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_21" - "Oracle" - C:\Program Files\Java\jre6\bin\npjpi160_21.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
{7530BFB8-7293-4D34-9923-61A11451AFC5} "OnlineScanner Control" - "ESET" - C:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX / hxxp://download.eset.com/special/eos/OnlineScanner.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} "@C:\Windows\WindowsMobile\INetRepl.dll,-222" - "Microsoft Corporation" - C:\Windows\WindowsMobile\INetRepl.dll
{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} "ClsidExtension" - "Microsoft Corporation" - C:\Windows\WindowsMobile\INetRepl.dll
"eBay - Der weltweite Online-Marktplatz" - ? - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 (HTTP value)
{5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{CC59E0F9-7E43-44FA-9FAA-8377850BF205} "FDMIECookiesBHO Class" - ? - C:\Program Files\Free Download Manager\iefdm2.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Oracle" - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} "Search Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? - (File not found | COM-object registry key not found)
[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\doc_mk7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"Dropbox.lnk" - "Dropbox, Inc." - C:\Users\doc_mk7\AppData\Roaming\Dropbox\bin\Dropbox.exe (Shortcut exists | File exists)
"portfolio.lnk" - ? - C:\moneten\portfolio.exe (Shortcut exists | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"DAEMON Tools Lite" - "DT Soft Ltd" - "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
"Free Download Manager" - "FreeDownloadManager.ORG" - C:\Program Files\Free Download Manager\fdm.exe -autorun
"phonostar-Player" - ? - C:\Program Files\phonostar-Player\phonostarStarter.exe (File found, but it contains no detailed information)
"phonostarTimer" - ? - C:\Program Files\phonostar-Player\phonostarTimer.exe (File found, but it contains no detailed information)
"swg" - "Google Inc." - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"CLMLServer" - "CyberLink" - "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
"DivXUpdate" - ? - "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"IAStorIcon" - "Intel Corporation" - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
"IntelliPoint" - "Microsoft Corporation" - "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"Malwarebytes' Anti-Malware (reboot)" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"NUSB3MON" - "Renesas Electronics Corporation" - "C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
"StartCCC" - "Advanced Micro Devices, Inc." - "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ASP.NET-Zustandsdienst" (aspnet_state) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Intel(R) Rapid Storage Technology" (IAStorDataMgrSvc) - "Intel Corporation" - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Protexis Licensing V2" (PSI_SVC_2) - "Protexis Inc." - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
"SeaPort" (SeaPort) - "Microsoft Corporation" - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
===[ Logfile end ]=========================================[ Logfile end ]=== --- --- --- aswMBR
lief zuerst auch sehr langsam und hängte sich dann nach einiger Zeit beim Scannen einer dll (CDRip.DLL) auf.
Nach Abbruch und Neustart des Rechners lief der zweite Versuch dann zügig (mit einem gelben und einem roten Eintrag) durch, wie man am Log sieht: Code:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-01 08:45:28
-----------------------------
08:45:28.629 OS Version: Windows 6.1.7600
08:45:28.629 Number of processors: 4 586 0x2505
08:45:28.630 ComputerName: PC7 UserName:
08:45:31.262 Initialize success
08:48:47.910 AVAST engine defs: 11083101
08:49:55.403 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:49:55.405 Disk 0 Vendor: WDC_WD15 51.0 Size: 1430799MB BusType: 3
08:49:55.406 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
08:49:55.408 Disk 1 Vendor: ST332082 3.AA Size: 305245MB BusType: 3
08:49:55.409 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000071
08:49:55.411 Disk 2 Vendor: Size: 305245MB BusType: 0
08:49:55.413 Disk 3 \Device\Harddisk3\DR3 -> \Device\00000072
08:49:55.415 Disk 3 Vendor: Size: 305245MB BusType: 0
08:49:57.586 Disk 0 MBR read successfully
08:49:57.592 Disk 0 MBR scan
08:49:57.709 Disk 0 unknown MBR code
08:49:57.716 Disk 0 MBR hidden
08:49:57.974 Disk 0 scanning sectors +2930275120
08:49:59.360 Disk 0 scanning C:\Windows\system32\drivers
08:55:00.009 Service scanning
08:55:00.450 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
08:55:00.988 Modules scanning
09:00:29.429 Disk 0 trace - called modules:
09:00:29.517 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spdm.sys halmacpi.dll >>UNKNOWN [0x8554a938]<<
09:00:29.521 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87e9d880]
09:00:29.524 3 CLASSPNP.SYS[8ba4e59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86318028]
09:00:31.300 AVAST engine scan C:\Windows
09:23:25.446 AVAST engine scan C:\Windows\system32
10:48:37.334 AVAST engine scan C:\Windows\system32\drivers
11:27:20.288 AVAST engine scan C:\Users\doc_mk7
14:56:06.922 Disk 0 MBR has been saved successfully to "C:\Users\doc_mk7\Desktop\MBR.dat"
14:56:06.933 The log file has been saved successfully to "C:\Users\doc_mk7\Desktop\aswMBR.txt"
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-02 00:11:03
-----------------------------
00:11:03.486 OS Version: Windows 6.1.7600
00:11:03.486 Number of processors: 4 586 0x2505
00:11:03.486 ComputerName: PC7 UserName:
00:11:08.743 Initialize success
00:14:16.911 AVAST engine defs: 11090101
00:14:23.213 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:14:23.213 Disk 0 Vendor: WDC_WD15 51.0 Size: 1430799MB BusType: 3
00:14:23.229 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
00:14:23.229 Disk 1 Vendor: ST332082 3.AA Size: 305245MB BusType: 3
00:14:23.229 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000073
00:14:23.244 Disk 2 Vendor: Size: 305245MB BusType: 0
00:14:23.244 Disk 3 \Device\Harddisk3\DR3 -> \Device\00000074
00:14:23.244 Disk 3 Vendor: Size: 305245MB BusType: 0
00:14:25.272 Disk 0 MBR read successfully
00:14:25.272 Disk 0 MBR scan
00:14:25.288 Disk 0 unknown MBR code
00:14:25.288 Disk 0 scanning sectors +2930275120
00:14:25.382 Disk 0 scanning C:\Windows\system32\drivers
00:14:38.361 Service scanning
00:14:38.907 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
00:14:39.468 Modules scanning
00:14:46.629 Disk 0 trace - called modules:
00:14:46.660 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spsg.sys halmacpi.dll >>UNKNOWN [0x8554a938]<<
00:14:46.660 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87e9ba38]
00:14:46.676 3 CLASSPNP.SYS[8ba7f59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x862b4028]
00:14:49.312 AVAST engine scan C:\Windows
00:14:56.363 AVAST engine scan C:\Windows\system32
00:16:59.962 AVAST engine scan C:\Windows\system32\drivers
00:17:11.849 AVAST engine scan C:\Users\doc_mk7
00:58:40.007 AVAST engine scan C:\ProgramData
00:59:28.710 Scan finished successfully
01:01:10.298 Disk 0 MBR has been saved successfully to "C:\Users\doc_mk7\Desktop\MBR.dat"
01:01:10.313 The log file has been saved successfully to "C:\Users\doc_mk7\Desktop\aswMBR.txt" |