Trojaner-Board
Seite 2 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Windows aus Sicherheitsgründen gesperrt- Zahlungaufforderung 50€ (https://www.trojaner-board.de/113484-windows-sicherheitsgruenden-gesperrt-zahlungaufforderung-50-a.html)

cosinus 24.04.2012 20:35
Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.
  • Starte combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
    Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!

Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Solltest du nach der Ausführung von Combofix Probleme beim Starten von Anwendungen haben und Meldungen erhalten wie

Zitat:
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
startest du Windows dann manuell neu und die Fehlermeldungen sollten nicht mehr auftauchen.

Gyroyoy 25.04.2012 20:18
Okay die Combofix tet

Combofix Logfile:
Code:
ComboFix 12-04-25.02 - Sven  Bruns 25.04.2012  21:01:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium  6.0.6002.2.1252.49.1031.18.3066.2008 [GMT 2:00]
ausgeführt von:: c:\users\Sven  Bruns\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Sven  Bruns\AppData\Roaming\Mozilla\Firefox\Profiles\0nx00ne6.default\weave\toFetch
c:\users\Sven  Bruns\AppData\Roaming\Mozilla\Firefox\Profiles\0nx00ne6.default\weave\toFetch\clients.json
c:\users\Sven  Bruns\AppData\Roaming\Mozilla\Firefox\Profiles\0nx00ne6.default\weave\toFetch\tabs.json
c:\users\Sven  Bruns\AppData\Roaming\Uninstal.exe
c:\windows\IsUn0407.exe
c:\windows\system32\urttemp
c:\windows\system32\urttemp\regtlib.exe
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-03-25 bis 2012-04-25  ))))))))))))))))))))))))))))))
.
.
2074-05-07 17:38 . 2006-11-21 19:48        203576        ------w-        c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-04-25 19:12 . 2012-04-25 19:12        --------        d-----w-        c:\users\UpdatusUser\AppData\Local\temp
2012-04-25 19:12 . 2012-04-25 19:12        --------        d-----w-        c:\users\Default\AppData\Local\temp
2012-04-25 18:55 . 2012-04-25 18:55        111        ----a-w-        C:\user.js
2012-04-25 18:55 . 2012-04-25 18:55        --------        d-----w-        c:\program files\Softonic
2012-04-25 18:52 . 2012-04-25 18:52        --------        d-----w-        c:\program files\Common Files\Blizzard Entertainment
2012-04-25 18:44 . 2012-04-25 18:44        --------        d-----w-        c:\program files\Mozilla Maintenance Service
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-15 21:53 . 2011-06-05 19:17        70304        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-22 19:12 . 2012-03-22 19:12        4435968        ----a-w-        c:\windows\system32\GPhotos.scr
2012-02-15 17:06 . 2011-10-16 12:05        137416        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2012-01-31 17:15 . 2012-02-13 14:18        4659712        ----a-w-        c:\windows\system32\Redemption.dll
2012-01-31 17:15 . 2012-01-31 17:15        90112        ----a-w-        c:\windows\MAMCityDownload.ocx
2012-01-31 17:15 . 2012-01-31 17:15        49152        ----a-w-        c:\windows\system32\MaJGUILib.dll
2012-01-31 17:15 . 2012-01-31 17:15        45056        ----a-w-        c:\windows\system32\MaXMLProto.dll
2012-01-31 17:15 . 2012-01-31 17:15        40960        ----a-w-        c:\windows\system32\MTTELECHIP.dll
2012-01-31 17:15 . 2012-01-31 17:15        325552        ----a-w-        c:\windows\MASetupCaller.dll
2012-01-31 17:15 . 2012-01-31 17:15        30568        ----a-w-        c:\windows\MusiccityDownload.exe
2012-01-31 17:15 . 2012-01-31 17:15        200704        ----a-w-        c:\windows\system32\muzwmts.dll
2012-01-31 17:15 . 2012-01-31 17:15        135168        ----a-w-        c:\windows\system32\muzaf1.dll
2012-01-31 17:15 . 2012-01-31 17:15        122880        ----a-w-        c:\windows\system32\muzeffect.ax
2012-01-31 17:15 . 2012-01-31 17:15        118784        ----a-w-        c:\windows\system32\MaDRM.dll
2012-01-31 17:15 . 2012-01-31 17:15        110592        ----a-w-        c:\windows\system32\muzmp4sp.ax
2012-01-31 17:15 . 2012-02-13 14:17        821824        ----a-w-        c:\windows\system32\dgderapi.dll
2012-01-31 17:15 . 2012-02-13 14:17        20032        ----a-w-        c:\windows\system32\drivers\dgderdrv.sys
2012-01-31 17:15 . 2012-01-31 17:15        974848        ----a-w-        c:\windows\system32\cis-2.4.dll
2012-01-31 17:15 . 2012-01-31 17:15        81920        ----a-w-        c:\windows\system32\issacapi_bs-2.3.dll
2012-01-31 17:15 . 2012-01-31 17:15        65536        ----a-w-        c:\windows\system32\issacapi_pe-2.3.dll
2012-01-31 17:15 . 2012-01-31 17:15        57344        ----a-w-        c:\windows\system32\MTXSYNCICON.dll
2012-01-31 17:15 . 2012-01-31 17:15        57344        ----a-w-        c:\windows\system32\MK_Lyric.dll
2012-01-31 17:15 . 2012-01-31 17:15        57344        ----a-w-        c:\windows\system32\issacapi_se-2.3.dll
2012-01-31 17:15 . 2012-01-31 17:15        569344        ----a-w-        c:\windows\system32\muzdecode.ax
2012-01-31 17:15 . 2012-01-31 17:15        491520        ----a-w-        c:\windows\system32\muzapp.dll
2012-01-31 17:15 . 2012-01-31 17:15        45056        ----a-w-        c:\windows\system32\MACXMLProto.dll
2012-01-31 17:15 . 2012-01-31 17:15        40960        ----a-w-        c:\windows\system32\MAMACExtract.dll
2012-01-31 17:15 . 2012-01-31 17:15        352256        ----a-w-        c:\windows\system32\MSLUR71.dll
2012-01-31 17:15 . 2012-01-31 17:15        258048        ----a-w-        c:\windows\system32\muzoggsp.ax
2012-01-31 17:15 . 2012-01-31 17:15        245760        ----a-w-        c:\windows\system32\MSCLib.dll
2012-01-31 17:15 . 2012-01-31 17:15        24576        ----a-w-        c:\windows\system32\MASetupCleaner.exe
2012-01-31 17:15 . 2012-01-31 17:15        172032        ----a-w-        c:\windows\system32\muzapp.exe
2012-01-31 17:15 . 2012-01-31 17:15        155648        ----a-w-        c:\windows\system32\MSFLib.dll
2012-01-31 17:15 . 2012-01-31 17:15        143360        ----a-w-        c:\windows\system32\3DAudio.ax
2012-01-31 17:15 . 2012-01-31 17:15        131072        ----a-w-        c:\windows\system32\muzmpgsp.ax
2012-01-31 17:15 . 2009-04-26 08:44        319456        ----a-w-        c:\windows\system32\DIFxAPI.dll
2012-04-25 18:44 . 2011-07-04 12:26        97208        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E87806B5-E908-45FD-AF5E-957D83E58E68}]
2012-03-15 13:57        242384        ----a-w-        c:\program files\Softonic\Softonic\1.5.21.0\bh\Softonic.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5018CFD2-804D-4C99-9F81-25EAEA2769DE}"= "c:\program files\Softonic\Softonic\1.5.21.0\SoftonicTlbr.dll" [2012-03-15 250576]
.
[HKEY_CLASSES_ROOT\clsid\{5018cfd2-804d-4c99-9f81-25eaea2769de}]
[HKEY_CLASSES_ROOT\Softonic.dskBnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[HKEY_CLASSES_ROOT\Softonic.dskBnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2012-02-03 943504]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-03-01 21416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2008-11-05 474168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-05 1434920]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-03-05 805384]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-04-03 698912]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-02-03 3508624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4StoryPrePatch]
2010-11-01 17:45        319488        ----a-w-        c:\program files\Gameforge4D\4Story\PrePatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 00:36        421736        ----a-w-        c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-02 20:39        3882312        ----a-w-        c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06        254696        ----a-w-        c:\program files\Common Files\Java\Java Update\jusched.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 253088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation        REG_MULTI_SZ          FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:53]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 23:11]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 23:11]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page =
uDefault_Search_URL =
mStart Page =
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to Mp3 Converter - c:\users\Sven  Bruns\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - c:\program files\ICQ7.7\ICQ.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {C212D449-8B3C-41F2-BD9A-047BD770550F} - hxxp://operation7.fiaa.eu/OPLauncher.cab
FF - ProfilePath - c:\users\Sven  Bruns\AppData\Roaming\Mozilla\Firefox\Profiles\0nx00ne6.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxps://www.google.de/
FF - user.js: extensions.Softonic.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic_i.newTab - false
FF - user.js: extensions.Softonic.tlbrSrchUrl - hxxp://search.softonic.com/MON1204T11/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.Softonic.id - a03fb7820000000000000c6076313ecc
FF - user.js: extensions.Softonic.instlDay - 15455
FF - user.js: extensions.Softonic.vrsn - 1.5.21.0
FF - user.js: extensions.Softonic.vrsni - 1.5.21.0
FF - user.js: extensions.Softonic_i.vrsnTs - 1.5.21.020:55
FF - user.js: extensions.Softonic.prtnrId - softonic
FF - user.js: extensions.Softonic.prdct - Softonic
FF - user.js: extensions.Softonic.aflt - SD
FF - user.js: extensions.Softonic_i.smplGrp - none
FF - user.js: extensions.Softonic.tlbrId - base
FF - user.js: extensions.Softonic.instlRef - MON1204T11
FF - user.js: extensions.Softonic.dfltLng - de
FF - user.js: extensions.Softonic.excTlbr - false
FF - user.js: extensions.Softonic.admin - false
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-MediaGet2 - c:\users\Sven  Bruns\AppData\Local\MediaGet2\mediaget.exe
HKLM-Run-Ocs_SM - c:\users\Sven  Bruns\AppData\Roaming\OCS\SM\SearchAnonymizer.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-ICQ - c:\program files\ICQ7.5\ICQ.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
AddRemove-Minecraft 1.2.0_02 - c:\users\Sven  Bruns\AppData\Roaming\Uninstal.exe
AddRemove-SearchAnonymizer - c:\users\Sven  Bruns\AppData\Roaming\OCS\SM\SearchAnonymizer.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-04-25 21:12
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1899564752-3391272897-2100108512-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:5a,0c,62,98,3e,9d,8e,d7,c5,b2,40,62,46,b4,6a,08,af,e2,98,6f,22,e8,14,
  f1,31,d8,2a,38,5f,70,30,f9,e1,e1,22,e9,f2,f2,14,fb,b0,4b,a1,9d,96,5f,56,1c,\
"??"=hex:b9,03,eb,50,79,e1,2e,2c,2e,24,7f,2b,a0,c2,0b,8f
.
[HKEY_USERS\S-1-5-21-1899564752-3391272897-2100108512-1003\Software\SecuROM\License information*]
"datasecu"=hex:d1,72,69,78,9d,0b,15,50,34,54,c6,e7,ac,58,18,a3,c3,49,f9,8c,48,
  e8,92,11,51,1f,bf,a4,8e,d1,90,97,ca,f7,91,a0,95,6b,90,9f,51,1c,57,9a,45,d3,\
"rkeysecu"=hex:bb,c8,f2,f8,0a,59,09,8b,00,a3,e5,0c,84,45,b7,b3
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2012-04-25  21:16:03
ComboFix-quarantined-files.txt  2012-04-25 19:15
.
Vor Suchlauf: 23 Verzeichnis(se), 191.504.695.296 Bytes frei
Nach Suchlauf: 29 Verzeichnis(se), 191.428.112.384 Bytes frei
.
- - End Of File - - 9D135F640071102A507E27C6E707BFED
--- --- ---

cosinus 25.04.2012 20:45
Combofix - Scripten

1. Starte das Notepad (Start / Ausführen / notepad[Enter])

2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein.

Code:
File::
C:\user.js

Folder::
c:\program files\Softonic

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E87806B5-E908-45FD-AF5E-957D83E58E68}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5018CFD2-804D-4C99-9F81-25EAEA2769DE}"=-
[-HKEY_CLASSES_ROOT\clsid\{5018cfd2-804d-4c99-9f81-25eaea2769de}]
[-HKEY_CLASSES_ROOT\Softonic.dskBnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
[-HKEY_CLASSES_ROOT\Softonic.dskBnd]

Firefox::
FF - ProfilePath - c:\users\Sven  Bruns\AppData\Roaming\Mozilla\Firefox\Profiles\0nx00ne6.default\
FF - user.js: extensions.Softonic.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic_i.newTab - false
FF - user.js: extensions.Softonic.tlbrSrchUrl - http://search.softonic.com/MON1204T11/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.Softonic.id - a03fb7820000000000000c6076313ecc
FF - user.js: extensions.Softonic.instlDay - 15455
FF - user.js: extensions.Softonic.vrsn - 1.5.21.0
FF - user.js: extensions.Softonic.vrsni - 1.5.21.0
FF - user.js: extensions.Softonic_i.vrsnTs - 1.5.21.020:55
FF - user.js: extensions.Softonic.prtnrId - softonic
FF - user.js: extensions.Softonic.prdct - Softonic
FF - user.js: extensions.Softonic.aflt - SD
FF - user.js: extensions.Softonic_i.smplGrp - none
FF - user.js: extensions.Softonic.tlbrId - base
FF - user.js: extensions.Softonic.instlRef - MON1204T11
FF - user.js: extensions.Softonic.dfltLng - de
FF - user.js: extensions.Softonic.excTlbr - false
FF - user.js: extensions.Softonic.admin - false
3. Speichere im Notepad als CFScript.txt auf dem Desktop.

4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall.
(Auch Guards von Ad-, Spyware Programmen und den Tea Timer (wenn vorhanden) !)

5. Dann ziehe die CFScript.txt auf die cofi.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien:
Combofix.txt

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!

Gyroyoy 25.04.2012 21:18
Und das nächste log
Combofix Logfile:
Code:
ComboFix 12-04-25.02 - Sven  Bruns 25.04.2012  22:02:55.2.2 - x86
Microsoft® Windows Vista™ Home Premium  6.0.6002.2.1252.49.1031.18.3066.1711 [GMT 2:00]
ausgeführt von:: c:\users\Sven  Bruns\Downloads\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Sven  Bruns\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
FILE ::
"C:\user.js"
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Softonic
c:\program files\Softonic\Softonic\1.5.21.0\bh\Softonic.dll
c:\program files\Softonic\Softonic\1.5.21.0\escortShld.dll
c:\program files\Softonic\Softonic\1.5.21.0\SoftonicApp.dll
c:\program files\Softonic\Softonic\1.5.21.0\SoftonicEng.dll
c:\program files\Softonic\Softonic\1.5.21.0\Softonicsrv.exe
c:\program files\Softonic\Softonic\1.5.21.0\SoftonicTlbr.dll
c:\program files\Softonic\Softonic\1.5.21.0\uninstall.exe
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-03-25 bis 2012-04-25  ))))))))))))))))))))))))))))))
.
.
2074-05-07 17:38 . 2006-11-21 19:48        203576        ------w-        c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-04-25 20:13 . 2012-04-25 20:13        --------        d-----w-        c:\users\UpdatusUser\AppData\Local\temp
2012-04-25 20:13 . 2012-04-25 20:13        --------        d-----w-        c:\users\Default\AppData\Local\temp
2012-04-25 18:55 . 2012-04-25 18:55        111        ----a-w-        C:\user.js
2012-04-25 18:52 . 2012-04-25 18:52        --------        d-----w-        c:\program files\Common Files\Blizzard Entertainment
2012-04-25 18:44 . 2012-04-25 18:44        --------        d-----w-        c:\program files\Mozilla Maintenance Service
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-15 21:53 . 2011-06-05 19:17        70304        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-22 19:12 . 2012-03-22 19:12        4435968        ----a-w-        c:\windows\system32\GPhotos.scr
2012-02-15 17:06 . 2011-10-16 12:05        137416        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2012-01-31 17:15 . 2012-02-13 14:18        4659712        ----a-w-        c:\windows\system32\Redemption.dll
2012-01-31 17:15 . 2012-01-31 17:15        90112        ----a-w-        c:\windows\MAMCityDownload.ocx
2012-01-31 17:15 . 2012-01-31 17:15        49152        ----a-w-        c:\windows\system32\MaJGUILib.dll
2012-01-31 17:15 . 2012-01-31 17:15        45056        ----a-w-        c:\windows\system32\MaXMLProto.dll
2012-01-31 17:15 . 2012-01-31 17:15        40960        ----a-w-        c:\windows\system32\MTTELECHIP.dll
2012-01-31 17:15 . 2012-01-31 17:15        325552        ----a-w-        c:\windows\MASetupCaller.dll
2012-01-31 17:15 . 2012-01-31 17:15        30568        ----a-w-        c:\windows\MusiccityDownload.exe
2012-01-31 17:15 . 2012-01-31 17:15        200704        ----a-w-        c:\windows\system32\muzwmts.dll
2012-01-31 17:15 . 2012-01-31 17:15        135168        ----a-w-        c:\windows\system32\muzaf1.dll
2012-01-31 17:15 . 2012-01-31 17:15        122880        ----a-w-        c:\windows\system32\muzeffect.ax
2012-01-31 17:15 . 2012-01-31 17:15        118784        ----a-w-        c:\windows\system32\MaDRM.dll
2012-01-31 17:15 . 2012-01-31 17:15        110592        ----a-w-        c:\windows\system32\muzmp4sp.ax
2012-01-31 17:15 . 2012-02-13 14:17        821824        ----a-w-        c:\windows\system32\dgderapi.dll
2012-01-31 17:15 . 2012-02-13 14:17        20032        ----a-w-        c:\windows\system32\drivers\dgderdrv.sys
2012-01-31 17:15 . 2012-01-31 17:15        974848        ----a-w-        c:\windows\system32\cis-2.4.dll
2012-01-31 17:15 . 2012-01-31 17:15        81920        ----a-w-        c:\windows\system32\issacapi_bs-2.3.dll
2012-01-31 17:15 . 2012-01-31 17:15        65536        ----a-w-        c:\windows\system32\issacapi_pe-2.3.dll
2012-01-31 17:15 . 2012-01-31 17:15        57344        ----a-w-        c:\windows\system32\MTXSYNCICON.dll
2012-01-31 17:15 . 2012-01-31 17:15        57344        ----a-w-        c:\windows\system32\MK_Lyric.dll
2012-01-31 17:15 . 2012-01-31 17:15        57344        ----a-w-        c:\windows\system32\issacapi_se-2.3.dll
2012-01-31 17:15 . 2012-01-31 17:15        569344        ----a-w-        c:\windows\system32\muzdecode.ax
2012-01-31 17:15 . 2012-01-31 17:15        491520        ----a-w-        c:\windows\system32\muzapp.dll
2012-01-31 17:15 . 2012-01-31 17:15        45056        ----a-w-        c:\windows\system32\MACXMLProto.dll
2012-01-31 17:15 . 2012-01-31 17:15        40960        ----a-w-        c:\windows\system32\MAMACExtract.dll
2012-01-31 17:15 . 2012-01-31 17:15        352256        ----a-w-        c:\windows\system32\MSLUR71.dll
2012-01-31 17:15 . 2012-01-31 17:15        258048        ----a-w-        c:\windows\system32\muzoggsp.ax
2012-01-31 17:15 . 2012-01-31 17:15        245760        ----a-w-        c:\windows\system32\MSCLib.dll
2012-01-31 17:15 . 2012-01-31 17:15        24576        ----a-w-        c:\windows\system32\MASetupCleaner.exe
2012-01-31 17:15 . 2012-01-31 17:15        172032        ----a-w-        c:\windows\system32\muzapp.exe
2012-01-31 17:15 . 2012-01-31 17:15        155648        ----a-w-        c:\windows\system32\MSFLib.dll
2012-01-31 17:15 . 2012-01-31 17:15        143360        ----a-w-        c:\windows\system32\3DAudio.ax
2012-01-31 17:15 . 2012-01-31 17:15        131072        ----a-w-        c:\windows\system32\muzmpgsp.ax
2012-01-31 17:15 . 2009-04-26 08:44        319456        ----a-w-        c:\windows\system32\DIFxAPI.dll
2012-04-25 18:44 . 2011-07-04 12:26        97208        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2012-02-03 943504]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-03-01 21416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2008-11-05 474168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-05 1434920]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-03-05 805384]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-04-03 698912]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-02-03 3508624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4StoryPrePatch]
2010-11-01 17:45        319488        ----a-w-        c:\program files\Gameforge4D\4Story\PrePatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 00:36        421736        ----a-w-        c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-02 20:39        3882312        ----a-w-        c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06        254696        ----a-w-        c:\program files\Common Files\Java\Java Update\jusched.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 253088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation        REG_MULTI_SZ          FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:53]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 23:11]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 23:11]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page =
uDefault_Search_URL =
mStart Page =
uSearchAssistant =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to Mp3 Converter - c:\users\Sven  Bruns\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - c:\program files\ICQ7.7\ICQ.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {C212D449-8B3C-41F2-BD9A-047BD770550F} - hxxp://operation7.fiaa.eu/OPLauncher.cab
FF - ProfilePath - c:\users\Sven  Bruns\AppData\Roaming\Mozilla\Firefox\Profiles\0nx00ne6.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxps://www.google.de/
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-Softonic - c:\program files\Softonic\Softonic\1.5.21.0\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-04-25 22:13
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1899564752-3391272897-2100108512-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:5a,0c,62,98,3e,9d,8e,d7,c5,b2,40,62,46,b4,6a,08,af,e2,98,6f,22,e8,14,
  f1,31,d8,2a,38,5f,70,30,f9,e1,e1,22,e9,f2,f2,14,fb,b0,4b,a1,9d,96,5f,56,1c,\
"??"=hex:b9,03,eb,50,79,e1,2e,2c,2e,24,7f,2b,a0,c2,0b,8f
.
[HKEY_USERS\S-1-5-21-1899564752-3391272897-2100108512-1003\Software\SecuROM\License information*]
"datasecu"=hex:d1,72,69,78,9d,0b,15,50,34,54,c6,e7,ac,58,18,a3,c3,49,f9,8c,48,
  e8,92,11,51,1f,bf,a4,8e,d1,90,97,ca,f7,91,a0,95,6b,90,9f,51,1c,57,9a,45,d3,\
"rkeysecu"=hex:bb,c8,f2,f8,0a,59,09,8b,00,a3,e5,0c,84,45,b7,b3
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2012-04-25  22:16:23
ComboFix-quarantined-files.txt  2012-04-25 20:16
ComboFix2.txt  2012-04-25 19:16
.
Vor Suchlauf: 28 Verzeichnis(se), 193.445.249.024 Bytes frei
Nach Suchlauf: 29 Verzeichnis(se), 192.677.404.672 Bytes frei
.
- - End Of File - - A400724B15FA55E4F38570FD1A0A96EA
--- --- ---

cosinus 26.04.2012 09:23
Zitat:
2012-04-25 18:55 . 2012-04-25 18:55 111 ----a-w- C:\user.js
Hm die C:\user.js ist immer noch da, obwohl die mit CF eigentlich gelöscht werden sollte. Lad die bitte mal bei uns hoch => http://www.trojaner-board.de/54791-a...ner-board.html
Du kannst diese Datei auch mit dem Editor notepad öffnen und den Inhalt hier komplett posten (bitte in CODE-Tags!)

Gyroyoy 27.04.2012 21:26
Da ich den Upload nicht hinbekomme ist hier der inhalt der .js

Code:
user_pref("extensions.Softonic_i.dfltLng", "de");
user_pref("extensions.Softonic_i.instlRef", "MON1204T11");

cosinus 28.04.2012 14:05
Feinster SOftonic-Müll ist das :pfui:
Kannst du die Datei C:\user.js manuell löschen?

Gyroyoy 29.04.2012 08:33
Also nachdem ich die Datei manuel gelöscht habe hat sich ein Fenster geüfnet mit der frage ob ich die daei neu erstellen möchte dieses habe ich mit ja beantwortet

cosinus 30.04.2012 12:14
Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.

Hinweis: Zum Entpacken von OSAM bitte WinRAR oder 7zip verwenden! Stell auch unbedingt den Virenscanner ab, besonders der Scanner von McAfee meldet oft einen Fehalarm in OSAM!

Downloade dir bitte aswMBR.exe und speichere die Datei auf deinem Desktop.
  • Starte die aswMBR.exe - (aswMBR.exe Anleitung)
    Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten".
  • Das Tool wird dich fragen, ob Du mit der aktuellen Virendefinition von AVAST! dein System scannen willst. Beantworte diese Frage bitte mit Ja. (Sollte deine Firewall fragen, bitte den Zugriff auf das Internet zulassen )
    Der Download der Definitionen kann je nach Verbindung eine Weile dauern.
  • Klicke auf Scan.
  • Warte bitte bis Scan finished successfully im DOS-Fenster steht.
  • Drücke auf Save Log und speichere diese auf dem Desktop.
Poste mir die aswMBR.txt in deiner nächsten Antwort.

Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung

Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none).



Noch ein Hinweis: Sollte aswMBR abstürzen und es kommt eine Meldung wie "aswMBR.exe funktioniert nicht mehr, dann mach Folgendes:
Starte aswMBR neu, wähle unten links im Drop-Down-Menü (unten links im Fenster von aswMBR) bei "AV scan" (none) aus und klick nochmal auf den Scan-Button.

Gyroyoy 05.05.2012 11:18
Das GMER log
GMER Logfile:
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-05-05 11:42:57
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: y1omjiyt.exe; Driver: C:\Users\SVENBR~1\AppData\Local\Temp\uwdcquob.sys


---- System - GMER 1.0.15 ----

SSDT      8C60096E                                                                                                                  ZwCreateSection
SSDT      8C600978                                                                                                                  ZwRequestWaitReplyPort
SSDT      8C600973                                                                                                                  ZwSetContextThread
SSDT      8C60097D                                                                                                                  ZwSetSecurityObject
SSDT      8C600982                                                                                                                  ZwSystemDebugControl
SSDT      8C60090F                                                                                                                  ZwTerminateProcess

INT 0x51  ?                                                                                                                          86F00F00
INT 0x51  ?                                                                                                                          86F00F00
INT 0x51  ?                                                                                                                          86F00F00
INT 0x72  ?                                                                                                                          86F00F00
INT 0x82  ?                                                                                                                          86F00F00
INT 0x92  ?                                                                                                                          86F00F00
INT 0xA2  ?                                                                                                                          85520BF8
INT 0xA2  ?                                                                                                                          86F00F00
INT 0xA2  ?                                                                                                                          86F00F00
INT 0xA2  ?                                                                                                                          85520BF8

---- Kernel code sections - GMER 1.0.15 ----

.text    ntkrnlpa.exe!KeSetEvent + 215                                                                                              820F4998 4 Bytes  [6E, 09, 60, 8C] {OUTSB ; OR [EAX-0x74], ESP}
.text    ntkrnlpa.exe!KeSetEvent + 539                                                                                              820F4CBC 4 Bytes  [78, 09, 60, 8C]
.text    ntkrnlpa.exe!KeSetEvent + 56D                                                                                              820F4CF0 4 Bytes  [73, 09, 60, 8C]
.text    ntkrnlpa.exe!KeSetEvent + 5D1                                                                                              820F4D54 4 Bytes  [7D, 09, 60, 8C]
.text    ntkrnlpa.exe!KeSetEvent + 619                                                                                              820F4D9C 4 Bytes  [82, 09, 60, 8C]
.text    ...                                                                                                                       
?        System32\Drivers\spft.sys                                                                                                  Das System kann den angegebenen Pfad nicht finden. !
.text    USBPORT.SYS!DllUnload                                                                                                      8EEE741B 5 Bytes  JMP 86F004E0
.text    a52qqcux.SYS                                                                                                              8ED9B000 22 Bytes  [82, C3, 01, 82, 6C, C2, 01, ...]
.text    a52qqcux.SYS                                                                                                              8ED9B017 137 Bytes  [00, 32, C7, 78, 80, 3D, C5, ...]
.text    a52qqcux.SYS                                                                                                              8ED9B0A1 29 Bytes  [10, 0F, 82, 74, 06, 09, 82, ...]
.text    a52qqcux.SYS                                                                                                              8ED9B0BF 13 Bytes  [82, 00, 00, 00, 00, 00, 00, ...] {ADD BYTE [EAX], 0x0; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text    a52qqcux.SYS                                                                                                              8ED9B0CE 10 Bytes  [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text    ...                                                                                                                       

---- User code sections - GMER 1.0.15 ----

.text    C:\Program Files\Samsung\Kies\External\DeviceModules\DeviceManager.exe[2608] kernel32.dll!SetUnhandledExceptionFilter      76BAA8C5 3 Bytes  JMP 00467D40 C:\Program Files\Samsung\Kies\External\DeviceModules\DeviceManager.exe (DeviceManager.exe/Mobileleader Co., Ltd.)
.text    C:\Program Files\Samsung\Kies\External\DeviceModules\DeviceManager.exe[2608] kernel32.dll!SetUnhandledExceptionFilter + 4  76BAA8C9 1 Byte  [89]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                                  [806906D6] \SystemRoot\System32\Drivers\spft.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                                  [80690042] \SystemRoot\System32\Drivers\spft.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                          [80690800] \SystemRoot\System32\Drivers\spft.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort]                                                  [806900C0] \SystemRoot\System32\Drivers\spft.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                            [8069013E] \SystemRoot\System32\Drivers\spft.sys
IAT      \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                        [8069FB90] \SystemRoot\System32\Drivers\spft.sys
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortNotification]                                                CC358B04
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortWritePortUchar]                                              838EDC1F
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortWritePortUlong]                                              458B38C6
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortGetPhysicalAddress]                                          A5A5A514
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong]                                [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortGetScatterGatherList]                                        5F8EDBF0
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortReadPortUchar]                                                30810889
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortStallExecution]                                              54771129
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortGetParentBusType]                                            10C25D5E
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortRequestCallback]                                              8B55CC00
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortWritePortBufferUshort]                                        084D8BEC
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortGetUnCachedExtension]                                        0CF0918B
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortCompleteRequest]                                              458B0000
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortMoveMemory]                                                  8B108910
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests]                                    000CF491
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb]                                      04508900
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb]                                        053C7980
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortReadPortUshort]                                              560C558B
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortReadPortBufferUshort]                                        C6127557
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortInitialize]                                                  B18D0502
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortGetDeviceBase]                                                00000CF8
IAT      \SystemRoot\System32\Drivers\a52qqcux.SYS[ataport.SYS!AtaPortDeviceStateChange]                                            A508788D

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                                    855221F8
Device    \FileSystem\cdfs \Cdfs                                                                                                    84CFF1F8

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                        771343423
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                        285507792
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                        1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                        C:\Program Files\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                        0x00 0x00 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                        0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                    0xC9 0x98 0xFE 0x09 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                              0x20 0x01 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                            0x54 0x10 0x19 0x3E ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                      0x26 0x09 0x3F 0xF6 ...
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                     
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                            C:\Program Files\DAEMON Tools Lite\
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                            0x00 0x00 0x00 0x00 ...
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                            0
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                        0xC9 0x98 0xFE 0x09 ...
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)             
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                  0x20 0x01 0x00 0x00 ...
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                0x54 0x10 0x19 0x3E ...
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)       
Reg      HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                          0x26 0x09 0x3F 0xF6 ...

---- EOF - GMER 1.0.15 ----
--- --- ---

Das OSAM log
OSAM Logfile:
Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 11:59:34 on 05.05.2012

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Mozilla Corporation Firefox 12.0

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Adobe Flash Player Updater.job" - "Adobe Systems Incorporated" - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLCFG32.CPL
"Pando" - "Pando Networks" - C:\Program Files\Pando Networks\Media Booster\PMB.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ab0h1jtn" (ab0h1jtn) - "Microsoft Corporation" - C:\Windows\system32\drivers\ab0h1jtn.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"avkmgr" (avkmgr) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avkmgr.sys
"catchme" (catchme) - ? - C:\Users\SVENBR~1\AppData\Local\Temp\catchme.sys  (File not found)
"EagleNT" (EagleNT) - ? - C:\Windows\system32\drivers\EagleNT.sys  (File not found)
"EagleXNt" (EagleXNt) - ? - C:\Windows\system32\drivers\EagleXNt.sys  (File not found)
"GridinSoft Trojan Killer Driver" (TrojanKillerDriver) - "Windows (R) Win 7 DDK provider" - C:\Windows\System32\DRIVERS\gtkdrv.sys
"Hamachi Network Interface" (hamachi) - "LogMeIn, Inc." - C:\Windows\System32\DRIVERS\hamachi.sys
"int15.sys" (int15.sys) - ? - C:\Windows\System32\OEM\Factory\int15.sys  (File found, but it contains no detailed information)
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"sptd" (sptd) - "Duplex Secure Ltd." - C:\Windows\System32\Drivers\sptd.sys  (File is exclusively opened, access blocked)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"UBHelper" (UBHelper) - "NewTech Infosystems Corporation" - C:\Windows\system32\drivers\UBHelper.sys
"Upper Class Filter Driver" (NTIDrvr) - "NewTech Infosystems, Inc." - C:\Windows\System32\DRIVERS\NTIDrvr.sys
"USBIO Driver (usbio.sys)" (USBIO) - "Thesycon GmbH, Germany" - C:\Windows\System32\Drivers\usbio.sys
"XDva375" (XDva375) - ? - C:\Windows\system32\XDva375.sys  (File not found)

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - c:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
{03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -  (File not found | COM-object registry key not found)
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -  (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -  (File not found | COM-object registry key not found)
{D5906221-A717-479B-9B49-CD848F9CE816} "BitZipper32" - ? -  (File not found | COM-object registry key not found)
{0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -  (File not found | COM-object registry key not found)
{A70C977A-BF00-412C-90B7-034C51DA2439} "DesktopContext Class" - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\Display\nvui.dll
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -  (File not found | COM-object registry key not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -  (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{00020d75-0000-0000-c000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} "NVIDIA CPL Context Menu Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -  (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -  (File not found | COM-object registry key not found)
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -  (File not found | COM-object registry key not found)
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Program Files\WinRAR\rarext.dll
{06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_32" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} "Java Plug-in 1.6.0_32" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_32" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_32.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
{C212D449-8B3C-41F2-BD9A-047BD770550F} "Perparer Class" - "AB" - C:\Windows\DOWNLO~1\OPLAUN~1.DLL / hxxp://operation7.fiaa.eu/OPLauncher.cab
{233C1507-6A77-46A4-9443-F871F945D258} "Shockwave ActiveX Control" - "Adobe Systems, Inc." - C:\Windows\system32\Adobe\Director\SwDir.dll / hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\Windows\system32\Macromed\Flash\Flash32_11_2_202_233.ocx / hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{1E54D648-B804-468d-BC78-4AFFED8E262F} "System Requirements Lab Class" - "Husdawg, LLC" - C:\Windows\Downloaded Program Files\sysreqlab_nvd.dll / hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
"ICQ7.7" - "ICQ, LLC." - C:\Program Files\ICQ7.7\ICQ.exe
{5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" - "Microsoft Corporation" - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\ssv.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Sven  Bruns\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"KiesHelper" - "Samsung" - C:\Program Files\Samsung\Kies\KiesHelper.exe /s
"KiesPDLR" - ? - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
"ProductReg" - "Acer" - "C:\Program Files\Acer\WR_PopUp\ProductReg.exe"
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acer ePower Management" - "Acer Incorporated" - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"APSDaemon" - "Apple Inc." - "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"avgnt" - "Avira Operations GmbH & Co. KG" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"cAudioFilterAgent" - "Conexant Systems, Inc." - C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe
"IAAnotif" - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"
"KiesTrayAgent" - "Samsung Electronics Co., Ltd." - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
"LManager" - "Dritek System Inc." - C:\Program Files\Launch Manager\LManager.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
"Acer ePower Service" (ePowerSvc) - "Acer Incorporated" - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
"Adobe Flash Player Update Service" (AdobeFlashPlayerUpdateSvc) - "Adobe Systems Incorporated" - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"Application Updater" (Application Updater) - ? - "C:\Program Files\Application Updater\ApplicationUpdater.exe"  (File not found)
"ASP.NET-Zustandsdienst" (aspnet_state) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
"Avira Planer" (AntiVirSchedulerService) - "Avira Operations GmbH & Co. KG" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"Intel(R) Matrix Storage Event Monitor" (IAANTMON) - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Mozilla Maintenance Service" (MozillaMaintenance) - "Mozilla Foundation" - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
"nProtect GameGuard Service" (npggsvc) - "INCA Internet Co., Ltd." - C:\Windows\system32\GameMon.des
"NTI Backup Now 5 Backup Service" (NTIBackupSvc) - "NewTech InfoSystems, Inc." - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
"NTI Backup Now 5 Scheduler Service" (NTISchedulerSvc) - "NewTech Infosystems, Inc." - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
"NVIDIA Display Driver Service" (nvsvc) - "NVIDIA Corporation" - C:\Windows\system32\nvvsvc.exe
"NVIDIA Update Service Daemon" (nvUpdatusService) - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"Raw Socket Service" (RS_Service) - "Acer Incorporated" - C:\Program Files\Acer\Acer VCM\RS_Service.exe
"SearchAnonymizer" (SearchAnonymizer) - ? - C:\Users\Sven  Bruns\AppData\Roaming\OCS\SM\SearchAnonymizerHelper.exe
"Skype Updater" (SkypeUpdate) - "Skype Technologies" - C:\Program Files\Skype\Updater\Updater.exe
"SQL Server (MSSMLBIZ)" (MSSQL$MSSMLBIZ) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"SQL Server-Startdienst für Business Contact Manager" (BcmSqlStartupSvc) - "Microsoft Corporation" - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
"Steam Client Service" (Steam Client Service) - "Valve Corporation" - C:\Program Files\Common Files\Steam\SteamService.exe
"TeamViewer 5" (TeamViewer5) - "TeamViewer GmbH" - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===
--- --- ---
If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
[/code]
und der aswMBR log
Code:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-05 12:00:17
-----------------------------
12:00:17.670    OS Version: Windows 6.0.6002 Service Pack 2
12:00:17.670    Number of processors: 2 586 0x170A
12:00:17.672    ComputerName: SVENBRUNS-PC  UserName: Sven  Bruns
12:00:20.384    Initialize success
12:12:56.118    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:12:56.124    Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
12:12:56.171    Disk 0 MBR read successfully
12:12:56.175    Disk 0 MBR scan
12:12:56.178    Disk 0 Windows VISTA default MBR code
12:12:56.187    Disk 0 Partition 1 00    27 Hidden NTFS WinRE NTFS        12288 MB offset 2048
12:12:56.207    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS      292955 MB offset 25167872
12:12:56.214    Disk 0 scanning sectors +625139712
12:12:56.292    Disk 0 scanning C:\Windows\system32\drivers
12:13:03.967    Service scanning
12:13:16.877    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
12:13:22.410    Modules scanning
12:13:27.662    Disk 0 trace - called modules:
12:13:27.689    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys sppw.sys >>UNKNOWN [0x854d7938]<<
12:13:27.703    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8658f8a0]
12:13:27.712    3 CLASSPNP.SYS[8a79d8b3] -> nt!IofCallDriver -> [0x85592198]
12:13:27.721    5 acpi.sys[807bf6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85594028]
12:13:27.729    Scan finished successfully
12:15:30.160    Disk 0 MBR has been saved successfully to "C:\Users\Sven  Bruns\Desktop\MBR.dat"
12:15:30.176    The log file has been saved successfully to "C:\Users\Sven  Bruns\Desktop\aswMBR.txt"

cosinus 06.05.2012 18:13
Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SASW und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!


Alle Zeitangaben in WEZ +1. Es ist jetzt 22:42 Uhr.
Seite 2 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131