Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Bitte nicht schon wieder neu aufsetzen... (https://www.trojaner-board.de/61409-bitte-schon-neu-aufsetzen.html)

champpain 06.10.2008 11:27
Bitte nicht schon wieder neu aufsetzen...
 
Hallo.
Ich bin mir keiner Schuld bewusst. Seit den letzten Infektionen, habe ich äußerst penibel darauf geachtet, was ich so an dateien öffne & installiere, aber seit heute früh poppen im IE ständig Werbefenster auf.

Ist mal einer so nett und schaut über meine logfile?

Vielen Dank...
:)

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:13, on 06.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AAV\aavus.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\D-Link NetDefend\ncprwsnt.exe
C:\WINDOWS\D-Link NetDefend\ncpsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\D-Link NetDefend\rwsrsu.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = h**p=localhost:8118;h**ps=localhost:8118
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [23fc883e] rundll32.exe "C:\WINDOWS\system32\ioyrkveu.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=h**p://www.hp.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - h**p://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Program%20Files/AutoCAD%202002%20Deu/InstFred.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - h**p://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208630403562
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///C:/Program%20Files/AutoCAD%202002%20Deu/AcDcToday.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - h**p://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%202002%20Deu/InstBanr.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF94F73-2AA6-44D8-A562-A28831820D34} (Pixum EasyUploadX Control) - h**p://www.pixum.de/int/EasyUpload/ImgUploader.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///C:/Program%20Files/AutoCAD%202002%20Deu/AcPreview.ocx
O20 - AppInit_DLLs: rqmhve.dll
O23 - Service: AAV UpdateService - Unknown owner - C:\Program Files\Common Files\AAV\aavus.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ncprwsnt - Unknown owner - C:\WINDOWS\D-Link NetDefend\ncprwsnt.exe
O23 - Service: NcpSec - Unknown owner - C:\WINDOWS\D-Link NetDefend\ncpsec.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - Unknown owner - C:\WINDOWS\TEMP\UPDATE\SMINST\PCAngel.exe (file missing)
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: RwsRsu (rwsrsu) - Unknown owner - C:\WINDOWS\D-Link NetDefend\rwsrsu.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 14059 bytes

Chris4You 06.10.2008 12:16
Hi,

Bitte folgende Files prüfen:


Dateien Online überprüfen lassen:
  • Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:
Code:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe
C:\WINDOWS\system32\ioyrkveu.dll
C:\WINDOWS\system32\rqmhve.dll
  • Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
  • Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.
  • Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Falls alles erkannt wurde, hier weitermachen...
Also:
Anleitung Avenger (by swandog46)

1.) Lade dir das Tool Avenger und speichere es auf dem Desktop:

http://saved.im/mzi3ndg3nta0/aven.jpg

2.) Das Programm so einstellen wie es auf dem Bild zu sehen ist.

Kopiere nun folgenden Text in das weiße Feld:
(bei -> "input script here")

Code:
Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|prunnet
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|23fc883e
 
Files to delete:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe
C:\WINDOWS\system32\ioyrkveu.dll
C:\WINDOWS\system32\rqmhve.dll

Folders to delete:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

3.) Schliesse nun alle Programme (vorher notfalls abspeichern!) und Browser-Fenster, nach dem Ausführen des Avengers wird das System neu gestartet.


4.) Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet!

5.) Nachdem das System neu gestartet ist, findest du hier einen Report vom Avenger -> C:\avenger.txt
Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.


Hijackthis, fixen:
öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten
Beim fixen müssen alle Programme geschlossen sein!
Code:
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [23fc883e] rundll32.exe "C:\WINDOWS\system32\ioyrkveu.dll",b
O4 - HKCU\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
Danach bitte noch MAM mit Fullscan und alles bereinigen lassen, poste das Log ovn MAM und
ein neues HJ-LOG!

Malwarebytes Antimalware (MAM).
Anleitung&Download hier: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html

Chris

champpain 06.10.2008 13:11
Ok.

prun.exe
Code:
AhnLab-V3 2008.10.3.2 2008.10.06 -
AntiVir 7.8.1.34 2008.10.06 -
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.05 -
AVG 8.0.0.161 2008.10.05 -
BitDefender 7.2 2008.10.06 Generic.Malware.SYd.3D473CFC
CAT-QuickHeal 9.50 2008.10.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.10.06 -
DrWeb 4.44.0.09170 2008.10.06 -
eSafe 7.0.17.0 2008.10.05 Suspicious File
eTrust-Vet 31.6.6131 2008.10.06 -
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.06 -
Fortinet 3.113.0.0 2008.10.06 -
GData 19 2008.10.06 Generic.Malware.SYd.3D473CFC
Ikarus T3.1.1.34.0 2008.10.06 Trojan.Delf.Inject.BB
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.06 -
McAfee 5398 2008.10.04 -
Microsoft 1.4005 2008.10.06 -
NOD32 3496 2008.10.06 probably unknown NewHeur_PE
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 -
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.06 Suspicious
Rising 20.65.01.00 2008.10.06 -
SecureWeb-Gateway 6.7.6 2008.10.06 -
Sophos 4.34.0 2008.10.06 -
Sunbelt 3.1.1704.1 2008.10.05 -
Symantec 10 2008.10.06 -
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.06 -
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.6.1408 2008.10.06 -
VirusBuster 4.5.11.0 2008.10.05 -
weitere Informationen
File size: 33280 bytes
MD5...: 1ada7e09592e50b27dc395a96418857c
SHA1..: 1f6021b969e1dc7d8d272969487dddb8ebdd2de6
SHA256: 67f9e1c763a3ce88412aca8ec074610cce70e5f78b520bcf72d5b65347d22c7d
SHA512: 2c44fe8a6dd6fedf9831a315f9800d81a66eb1be6924400deb502ac27a930ae7
59bfd7ca0d6bd778683fc8ef3e414a13938f9c4c1018d16c30184ed408cb6270
PEiD..: PECompact 2.xx --> BitSum Technologies
TrID..: File type identification
Win32 EXE PECompact compressed (v2.x) (52.1%)
Win32 EXE PECompact compressed (generic) (36.7%)
Win32 Executable Generic (7.5%)
Generic Win/DOS Executable (1.7%)
DOS Executable Generic (1.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4010e0
timedatestamp.....: 0x48e91771 (Sun Oct 05 19:37:21 2008)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xf000 0x3000 7.89 8f5c00c8396bb3e1ac26b52077130226
.rsrc 0x10000 0x5000 0x5000 4.75 8b1aa156945d4e0e9779ba0fbfef1e56

( 2 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> MSVBVM60.DLL: MethCallEngine

( 0 exports )
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=9109508600D4452882CE007F64C016006A89188C
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact
ioyrkveu.dll wird als eine andere, bereits gescannte datei erkannt (vvsndfvb.dl_)
Code:
AhnLab-V3 2008.10.3.2 2008.10.03 -
AntiVir 7.8.1.34 2008.10.04 -
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.05 -
AVG 8.0.0.161 2008.10.05 -
BitDefender 7.2 2008.10.06 Trojan.Vundo.FNR
CAT-QuickHeal 9.50 2008.10.04 -
ClamAV 0.93.1 2008.10.05 -
DrWeb 4.44.0.09170 2008.10.05 -
eSafe 7.0.17.0 2008.10.05 Suspicious File
eTrust-Vet 31.6.6129 2008.10.04 Win32/VundoCryptorT!generic
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.06 Trojan.Win32.Monder.rhy
Fortinet 3.113.0.0 2008.10.04 -
GData 19 2008.10.06 Trojan.Vundo.FNR
Ikarus T3.1.1.34.0 2008.10.06 Trojan.Win32.Vundo.IG
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.06 Trojan.Win32.Monder.rhy
McAfee 5398 2008.10.04 Vundo.gen.k
Microsoft 1.4005 2008.10.06 Trojan:Win32/Vundo.gen!R
NOD32 3495 2008.10.04 -
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 -
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.06 Fraudulent Security Program
Rising 20.63.62.00 2008.09.28 Packer.Win32.Agent.v
SecureWeb-Gateway 6.7.6 2008.10.05 Win32.Malware.gen (suspicious)
Sophos 4.34.0 2008.10.05 Troj/Virtum-Gen
Sunbelt 3.1.1704.1 2008.10.05 -
Symantec 10 2008.10.06 -
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.03 Possible_Vundo-5
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.4.1406 2008.10.04 -
VirusBuster 4.5.11.0 2008.10.05 Trojan.Monder.Gen!Pac
weitere Informationen
File size: 75264 bytes
MD5...: 3fd58e5d6a5710bc6e8265ae2e145139
SHA1..: 0339dff62e0d2f3e5315ed38a8fcfb14925dbdee
SHA256: c2c0878fd67b48f382218fdbbc1c841a650a7d8be7b2a7ed713d6bba61902b7d
SHA512: a63d4383ce040e09fdb387a7fa1adb741f7bda70455dfabc5593efc9900ee184
c12b1002e5fb349f27ae10f1cea56fc83618be42be542187383dfd9869957264
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7000 0x6a00 7.96 994442fbfa1e822be2a04506595a572f
.data 0x8000 0x1000 0x400 4.64 d494c95c58506926c4f5d820a32d88e7
.rdata 0x9000 0x1c000 0xb400 7.94 38b110d9cc0583e5853f82626ad97bad

( 3 imports )
> USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
> KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey

( 0 exports )
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3A4A5DF10047EA3B26D501EEA65370003B52A8D9
genauso rqmhve.dll (rkpjcgcn.dll)
Code:
AhnLab-V3 2008.10.3.2 2008.10.06 -
AntiVir 7.8.1.34 2008.10.04 -
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.05 -
AVG 8.0.0.161 2008.10.05 -
BitDefender 7.2 2008.10.06 -
CAT-QuickHeal 9.50 2008.10.06 -
ClamAV 0.93.1 2008.10.06 -
DrWeb 4.44.0.09170 2008.10.05 -
eSafe 7.0.17.0 2008.10.05 Suspicious File
eTrust-Vet 31.6.6129 2008.10.04 Win32/VundoCryptorT!generic
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.06 -
Fortinet 3.113.0.0 2008.10.06 -
GData 19 2008.10.06 -
Ikarus T3.1.1.34.0 2008.10.06 Trojan.Win32.Vundo.IG
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.06 -
McAfee 5398 2008.10.04 -
Microsoft 1.4005 2008.10.06 Trojan:Win32/Vundo.gen!R
NOD32 3495 2008.10.04 -
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 -
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.06 -
Rising 20.65.00.00 2008.10.06 Packer.Win32.Agent.v
SecureWeb-Gateway 6.7.6 2008.10.06 Ad-Spyware.LooksLike.Virtumonde.alei
Sophos 4.34.0 2008.10.06 Troj/Virtum-Gen
Sunbelt 3.1.1704.1 2008.10.05 -
Symantec 10 2008.10.06 -
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.06 Possible_Vundo-5
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.6.1407 2008.10.06 -
VirusBuster 4.5.11.0 2008.10.05 Trojan.Monder.Gen!Pac
weitere Informationen
File size: 111616 bytes
MD5...: 707f24ca3271267d3fef7915bf44e5ed
SHA1..: d2fdc2a504f55a021a70f8104d189d1ec5fbd58d
SHA256: 66f2e244a4c8683f2287870a29e8cce524b965539ddcfe08c3ffda7efb2c34d4
SHA512: ddfee04fe12fed5752b91e372076d542be60df510d4ff8a783758e7e490adda8
77cd78339fdf0cfaccb8f8095c237b872ad1896fb71e37f6fbb488b9df202142
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16000 0x16000 7.99 151381b5cceccdf2818cd959dc668863
.data 0x17000 0x1000 0x400 4.75 66c59ab03ab7e5421e05893deb5c7628
.rdata 0x18000 0x27000 0x4c00 7.81 cd9324f635ea74f13cf3ca093613ee3b

( 3 imports )
> USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
> KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey

( 0 exports )
Jetzt gleich den avenger starten?

Grüße

Chris4You 06.10.2008 13:54
Hi,

ja, danach MAM und noch folgendes:

RSIT
Random's System Information Tool (RSIT) von random/random liest Systemdetails aus und erstellt ein aussagekräftiges Logfile.
Lade Random's System Information Tool (RSIT) herunter http://filepony.de/download-rsit/
speichere es auf Deinem Desktop.
Starte mit Doppelklick die RSIT.exe.
Klicke auf Continue, um die Nutzungsbedingungen zu akzeptieren.
Wenn Du HijackThis nicht installiert hast, wird RSIT das für Dich herunterladen und installieren.
In dem Fall bitte auch die Nutzungsbedingungen von Trend Micro (http://de.trendmicro.com/de/home) für HJT akzeptieren "I accept".
Wenn Deine Firewall fragt, bitte RSIT erlauben, ins Netz zu gehen.
Der Scan startet automatisch, RSIT checkt nun einige wichtige System-Bereiche und produziert Logfiles als Analyse-Grundlage.
Wenn der Scan beendet ist, werden zwei Logfiles erstellt und in Deinem Editor geöffnet.
Bitte poste den Inhalt von C:\rsit\log.txt und C:\rsit\info.txt (<= minimiert) hier in den Thread.

chris

champpain 06.10.2008 14:00
Ok,
avenger meldet folgendes:
Zitat:
Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe" deleted successfully.
File "C:\WINDOWS\system32\ioyrkveu.dll" deleted successfully.
File "C:\WINDOWS\system32\rqmhve.dll" deleted successfully.
Folder "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|prunnet" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|23fc883e" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Geht gleich weiter...

Grüße

champpain 08.10.2008 18:46
Hallo.

MAM meldete folgendes:
Code:
Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1233
Windows 5.1.2600 Service Pack 3

08.10.2008 18:07:38
mbam-log-2008-10-08 (18-07-31).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 137741
Laufzeit: 44 minute(s), 28 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 2
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
Leider shafft er es nicht diesen Vundo.RS wirklich zu löschen.
Nach einem reboot ist er wieder da.

Virustotal sagt:
Code:
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.10.3.2 2008.10.07 -
AntiVir 7.8.1.34 2008.10.07 -
Authentium 5.1.0.4 2008.10.07 -
Avast 4.8.1248.0 2008.10.06 -
AVG 8.0.0.161 2008.10.06 -
BitDefender 7.2 2008.10.07 -
CAT-QuickHeal 9.50 2008.10.07 -
ClamAV 0.93.1 2008.10.07 -
DrWeb 4.44.0.09170 2008.10.07 -
eSafe 7.0.17.0 2008.10.07 Suspicious File
eTrust-Vet 31.6.6133 2008.10.07 Win32/VundoCryptorT!generic
Ewido 4.0 2008.10.06 -
F-Prot 4.4.4.56 2008.10.06 -
F-Secure 8.0.14332.0 2008.10.07 -
Fortinet 3.113.0.0 2008.10.07 -
GData 19 2008.10.07 -
Ikarus T3.1.1.34.0 2008.10.07 Trojan.Win32.Vundo.AY
K7AntiVirus 7.10.486 2008.10.06 -
Kaspersky 7.0.0.125 2008.10.07 -
McAfee 5399 2008.10.07 -
Microsoft 1.4005 2008.10.07 -
NOD32 3500 2008.10.07 -
Norman 5.80.02 2008.10.06 -
Panda 9.0.0.4 2008.10.07 -
PCTools 4.4.2.0 2008.10.06 -
Prevx1 V2 2008.10.07 Fraudulent Security Program
Rising 20.65.12.00 2008.10.07 Packer.Win32.Agent.v
SecureWeb-Gateway 6.7.6 2008.10.07 Win32.Malware.gen (suspicious)
Sophos 4.34.0 2008.10.07 Troj/Virtum-Gen
Sunbelt 3.1.1707.1 2008.10.07 -
Symantec 10 2008.10.07 -
TheHacker 6.3.1.0.102 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.07 Possible_Vundo-5
VBA32 3.12.8.6 2008.10.07 -
ViRobot 2008.10.7.1410 2008.10.07 -
VirusBuster 4.5.11.0 2008.10.06 -
weitere Informationen
File size: 110592 bytes
MD5...: ebc0b691d73250479b591369d60a453d
SHA1..: 9df098f3023397ffbc949fe38dd34d3d9a9f6d70
SHA256: 5b8aca757d9bd9da9e5f151806488cd5bf013db593312ffedf6b812d6c92d2ae
SHA512: 714a9360cc38e50136f33ff09b2d230374c13c2fc38cd75f8875f314b0ec5779
14a8c86894092c3ffd912168b15a02167a6e62864b0a61e46ee81e9d1363ad04
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16000 0x15400 7.99 cf6a0c6dc6df63cab6edad301f9ed19a
.data 0x17000 0x1000 0x400 4.75 66c59ab03ab7e5421e05893deb5c7628
.rdata 0x18000 0x27000 0x5400 7.79 df6a626d9c5c3ffcd3a471d39b131434

( 3 imports )
> USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
> KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey

( 0 exports )
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=0437B6B000811DD5B02201EDFC290700851D39BC
Kann ich den auch mit avenger killen?

Grüße

Chris4You 09.10.2008 06:27
Hi,

ja sollte möglich sein;
Hast Du MAM alles bereinigen lassen, das Log zeigt nur die Scannergebnisse?

zusätzlich noch Combofix:
Lade ComboFix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen.
Weitere Anleitung unter:http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird

chris

champpain 09.10.2008 08:00
Hallo Chris,
es sieht sehr gut aus!
:)

Ich habe MAM natürlich auch bereinigen lassen, aber nach einem reboot war der Vundo wieder da.

Nun habe ich combofix drüberlaufen lassen und der hat neben den Vundo-Dateien noch einiges mehr entfernt.

Code:
ComboFix 08-10-08.02 - Administrator 2008-10-09  8:43:22.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1483 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-09-09 to 2008-10-09  )))))))))))))))))))))))))))))))
.

2008-10-08 19:49 . 2008-10-08 19:52        <DIR>        d--------        C:\rsit
2008-10-07 08:27 . 2008-10-07 08:28        <DIR>        d--------        C:\WinTer
2008-10-07 08:27 . 2000-09-07 10:07        368,640        --a------        C:\WINDOWS\SWSETUPU.EXE
2008-10-07 08:27 . 2000-10-22 07:34        10,627        --a------        C:\WINDOWS\SWSETUP.INF
2008-10-07 08:27 . 2008-10-07 08:27        2,036        --a------        C:\WINDOWS\winter.del
2008-10-07 08:27 . 2008-10-07 08:27        32        --a------        C:\WINDOWS\winter.ini
2008-10-06 15:07 . 2008-10-06 15:07        <DIR>        d--------        C:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 15:07 . 2008-10-06 15:07        <DIR>        d--------        C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-06 15:07 . 2008-10-06 15:07        <DIR>        d--------        C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-06 15:07 . 2008-09-10 00:04        38,528        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-06 15:07 . 2008-09-10 00:03        17,200        --a------        C:\WINDOWS\system32\drivers\mbam.sys
2008-10-05 18:56 . 2008-10-05 19:00        <DIR>        d--------        C:\Program Files\Destinator PC Portal
2008-10-05 18:55 . 2008-10-05 19:00        <DIR>        d--------        C:\Documents and Settings\Administrator\Application Data\Destinator
2008-10-03 10:59 . 2008-10-03 11:01        <DIR>        d--------        C:\Documents and Settings\All Users\Application Data\TrackMania
2008-10-02 17:01 . 2008-10-02 17:01        0        --ah-----        C:\WINDOWS\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-10-02 17:00 . 2007-06-08 13:46        1,560,576        --a------        C:\WINDOWS\system32\BttnCmns_64.dll
2008-10-02 17:00 . 2006-06-30 05:46        1,560,576        --a------        C:\WINDOWS\system32\BttnCmns.dll
2008-10-02 17:00 . 2007-06-18 16:12        16,768        --a------        C:\WINDOWS\system32\drivers\HpqKbFiltr.sys
2008-10-02 16:16 . 2008-10-02 16:16        <DIR>        d--------        C:\Documents and Settings\All Users\Application Data\HP
2008-09-29 09:14 . 2008-09-29 09:14        0        --ah-----        C:\WINDOWS\SwSys2.bmp
2008-09-29 09:14 . 2008-09-29 09:14        0        --ah-----        C:\WINDOWS\SwSys1.bmp
2008-09-28 17:48 . 2008-09-28 17:48        <DIR>        d--------        C:\Documents and Settings\Administrator\Application Data\PixelPlanet
2008-09-25 15:47 . 2008-09-25 15:47        <DIR>        d--------        C:\Documents and Settings\All Users\Application Data\Winferno
2008-09-25 15:21 . 2008-10-02 09:39        <DIR>        d--------        C:\Program Files\Yahoo!
2008-09-24 15:58 . 2008-09-24 15:58        <DIR>        d--------        C:\Program Files\Runtime Software
2008-09-22 19:13 . 2008-09-22 19:13        <DIR>        d--------        C:\Program Files\Free PDF to Word Doc Converter
2008-09-19 10:47 . 2008-09-19 10:47        <DIR>        d--------        C:\WINDOWS\system32\Temp
2008-09-19 10:47 . 2008-09-19 10:47        <DIR>        d--------        C:\Program Files\3GRTechnologies
2008-09-19 10:04 . 2008-09-19 10:04        <DIR>        d--------        C:\Program Files\tapStat
2008-09-14 09:50 . 2008-09-14 09:50        <DIR>        d--------        C:\Program Files\Exsate DV Capture Live
2008-09-14 09:50 . 2008-09-14 09:50        <DIR>        d--------        C:\Program Files\Common Files\Exsate Shared
2008-09-14 09:50 . 2008-09-14 09:50        <DIR>        d--------        C:\Documents and Settings\All Users\Application Data\{13255581-8301-4983-A732-4ADC50617C57}
2008-09-14 09:43 . 2008-04-13 20:46        51,200        --a------        C:\WINDOWS\system32\drivers\msdv.sys
2008-09-14 09:43 . 2008-04-13 20:46        51,200        --a------        C:\WINDOWS\system32\dllcache\msdv.sys
2008-09-14 09:43 . 2008-04-13 20:46        48,128        --a------        C:\WINDOWS\system32\drivers\61883.sys
2008-09-14 09:43 . 2008-04-13 20:46        48,128        --a------        C:\WINDOWS\system32\dllcache\61883.sys
2008-09-14 09:43 . 2008-04-13 20:46        38,912        --a------        C:\WINDOWS\system32\drivers\avc.sys
2008-09-14 09:43 . 2008-04-13 20:46        38,912        --a------        C:\WINDOWS\system32\dllcache\avc.sys

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 06:18        ---------        d-----w        C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-10-08 13:42        ---------        d-----w        C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-10-07 11:11        ---------        d-----w        C:\Program Files\YadeRD
2008-10-03 08:59        ---------        d-----w        C:\Program Files\Steam
2008-10-02 14:13        ---------        d-----w        C:\Program Files\Hp
2008-09-28 15:55        ---------        d-----w        C:\Program Files\Common Files\XPressUpdate
2008-09-20 18:37        ---------        d-----w        C:\Program Files\PDF Editor 2
2008-09-19 08:47        ---------        d-----w        C:\Program Files\Microsoft ActiveSync
2008-09-08 08:27        ---------        d-----w        C:\Program Files\Gs4Word_331
2008-09-05 08:23        ---------        d-----w        C:\Documents and Settings\Administrator\Application Data\foobar2000
2008-09-05 07:47        ---------        d--h--w        C:\Program Files\InstallShield Installation Information
2008-09-05 07:47        ---------        d-----w        C:\Program Files\SanDisk
2008-09-01 15:23        ---------        d-----w        C:\Program Files\Rasterex
2008-09-01 15:23        ---------        d-----w        C:\Program Files\Common Files\Rasterex Shared
2008-09-01 15:21        ---------        d-----w        C:\Program Files\Print2cad 2008
2008-08-26 15:48        ---------        d-----w        C:\Program Files\Nokia
2008-08-26 14:50        ---------        d-----w        C:\Documents and Settings\Administrator\Application Data\fretsonfire
2008-08-21 09:40        ---------        d-----w        C:\Program Files\Doom 3
2008-08-21 08:58        ---------        d-----w        C:\Program Files\Common Files\Real
2008-08-21 08:34        ---------        d-----w        C:\Program Files\Common Files\Wextech Shared
2008-08-19 19:41        ---------        d-----w        C:\Program Files\Google
2008-08-19 19:38        ---------        d-----w        C:\Program Files\AUDIOEXTRACTOR
2008-08-19 15:09        ---------        d-----w        C:\Program Files\Frets on Fire
2008-08-19 15:09        ---------        d-----w        C:\Program Files\DivX
2008-08-19 15:05        ---------        d-----w        C:\Program Files\vtplus
2008-08-19 15:05        ---------        d-----w        C:\Program Files\TodaysInfo
2008-08-19 15:02        ---------        d-----w        C:\Program Files\WinTV
2008-08-18 18:28        ---------        d-----w        C:\Program Files\Common Files\Remote Control Software Shared
2008-08-18 18:28        ---------        d-----w        C:\Program Files\Common Files\Remote Control Software Common
2008-08-18 18:27        ---------        d-----w        C:\Program Files\Logitech
2008-08-13 06:24        ---------        d-----w        C:\Program Files\SignSIS-GUI
2008-01-01 19:11        469,504        -c--a-w        C:\Program Files\WinSCP.de
2007-09-11 11:07        22,328        -c--a-w        C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-12-12 09:15        56        -csha-w        C:\WINDOWS\SMINST\hpboot.sys
2006-05-03 09:06        163,328        --sha-r        C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47        31,232        -csha-r        C:\WINDOWS\system32\msfDX.dll
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-17 53248]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-04-06 122940]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 1187840]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 892928]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 266497]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-06 7569408]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-06 86016]
"Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-01 282624]
"QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"MsmqIntCert"="mqrt.dll" [2008-04-14 C:\WINDOWS\system32\mqrt.dll]
"nwiz"="nwiz.exe" [2006-09-06 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-15 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 20:41 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 15:52 389120 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mqlbgc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages        REG_MULTI_SZ          scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Automatic Update-Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Automatic Update-Agent.lnk
backup=C:\WINDOWS\pss\Automatic Update-Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a--c--- 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2006-08-21 00:24 2068527 C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NcpBudget]
-----c--- 2005-01-05 09:32 214016 C:\WINDOWS\D-Link NetDefend\NCPBUDGT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NcpPopup]
-----c--- 2005-02-23 12:12 382976 C:\WINDOWS\D-Link NetDefend\NCPPOPUP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-01 14:33 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2005-05-06 15:06 716800 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 11:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-12 21:04 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2005-11-08 12:59 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
"WireLessKeyboard"=C:\Program Files\Trust keyboard driver\StartAutorun.exe PS2USBKbdDrv.exe
"WireLessMouse"=C:\Program Files\Trust keyboard driver\StartAutorun.exe MouseDrv.exe
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe
"WatchDog"=C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\PSSST\\WOLFENSTEIN - ENEMY TERRITORY\\ETDED.exe"=
"C:\\WINDOWS\\D-Link NetDefend\\NCPMON.EXE"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Totalcmd653\\TOTALCMD.EXE"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6881:TCP"= 6881:TCP:bitlet.org

R1 Ext2fs;Ext2fs;C:\WINDOWS\system32\DRIVERS\ext2fs.sys [2005-05-14 130176]
R1 IfsDrives;IfsDrives;C:\WINDOWS\system32\DRIVERS\IfsDrives.sys [2004-09-25 4608]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2005-10-25 35488]
R2 AAV UpdateService;AAV UpdateService;C:\Program Files\Common Files\AAV\aavus.exe [2007-10-04 122880]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 gtdetectsc;GtDetectSc Service;C:\WINDOWS\system32\gtdetectsc.exe [2006-09-28 122880]
R2 GtFlashSwitch;GtFlashSwitch;C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe [2007-02-09 176128]
R2 ncprwsnt;ncprwsnt;C:\WINDOWS\D-Link NetDefend\ncprwsnt.exe [2005-03-14 1171456]
R2 NcpSec;NcpSec;C:\WINDOWS\D-Link NetDefend\ncpsec.exe [2004-05-24 45056]
R2 rwsrsu;RwsRsu;C:\WINDOWS\D-Link NetDefend\rwsrsu.exe [2005-02-23 249856]
R2 SSIPDDP;SSIPDDP: Parallel port device driver;C:\WINDOWS\system32\Drivers\SSIPDDP.SYS [1998-07-08 55296]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 36608]
R3 ncplentp;D-Link Secure Client Adapter Driver;C:\WINDOWS\system32\DRIVERS\ncplentp.sys [2005-03-14 85120]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-04-19 194048]
S3 EraserUtilDrv10720;EraserUtilDrv10720;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10720.sys [ ]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2006-10-31 8064]
S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2006-10-31 36992]
S3 HCW77BDA;Hauppauge Nova-T Stick DVB-T Tuner;C:\WINDOWS\system32\Drivers\hcw70bda.sys [2006-04-06 118850]
S3 hcw99rc;Hauppauge Nova-DT IR Driver;C:\WINDOWS\system32\Drivers\hcw99rc.sys [2007-03-23 10368]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-06-10 173056]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PCASp50.sys [ ]
S3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2008-04-13 15104]
S3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 27136]
S3 uisp;Freescale USB JW32 driver;C:\WINDOWS\system32\Drivers\usbicp.sys [2005-12-21 14592]
S3 UsbFltr;Razer Copperhead Driver;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 11596]
S3 zlportio;zlportio;E:\Games\UltraStar\zlportio.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance        REG_MULTI_SZ          ASChannel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##server#software]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - U:\Boot.exe e
.
Contents of the 'Scheduled Tasks' folder

2008-10-03 C:\WINDOWS\Tasks\1-Klick-Wartung.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 12:40]

2008-10-09 C:\WINDOWS\Tasks\User_Feed_Synchronization-{77FCF14C-BD85-4C31-B50D-7A8F3A7E0833}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 19:36]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\en3cs24p.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.arcor.de/4rBLYmjQPg446vupVi8-eQn/login/login.jsp
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPJPI142.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava12.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava13.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJPI141_07.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPOJI610.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 08:46:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xg??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTNA.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-10-09  8:53:15 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-09 06:53:11
ComboFix2.txt  2008-10-09 06:42:28

Pre-Run: 5.938.302.976 bytes free
Post-Run: 5,918,359,552 bytes free

333        --- E O F ---        2008-09-10 14:39:28
Bin ich die Scheiße jetzt los?
Und hast du eine Idee wo ich mir das Zeuchs eingefangen haben könnte?

Grüße

Chris4You 09.10.2008 09:02
Hi,

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:
  • Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:
Code:
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\SwSys1.bmp
U:\Boot.exe
  • Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
  • Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.
  • Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

Deine Javasoftware ist veraltet,
Download jre-6u7-windows-i586-p.exe
Scrolle runter nach ---->Java Runtime Environment (JRE) 6u7
The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
Klicke auf "Download"
Setze ein Haeckchen bei --->"Accept License Agreement".
Klicke “Windows Offline Installation, Multi-language” um
“jre-6-windows-i586.exe”zum Desktop zu installieren
Schliesse alle Programme auch Deinen Webbrowser
Über "Start -> Einstellungen -> Systemsteuerung -> Software
entferne alle aelteren Versionen von Java Runtime Environment (JRE of J2SE)
Auch auf C:\Programme\Java entfernen!
Nachdem alles entfernt wurde --->Rechner neu starten
Installiere jetzt vom Desktop aus ---> “jre-6u7-windows-i586-p.exe”

chris

champpain 09.10.2008 09:23
Hi.

Die Dateien
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\SwSys1.bmp
haben 0 kB, demenstprechend meldet Virustotal
Zitat:
0 bytes size received / Se ha recibido un archivo vacio
U:\Boot.exe
U:\ scheint ein Netzlaufwerk bei einem Kumpel zu sein.
Ich habe so ein Laufwerk gar nicht.

Danke für den java-Hinweis.

BTW: Kann man sich außer einem Dankeschön auch auf andere Weise für den hervorragenden Support erkenntlich zeigen?

Grüße


Alle Zeitangaben in WEZ +1. Es ist jetzt 05:22 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131